![Page 1: Jaeson Schultz Technical Leader · THREAT LANDSCAPE The number of CVE Entries in 2016 so far is 239 6453 7903 18% Decrease in CVE Entries from ... Hidden frames, with random clicking](https://reader033.vdocument.in/reader033/viewer/2022050412/5f88d53ebb41267d6d33d6ae/html5/thumbnails/1.jpg)
Jaeson Schultz
Technical Leader
Insights On Emerging Threats
Who Am I?
• Jaeson Schultz – [email protected], @jaesonschultz (Twitter)
– Over 20 years specialising in thwarting abuse of security protocols like SMTP, HTTP/S, and DNS
– Former manager of the SpamCop DNSBL – An IP address-based blacklist which has been taking the fight to the spammers for over a decade
– Assisted in design and development of the Cisco IronPort Anti-Spam content scanner and I’ve also developed some of the architecture & content detection for Cisco’s Web Security Appliance, Cloud Web Security, and Next Generation Firewall products.
– Most recently as Technical Leader for Talos, I perform Security Research, Author Blog/Whitepaper Publications, Speak at Conferences, and evangelise Cisco Security.
– Little Lebowski Urban Achiever
THREAT LANDSCAPE
The number of CVE entries in 2016 so far is 239
18% decrease in CVE entries from 2014 to 2015 (7903 to 6453)
[Chart: CVE entries per year, 2011 to 2015]
THREAT LANDSCAPE
1.5 Million
THREATS DON’T GO AWAY,
HOW DO WE ADDRESS IT?
Cloud to Core Coverage
• 16 BILLION web requests a day
• 500 BILLION email messages a day
• 18.5 BILLION AMP queries a day
MULTI-TIERED DEFENCE
Cloud to Core Coverage
• WEB: Reputation, URL Filtering, AVC
• END POINT: Software – ClamAV, Razorback, Moflow
• CLOUD: FireAMP & ClamAV detection content
• EMAIL: Reputation, AntiSpam, Outbreak Filters
• NETWORK: Snort Subscription Rule Set, VDB – FireSIGHT Updates & Content, SEU/SRU Product Detection & Prevention Content
• Global Threat Intelligence Updates
MULTI-TIERED DEFENCE
Talos is divided into 5 departments
Open Source
Public Facing Tools
• Threat detection and prevention: Snort, ClamAV, Razorback, & Daemonlogger
• Vulnerability detection and mitigation: Moflow, FreeSentry
Open Intelligence
Today’s Plan
• Rombertik
• Ransomware
• Windows 10
• Teslacrypt
• Cryptowall 4
• SSH Psychos
• IP Address Hijacking
• Reverse Engineering Tech Support Scammers
• Malvertising
• Rigging for Compromise – Rig Exploit Kit
• Angler Exposed
Rombertik
LEADING THREAT INTELLIGENCE
Rombertik
• Multiple layers of obfuscation
• Hooks into user’s browser to read credentials & other sensitive info
• Propagates via spam and phishing
Code Paths
LEADING THREAT INTELLIGENCE
Rombertik
ACTION TAKEN:
• Identify malware
• Encourage best security practices
• AMP, CWS, ESA, Network Security, WSA
Ransomware
LEADING THREAT INTELLIGENCE
CRYPTOWALL 3.0
• Data is the new target
• Ransomware
• Becoming more popular
• Using more evasive techniques
Your Files are Protected by a “Free Windows 10 Upgrade”
Do you remember
Threat
• Talos discovered email spam campaign
• Shortly after Windows 10 release
Payload
• CTB-Locker is Ransomware Payload
CTB Locker
• Unparalleled visibility
• Quick and effective detection and Response
LEADING THREAT INTELLIGENCE
TeslaCrypt
ACTION TAKEN:
• Created TeslaCrypt Decryption Tool
• Open Source command line utility
• Users can decrypt their files themselves
LEADING THREAT INTELLIGENCE
TeslaCrypt
• Symmetric: files NOT asymmetrically encrypted with RSA 2048
• Actual encryption: AES CBC 256-bit
• Open Source: Decryption Tool
• Knock off ransomware
• Why would people pay??
• Honor amongst Thieves?
TeslaCrypt Demo
- CryptoWall Version 4 -
The Evolution continues
CryptoWall Version 4
• Notorious ransomware
• Version 1 first seen in 2014
• Distributed via Exploit kits and Phishing Emails
• Fast Evolution
Detailed Instructions
Victims View – Full Localization
CryptoWall 4 checks local region settings with an undocumented API call.
The following regions are excluded from infection:
Russian - Kazakh - Ukrainian - Uzbek - Belarusian - Azeri - Armenian … other Eastern European countries
File Encryption
[Figure: per-file encryption. Labels: Temp.AES256 key; a directory listing of 1.jpg, 2.jpg, 3.jpg …; 1.jpg; RSA public key; random.xyz; Encrypted AES256 key; Other data; Encrypted 1.jpg]
Temporary AES key can only be decrypted with the private RSA key
Network Communication
[Sequence diagram: CryptoWall malware on one side, command and control server on the other]
1. Malware: initial announcement to C2
2. C2 Server ACK
3. Malware: request PubKey, TOR domains, PNG wallpaper
4. C2: send PubKey, TOR domains, PNG wallpaper
5. Malware: verify PubKey and start encrypting files ….
6. Malware: operation successful. Files encrypted. Done.
7. C2 Server ACK
Infection Process Details
• One encryption thread per logical volume
• Exclude CDROMs
• Exclude volumes with “HELP_YOUR_FILES.PNG”
• When done:
  • Write “HELP_YOUR_FILES.PNG” to volume root
  • Report success to C&C
[Flowchart of the infection process, read top to bottom:]
1. Binary downloaded and executed
2. Injected into explorer.exe
3. Makes itself persistent (registry run key)
4. Injecting in svchost (main malware logic)
5. Delete all shadow copies
6. Dropper checks if config file exists: yes → encrypt files and show message(s); no → try downloading pubkey and files from C2 server
7. Got files from C2 server? no → sleep 3 seconds and try again; yes → continue
8. Pubkey valid (check hash)? no → clean up and exit process; yes → create config file, then encrypt files and show message(s)
SSHPSYCHOS
If it doesn’t work you’re just not using enough BRUTEFORCE
SSH Psychos Update
SSHPsychos
• Brute Force SSH Attacks until password guess
• 300K Unique Passwords
• Login from different address space
• Drop DDoS Rootkit on server
• Accounted for 1/3 of all SSH Traffic ON THE INTERNET
[Chart: SSH Brute Force Attempts]
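As an added example (not from the talk), a Python detector for the SSHPsychos pattern described above, run over constructed sshd log lines: it flags a source that exceeds a failure threshold and, more usefully, a password login that succeeds for an account that was just being guessed, whether it comes from the guessing host or, as the slide says this group did, from a different address space. The log lines, host name and RFC 5737 addresses are constructed; the 20-failure threshold, 30-minute window and /24 grouping are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sshd log lines (not from the talk) modelling the SSHPsychos
# pattern: one host hammers "root" with password guesses, a legitimate
# key-based login happens in between, and the successful password login for
# root finally arrives from a different address space. All addresses are
# RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = "\n".join(
    [f"Mar 14 02:00:{i:02d} bastion sshd[{1000 + i}]: Failed password for root "
     f"from 192.0.2.77 port {40000 + i} ssh2" for i in range(25)]
    + [
        "Mar 14 02:00:30 bastion sshd[1050]: Accepted publickey for deploy "
        "from 198.51.100.5 port 50001 ssh2",
        "Mar 14 02:09:10 bastion sshd[1100]: Accepted password for root "
        "from 203.0.113.9 port 51000 ssh2",
    ]
)

# Matches the login-outcome lines sshd writes; any other sshd line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text, year=2016):
    """Turn raw sshd lines into dicts; syslog stamps carry no year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "ok": m["result"] == "Accepted",
                       "method": m["method"], "user": m["user"], "ip": m["ip"]})
    return events


def same_prefix(ip_a, ip_b, prefixlen=24):
    """Crude 'same address space' test: both addresses fall in one /24 (assumed)."""
    return ip_address(ip_b) in ip_network(f"{ip_a}/{prefixlen}", strict=False)


def detect_ssh_bruteforce(events, threshold=20, window=timedelta(minutes=30)):
    """Return (brute-force source IPs, alerts for password logins that follow guessing).

    Each alert records whether the successful login came from the guessing host
    itself, from its /24, or from an unrelated address space; the last case is
    the SSHPsychos behaviour and the one a same-IP blocklist would miss.
    """
    failures = [e for e in events if not e["ok"]]
    per_ip = Counter(e["ip"] for e in failures)
    sources = {ip for ip, n in per_ip.items() if n >= threshold}
    alerts = []
    for e in events:
        if not e["ok"] or e["method"] != "password":
            continue  # only a password login can be the payoff of password guessing
        recent = [f for f in failures
                  if f["user"] == e["user"] and e["ts"] - window <= f["ts"] <= e["ts"]]
        if len(recent) < threshold:
            continue
        guess_ips = {f["ip"] for f in recent}
        if e["ip"] in guess_ips:
            kind = "success-from-guessing-host"
        elif any(same_prefix(g, e["ip"]) for g in guess_ips):
            kind = "success-from-guessing-prefix"
        else:
            kind = "success-from-new-address-space"
        alerts.append({"ts": e["ts"], "user": e["user"], "ip": e["ip"],
                       "kind": kind, "guess_sources": sorted(guess_ips)})
    return sources, alerts


if __name__ == "__main__":
    sources, alerts = detect_ssh_bruteforce(parse_events(SAMPLE_AUTH_LOG))
    print("brute-force sources:", sorted(sources))
    for a in alerts:
        print(f"{a['ts']:%H:%M:%S} {a['kind']}: {a['user']} from {a['ip']} "
              f"after guesses from {a['guess_sources']}")
```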
VICTORY
• Engaged Level 3 and another major ISP
• Sudden Pivot
• Null Routed
• Call to Action
• Effectively limited
• Downloads blocked by standard technology
IP Address Hijacking
And the problem continues …
BGP Stream (@bgpstream)
Reverse Social Engineering
Tech Support Scammers
Tech Support
• Fraudulent actors masquerading as “legitimate” tech support have been on the rise for the past 8 years
• Talos has been monitoring the creation of fake tech support sites to better understand how they operate.
The Setup
“Trojan Virus”
You can listen and watch the entire interaction here: https://youtu.be/toKLOYxVkJM
Tracking the Scammers
• After the call, Talos began investigating who was behind this tech support scam
• Our investigation led us to two individuals
Taking Action
• Talos reached out to the parent company of the VoIP operator to get the number shut down.
• Talos contacted TeamViewer, alerting them to the abuse and reporting the ID used by these scammers.
• Finally, Talos submitted a complaint to the United States Federal Trade Commission (FTC)
Online Advertising
ONLINE ADVERTISING
A big, fat, opportunity
• Ad Injection
  Rewrite web pages with extra ads
• PUAs
  Adware downloads
• Clickfraud
  Hidden frames, with random clicking that generates hits.
• Malvertising
  A favorite of kits such as Angler; use the ad platform to direct browsers to a compromised server.
A major news site
26 Domains
39 Hosts
171 Objects
557 Connections
Rigging Compromise – RIG EK
Rig EK - Overview
Patching: A Window of Opportunity
Users not moving quickly to the latest Flash versions or updating the patches creates an opportunity for Angler and other exploits to target the vulnerability.
Rig EK - Findings
Rig EK - Response
Angler Exposed
Overview
• Deep Data Analytics July 2015
  • Telemetry from compromised users
  • ~1000 Sandbox Runs
• July 2015
  • Angler underwent several URL changes
  • Multiple “Hacking Team” 0-Days added
• Ended with tons of data
Detection Challenges
• Hashes
  • Found 3,000+ Unique Hashes
  • 6% in VT
  • Most detection <10
• Encrypted Payloads
  • Using Diffie-Hellman Encryption for IE Exploit
  • Unique to each user
• Domain Behaviour
  • DDNS
  • Adversary Owned Domains
  • Hard Coded IP
  • Domain Shadowing
Exploit Details
• “Hacking Team” Adobe Flash 0-days: CVE-2015-5119, CVE-2015-5122
• IE 10 and 11 JScript9 Memory Corruption Vulnerability: CVE-2015-2419
• IE OLE Vulnerability: CVE-2014-6332
• No JAVA !
[Chart labels: Adobe Flash, CVE-2014-6332, Silverlight]
Findings
• IP Infrastructure
  • Only 10-15 Unique IPs hosting Angler Daily
• Hosting Information
  • Found 60%+ Angler activity for month at two providers
  • Limestone Networks
  • Hetzner
• HTTP Referers
  • Found Thousands of Different Referer headers
  • Malvertising
  • Lots of top websites seen directing to Angler
  • News Sites, Real Estate, Sports, Popular Culture
  • Redirection from obituaries
Angler Demo
Breakthrough
• Partnered with Limestone Networks
• Gathered Images of Systems
• Network Captures
• Level-3
• Continued collaboration after SSHPsychos
• Netflow Data Key to Investigation
• Undiscovered Findings directly related to the data
• Proxy Server Configuration
• Health Monitoring
A Look Inside Angler
Server Details
• NGINX Server
• Proxy all traffic to single back-end exploit server
• Health Server Monitoring Activity
• GET Request resulting in HTTP 204
• Ability to Pull Access Logs
• Ability to Remotely Delete Access Logs
• Netflow identified ~150 Angler Servers being monitored
• Scope
• Access Log
• 90K Unique IP’s in 13 Hours
• Massive malvertising Campaign – Major websites affected
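A defender-side pivot over the two patterns on this slide (one monitor issuing GETs answered with HTTP 204 to many front ends, and those front ends all proxying to a single back end), written as an added example that is not from the presentation or from Talos. The records are constructed and use RFC 5737 documentation addresses; the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample transactions (RFC 5737 documentation addresses, not
# indicators from the presentation): (src_ip, dst_ip, method, status).
SAMPLE_RECORDS = [
    # one source polling several hosts with GETs answered by HTTP 204
    ("198.51.100.7", "203.0.113.10", "GET", 204),
    ("198.51.100.7", "203.0.113.11", "GET", 204),
    ("198.51.100.7", "203.0.113.12", "GET", 204),
    ("198.51.100.7", "203.0.113.13", "GET", 204),
    # ordinary visitors, and a 204 that is not a GET
    ("192.0.2.5", "203.0.113.10", "GET", 200),
    ("192.0.2.6", "203.0.113.11", "GET", 200),
    ("192.0.2.6", "203.0.113.11", "POST", 204),
    ("198.51.100.9", "203.0.113.12", "GET", 204),   # single target only
    # the polled front ends all forwarding to one upstream host
    ("203.0.113.10", "203.0.113.200", "GET", 200),
    ("203.0.113.11", "203.0.113.200", "GET", 200),
    ("203.0.113.12", "203.0.113.200", "GET", 200),
    ("203.0.113.13", "203.0.113.201", "GET", 200),
]

def _fan(records, selector, min_count):
    """Group (key, member) pairs from selector(); keep keys with >= min_count distinct members."""
    groups = defaultdict(set)
    for rec in records:
        pair = selector(rec)
        if pair is not None:
            groups[pair[0]].add(pair[1])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_count}

def find_health_monitors(records, min_targets=3):
    """Sources whose GETs get a 204 from many distinct hosts: the health-check fan-out."""
    return _fan(records,
                lambda r: (r[0], r[1]) if r[2] == "GET" and r[3] == 204 else None,
                min_targets)

def find_shared_backends(records, frontends, min_frontends=3):
    """Hosts outside the front-end set that several known front ends all
    connect to: the single back end behind the proxies."""
    fe = set(frontends)
    return _fan(records,
                lambda r: (r[1], r[0]) if r[0] in fe and r[1] not in fe else None,
                min_frontends)

if __name__ == "__main__":
    monitors = find_health_monitors(SAMPLE_RECORDS)
    print("monitors:", monitors)
    for targets in monitors.values():
        print("back ends:", find_shared_backends(SAMPLE_RECORDS, targets))
```

The monitored host list from the first step is the front-end set fed to the second, so one netflow dataset yields the monitor, the front ends and the shared back end in a single pass.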
Proxy & Health Config
Show Me The Money
The Money
Response
• Driven out of Limestone Networks, resulting in significantly lower activity
• Published Community Rules for Front-End & Back-End Communication
• Blacklisted all servers
• Blacklisted all domains
• Working with Providers resulted in huge returns
• Exposed Largest Angler Actor Active on Internet Today
Activity
INTELLIGENCE COMMUNITIES
Talos works to promote collaborative and
thorough understanding of network security
threats through a number of community
programs.
Project Aspis – collaboration between Talos and host providers
• Talos provides expertise and resources to identify major threat actors
• Providers potentially save significant costs in fraudulent charges
• Talos gains real world insight into threats on a global scale, helping us
improve detection and prevention, making the internet safer for everyone
CRETE – collaboration between Talos and participating customers
• Talos provides a FirePower NGIPS sensor to deploy inside the customer network
• Talos gathers data about real world network threats and security issues
• Customers receive leading-edge intel to protect their network
AEGIS – information exchange between Talos and participating members
of the security industry
• Open to partners, customers, and members of the security industry
• Collaborative nexus of intelligence sharing in order to provide better
detection and insight into worldwide threats
talosintel.com
@talossecurity
@jaesonschultz