emerging threats - the state of cyber security
TRANSCRIPT
Cisco Confidential © 2015 Cisco and/or its affiliates. All rights reserved.
Emerging Threats – The State of Cyber Security
Earl Carter / @kungchiu
Senior Threat Researcher
May 2016
House Keeping Notes
Thank you for attending Cisco Connect Toronto 2016, here are a few housekeeping notes to ensure we all enjoy the session today.
• Please ensure your cellphones / laptops are set on silent to ensure no one is disturbed during the session
• A power bar is available at the back of the room
Earl Carter (@kungchiu) Senior Threat Researcher / Security Outreach
THREAT LANDSCAPE
The number of CVE Entries in 2016 so far is 2128
Chart: CVE entries per year, 2011 to 2015 (values shown: 7903 and 6453)
18% Decrease in CVE Entries from 2014 to 2015
THREAT LANDSCAPE
Total Threat Blocks: 19.7 Billion (a second figure, 7.2 Trillion, is shown without a label)
Daily Web Breakdown:
• 181 Million Spyware Blocks
• 82 Thousand Virus Blocks
• 818 Million Web Blocks
Cloud to Core Visibility:
• 16 Billion web requests a day
• 600 Billion email messages a day
• 18.5 Billion endpoint malware queries a day
TALOS PRODUCTS & INTELLIGENCE
Talos is the backbone for all Cisco Security Products and Services.
Products and the detection services they carry:
• ESA | ClamAV, SpamCop, SenderBase: Email Reputation, Malware Protection, URL/Domain/IP Reputation, Phishing Protection, Spoof & Spam Detection
• Open Source (Snort Rules, ClamAV Sigs, ClamAV): Vulnerability Protection, Malware Protection, Policy & Control
• End Point (AMP, ClamAV): Cloud & End Point IOCs, Malware Protection, IP Reputation
• Cloud (CWS, CES, OpenDNS): URL/Domain/IP Reputation, Malware Protection, AVC
• Web (WSA, CWS): URL/Domain/IP Reputation, Malware Protection, AVC
• Network (FirePower/ASA, ISR, Meraki): Policy & Control, Malware Protection, URL/Domain/IP Reputation, Vulnerability Protection
• Services (ATA, IR): Cloud & End Point IOCs, Malware Protection, URL/Domain/IP Reputation, Vulnerability Protection, Custom Protection
• Intelligence (ThreatGrid): Cloud & End Point IOCs, Malware Protection, URL/Domain/IP Reputation, Network Protection
Open Source: Public Facing Tools
• Threat detection and prevention: Snort, ClamAV, Razorback, & Daemonlogger
• Vulnerability detection and mitigation: Moflow, FreeSentry
LEADING THREAT INTELLIGENCE
Windows 10 Spam
• Talos discovered email campaign
• Began shortly after Windows 10 release
• Talos is a key differentiator
• Unparalleled visibility
• Quick and effective detection & response
Simple But Effective
Resume Spam Campaign
• Pretends to be employee resume
• Short-lived and Effective
• Includes Zip file attachment
Tax Scams Gone International
Overview
• 9 Different Countries
• English & 3 Other Languages
• Occurring year round
• Attacks
– HTML Forms & Malicious Attachments
– Links to Malicious Sites
Common Subjects
• Claim your tax refund
• You are eligible to receive a tax refund
• Tax Refund Notification
• Australian Taxation Office tax refund confirmation!
• Tax Refund New Message Alert!
• Tax Refund (Ref #782167) - $687.00 CDN
• Tax Refund (Ref #782167) 687.00 GBP
• Tax Refund (Ref #782167) $687.00 USD
• Tilbagebetaling af skat - DKK 7122,00 (Danish: tax refund)
• Skatteåterbäring: 6120.20 SEK (Swedish: tax refund)
• Rimborso fiscale per 2014-2015 (Italian: tax refund for 2014-2015)
Impersonating Tax Seminars
Sample Subjects
• IRS: Tax and Payroll Updates for 2016
• Reminder: Annual Tax Update
• Handling Federal and State Tax Levies With Ease. Register Now!
LEADING THREAT INTELLIGENCE
SSHPsychos
• Brute Force SSH Attacks until password guess
• 300K Unique Passwords
• Login from different address space
• Drop DDoS Rootkit on server
• Accounted for 1/3 of all SSH Traffic ON THE INTERNET
Chart: SSH Brute Force Attempts
ACTION TAKEN:
• Engaged Level 3… and other providers
• Sudden Pivot
• Null Routed
• Call to Action
• Effectively Limited
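The pattern the SSHPsychos slides describe (mass password guessing from one address range, followed by the real login from a different address space) can be surfaced from ordinary sshd logs. The following Python is an added example written for this transcript, not Talos code; the log lines are constructed (documentation address ranges, not real sources), and the failure threshold and the /24 grouping are assumptions to tune for your own environment.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample sshd lines (not real telemetry); addresses are RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar 14 10:01:02 web1 sshd[2201]: Failed password for root from 203.0.113.10 port 52211 ssh2
Mar 14 10:01:03 web1 sshd[2201]: Failed password for root from 203.0.113.10 port 52212 ssh2
Mar 14 10:01:04 web1 sshd[2201]: Failed password for root from 203.0.113.10 port 52213 ssh2
Mar 14 10:01:05 web1 sshd[2202]: Failed password for invalid user admin from 203.0.113.10 port 52214 ssh2
Mar 14 10:01:06 web1 sshd[2203]: Failed password for root from 203.0.113.10 port 52215 ssh2
Mar 14 10:01:07 web1 sshd[2203]: Failed password for root from 203.0.113.10 port 52216 ssh2
Mar 14 10:01:09 web1 sshd[2204]: Failed password for root from 203.0.113.11 port 40001 ssh2
Mar 14 10:05:30 web1 sshd[2210]: Failed password for bob from 198.51.100.7 port 33001 ssh2
Mar 14 10:05:31 web1 sshd[2210]: Accepted password for bob from 198.51.100.7 port 33001 ssh2
Mar 14 10:09:12 web1 sshd[2230]: Accepted password for root from 192.0.2.77 port 61000 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(log_text):
    """Return (kind, user, ip) tuples in log order; kind is 'fail' or 'ok'."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append(("fail", m["user"], m["ip"]))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            events.append(("ok", m["user"], m["ip"]))
    return events


def brute_force_sources(events, threshold=5):
    """Source addresses with at least `threshold` failed password attempts (assumed threshold)."""
    fails = Counter(ip for kind, _, ip in events if kind == "fail")
    return {ip: n for ip, n in fails.items() if n >= threshold}


def suspicious_logins(events, threshold=5, prefix_len=24):
    """Accepted logins for an account that was guessed at least `threshold` times,
    arriving from outside every /prefix_len block the guessing came from.
    This is the 'login from different address space' pattern from the slide;
    the /24 grouping is an assumption, not something the slide states."""
    fail_count = Counter()
    guess_blocks = defaultdict(set)
    flagged = []
    for kind, user, ip in events:
        addr = ip_address(ip)
        if kind == "fail":
            fail_count[user] += 1
            guess_blocks[user].add(ip_network(f"{addr}/{prefix_len}", strict=False))
        elif fail_count[user] >= threshold and not any(addr in b for b in guess_blocks[user]):
            flagged.append((user, ip))
    return flagged


if __name__ == "__main__":
    evts = parse_events(SAMPLE_AUTH_LOG)
    print("brute-force sources:", brute_force_sources(evts))
    print("logins after guessing, from a different address space:", suspicious_logins(evts))
```

On the constructed sample the source 203.0.113.10 is reported as a brute-force origin, and the later root login from 192.0.2.77 is flagged because the account had been guessed repeatedly from 203.0.113.0/24; bob's single typo followed by a login from the same address is not.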
Drive-by Download Attacks
• The act of downloading something unintentionally, usually malicious
• No need to click to download
• Malvertising is a common vector
Summary
• Malvertising is literally everywhere
• Big attack vector for Exploit Kits
• Ensures lots of victims from largely random sites
• Sites are starting to require Ad Block be turned off
• Malvertising as a Service (MaaS) is likely to be growing in the rest of 2016 and beyond
Attacker Innovation
• Angler is the most successful exploit kit
• Demonstrates continued innovation
• New Functionality Quickly Spreads
– Exploit kits competing for business
• Exploit kits get overlooked as a sophisticated threat
Importance of Patching
Chart: release versions (Update Published) plotted against User Activity and the vulnerabilities Angler exploited (Angler Exploit Vulnerability), on a timeline from 1 Feb to 1 Jun.
Versions: 15.0.0.246, 16.0.0.235, 16.0.0.257, 16.0.0.287, 16.0.0.296, 16.0.0.305, 17.0.0.134, 17.0.0.169, 17.0.0.188
Vulnerabilities: CVE-2015-0310, CVE-2015-0313, CVE-2015-0336, CVE-2015-0359, CVE-2015-0390
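The practical side of the patching chart above is an inventory check: compare dotted release versions numerically (plain string comparison gets "9.0.0.1" vs "10.0.0.1" wrong) and report which hosts still sit below the release that closes a given vulnerability. This Python is an added example for this transcript, not Cisco's or Adobe's tooling. The release list is the one on the slide (these are Adobe Flash Player releases of early 2015); the host inventory is constructed; and the fixed-in version given to exposed_hosts is a placeholder, because the slide does not state which release closed which CVE and that value must come from the vendor advisory.

```python
from typing import Dict, List, Tuple

# Release versions listed on the slide's timeline, in publication order.
RELEASES = [
    "15.0.0.246", "16.0.0.235", "16.0.0.257", "16.0.0.287", "16.0.0.296",
    "16.0.0.305", "17.0.0.134", "17.0.0.169", "17.0.0.188",
]

# Constructed inventory: host name -> plugin version reported by that host.
INVENTORY = {
    "ws-01": "17.0.0.188",
    "ws-02": "16.0.0.305",
    "ws-03": "15.0.0.246",
    "kiosk-7": "17.0.0.134",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.0.0.305' into (16, 0, 0, 305) so versions compare numerically.
    As strings, '9.0.0.1' would sort after '10.0.0.1'; as tuples it sorts before."""
    return tuple(int(part) for part in version.split("."))


def releases_behind(installed: str, releases: List[str] = RELEASES) -> int:
    """Number of published releases newer than the installed version."""
    current = parse_version(installed)
    return sum(1 for r in releases if parse_version(r) > current)


def exposed_hosts(inventory: Dict[str, str], fixed_in: str) -> List[str]:
    """Hosts whose version is older than the release that closes a vulnerability.
    `fixed_in` must be taken from the vendor advisory; the slide does not give it."""
    floor = parse_version(fixed_in)
    return sorted(host for host, v in inventory.items() if parse_version(v) < floor)


def patch_lag_report(inventory: Dict[str, str],
                     releases: List[str] = RELEASES) -> Dict[str, int]:
    """Per-host count of releases the host has not yet applied."""
    return {host: releases_behind(v, releases) for host, v in inventory.items()}


if __name__ == "__main__":
    for host, lag in patch_lag_report(INVENTORY).items():
        print(f"{host}: {lag} release(s) behind")
    # PLACEHOLDER fixed-in version; substitute the advisory's value for the CVE of interest.
    print("hosts below 17.0.0.169:", exposed_hosts(INVENTORY, "17.0.0.169"))
```

The report gives the lag in releases per host, which is the number the chart's "User Activity" curve is really about: every release a host has skipped is a window in which the kit's exploits for the older version still work against it.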
What is an exploit kit?
• A software package designed to exploit vulnerable browsers and plugins
• Blackhole was the first major exploit kit
Monetization of Hacking
There are three main payload types:
• Ransomware
– Cryptowall, Teslacrypt
• Click-fraud agents
– Bedep
• Miscellaneous
– trojans, keyloggers, spyware
Detection Challenges
• Hashes
– Found 3,000+ Unique Hashes
– 6% in VT
– Most detection <10
• Encrypted Payloads
– Using Diffie-Hellman Encryption for IE Exploit
– Unique to each user
• Domain Behavior
– DDNS
– Domain Shadowing
– Adversary Owned Domains
– Hard Coded IP
Shutting Down Angler
• Partnered with Limestone Networks
– Examine Angler traffic
• Level-3
– Continued collaboration after SSHPsychos
• Proxy Server Configuration
• Health Monitoring
Summary
• Angler Continues to Evolve
• Other Exploit Kits Quickly Follow Suit
• Detection must Evolve to Keep Pace
• Collaboration Provides Greater Visibility
• Exploit Kits Industrialized – Big Money
Summary
• Started looking and found majority of activity at one provider
• Worked with DigitalOcean to Expose Activity
• Found majority of traffic outside of US
• Lots of Adult/Pornographic sites involved in campaign
• 150+ Countries involved
• Health Monitoring Found
• Virtually no logging on proxy server
• Coverage Developed for back-end communication
• Tor as a payload is new and could become more common as visibility continues to increase around these types of threats
• Gates and 302 Cushioning are being used heavily
CRYPTOWALL 4.0
Overview
• Notorious ransomware
• Version 1 first seen in 2014
• Distributed via Exploit kits and Phishing Emails
• Fast Evolution
File Encryption
Diagram: each file (1.jpg) is encrypted with a temporary AES-256 key; the RSA public key encrypts that temporary key. The output file random.xyz holds the Encrypted AES256 key, Other data, and Encrypted 1.jpg.
Directory listing shown:
15/10/07 12:39 <DIR> .
15/10/07 12:39 <DIR> ..
15/10/07 12:36 78,971 1.jpg
15/10/07 12:39 154,330 2.jpg
15/10/07 12:36 123,240 3.jpg
…
Temporary AES key can only be decrypted with the private RSA key
Network Communication
Sequence diagram between the CryptoWall Malware and the Command and Control Server:
• Malware to C2: Initial announcement to C2
• C2 to Malware: C2 Server ACK
• Malware to C2: Request PubKey, TOR domains, PNG wallpaper
• C2 to Malware: Send PubKey, TOR domains, PNG wallpaper
• Malware: Verify PubKey and start encrypting files…
• Malware to C2: Operation successful. Files encrypted. Done.
• C2 to Malware: C2 Server ACK
Excluded Local Regions
• CryptoWall 4 checks local region settings with an undocumented API Call
• Following regions are excluded from infections:
– Russian
– Kazakh
– Ukrainian
– Uzbek
– Belarusian
– Azeri
– Armenian
– … other Eastern Europe countries
Excluded Dir/Files/Ext
• Extensions: exe, dll, pif, scr, sys, msi, msp, com, hta, cpl, msc, bat, cmd, scf
• Directories: windows, temp, cache, sample pictures, default pictures, Sample Music, program files, program files (x86), games, sample videos, user account pictures, packages
• Files: help_your_files.txt, help_your_files.html, help_your_files.png, thumbs.db
Sam Sam Targets Healthcare
• Exploits JBoss Vulnerability
• Moves Laterally
• Targeted Across Organization
• Used recently against multiple hospitals
Summary
• Exploiting Network Vulnerabilities
– JBoss
• Laterally targets multiple systems
• Payment is in Bitcoin
• Obtain Private Key via Blog Comment
Web Shells!
• Web shells are a major security concern and are an indicator of compromise!
• If a web shell has been installed on a server, take immediate steps to remediate the issue
Summary
• Patch your systems
• If you find you’ve been compromised, take steps to remediate and remove any backdoors
TALOS INTEL BREAKDOWN
• 250+ Full Time Threat Intel Researchers
• MILLIONS of Telemetry Agents
• 4 Global Data Centers
• 1100 Threat Traps
• Over 100 Threat Intelligence Partners
THREAT INTEL
• 1.5 MILLION Daily Malware Samples
• 600 BILLION Daily Email Messages
• 16 BILLION Daily Web Requests
• Honeypots
• Open Source Communities
• Vulnerability Discovery (Internal)
• Telemetry
• Internet-Wide Scanning
INTEL SHARING
• Aspis / Crete
• AEGIS
• 3rd Party Programs (MAPP)
• ISACs