Talos Insight: Threat Innovation Emerging from the Noise
TRANSCRIPT
Earl Carter, Talos Threat Researcher
October 15, 2015
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Let’s talk about the threat landscape
3© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
THREAT LANDSCAPE
The number of CVE Entries in 2015 so far is
8147
9618
7441
Threats don’t go away, how do we address them?
MULTI-TIERED DEFENSE
Cloud to Core Coverage
• WEB: Reputation, URL Filtering, AVC
• END POINT: Software – ClamAV, Razorback, Moflow
• CLOUD: FireAMP & ClamAV detection content
• EMAIL: Reputation, AntiSpam, Outbreak Filters
• NETWORK: Snort Subscription Rule Set, VDB – FireSIGHT Updates & Content, SEU/SRU Product Detection & Prevention Content
• Global Threat Intelligence Updates
MULTI-TIERED DEFENSE
Talos is divided into 5 departments
• Inbound & Outbound Feeds
• Internal Systems & Development Operations
• All Detection Content Delivery
• Data Analytics & Correlation
• Threat Actor Attribution
• Open Source Community
• Detection & Prevention Content
• Vulnerability Research
• Malware Research
• Detection Research
• Policy Improvements
• Discovery
• Triage
• Exploit Development
• Mitigations
• Thought Leadership
• Consistent, Repeatable Security Messaging
• Threat Reports
• Media Relations
• Intelligence Systems
• Web & Email Intelligence
• Sandbox
• Engine Development
• ClamAV Development
Open Source
Public Facing Tools
• Threat detection and prevention: Snort, ClamAV, Razorback, & Daemonlogger
• Vulnerability detection and mitigation: Moflow, FreeSentry
Additional Toys
Talos in the news
LEADING THREAT INTELLIGENCE
Windows 10 Spam
• Talos discovered email campaign
• Began shortly after Windows 10 release
Payload: CTB-Locker Ransomware
LEADING THREAT INTELLIGENCE
Windows 10 Spam
• Talos is a key differentiator
• Unparalleled visibility
• Quick and effective detection & response
LEADING THREAT INTELLIGENCE
SSHPsychos
• Brute Force SSH Attacks until password guess
• 300K Unique Passwords
• Login from different address space
• Drop DDoS Rootkit on server
• Accounted for 1/3 of all SSH Traffic ON THE INTERNET
(Chart: SSH Brute Force Attempts)
LEADING THREAT INTELLIGENCE
SSHPsychos
ACTION TAKEN:
• Engaged Level 3… and other providers
• Sudden Pivot
• Null Routed
• Call to Action
• Effectively Limited
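The SSHPsychos pattern above (a guessing burst from one address space, then a password login from a different one) is something a defender can pick out of sshd logs. This is an added example, not Talos code; the log excerpt is constructed, and the /24 grouping and failure threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sshd log excerpt (not from the Talos deck): a burst of password
# guesses against root from one /24, then a password login for root from an
# unrelated network, which is the SSHPsychos behaviour described above.
SAMPLE_LOG = """\
Oct 15 02:01:10 host sshd[2201]: Failed password for root from 203.0.113.10 port 51022 ssh2
Oct 15 02:01:11 host sshd[2202]: Failed password for root from 203.0.113.10 port 51023 ssh2
Oct 15 02:01:12 host sshd[2203]: Failed password for root from 203.0.113.11 port 51024 ssh2
Oct 15 02:01:13 host sshd[2204]: Failed password for root from 203.0.113.11 port 51025 ssh2
Oct 15 02:01:14 host sshd[2205]: Failed password for root from 203.0.113.12 port 51026 ssh2
Oct 15 02:03:40 host sshd[2290]: Accepted password for root from 198.51.100.7 port 40010 ssh2
Oct 15 02:05:00 host sshd[2300]: Accepted publickey for alice from 192.0.2.5 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse(log):
    """Yield (result, method, user, ip) for each sshd authentication line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")

def find_shadow_logins(log, fail_threshold=3, prefix=24):
    """Return [(user, ip, guessing_networks)] for password logins that follow at
    least fail_threshold failures for the same account and come from a /prefix
    network that took no part in the guessing."""
    failures = defaultdict(lambda: defaultdict(int))  # user -> network -> count
    alerts = []
    for result, method, user, ip in parse(log):
        net = ip_network(f"{ip}/{prefix}", strict=False)
        if result == "Failed":
            failures[user][net] += 1
        elif method == "password":  # key-based logins cannot be guessed passwords
            guessed = sum(failures[user].values())
            if guessed >= fail_threshold and net not in failures[user]:
                alerts.append((user, ip, sorted(str(n) for n in failures[user])))
    return alerts
```

A hit here is a prompt to check the host for the dropped rootkit, not proof of compromise on its own.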
LEADING THREAT INTELLIGENCE
PoSeidon
• Scans Point-of-Sale devices for credit card numbers
• Risk for large organizations and small mom-and-pop establishments
LEADING THREAT INTELLIGENCE
Rombertik
• Multiple layers of obfuscation
• Hooks into user’s browser to read credentials & other sensitive info
• Propagates via spam and phishing
LEADING THREAT INTELLIGENCE
Rombertik
ACTION TAKEN:
• Identify malware
• Encourage best security practices
• AMP, CWS, ESA, Network Security, WSA
My Resume Protects All Your Files
LEADING THREAT INTELLIGENCE
Resume Spam Campaign
• Pretends to be employee resume
• Short-lived and Effective
• Includes Zip file attachment
The Infection Chain
Exploit Kits Evolve
Patching: A Window of Opportunity
Domain Shadowing
• Using sub domains of legitimate domains (i.e. bad.legit.com)
• Advanced evasion of blacklisting technologies
• Actors using random domains
• Hundreds of domain registrant accounts compromised
• Thousands of affected domains
• Delivered via malvertising
• Multiple tiers of subdomains being used for redirection
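A defender-side check for the shadowing pattern described on this slide, added here as an example rather than any Talos tooling: it groups passive-DNS records by registered domain (assumed, for the example, to be the last two labels) and flags random-looking subdomains that resolve outside the network the owner's own apex and www records live in. The records, the /24 grouping and the entropy threshold are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed passive-DNS style (hostname, resolved IP) records, not data from
# the Talos deck. legit.example plays a domain with a compromised registrant
# account: apex and www stay on the owner's host, while random subdomains
# point at attacker infrastructure in another network (the pattern above).
SAMPLE_RECORDS = [
    ("legit.example", "192.0.2.10"),
    ("www.legit.example", "192.0.2.10"),
    ("mail.legit.example", "192.0.2.11"),
    ("xk3q9z.legit.example", "203.0.113.5"),
    ("p0w2vb7.legit.example", "203.0.113.5"),
    ("zz81qm.legit.example", "203.0.113.9"),
    ("q7n2r.legit.example", "203.0.113.9"),
    ("shop.example", "198.51.100.20"),
    ("blog.shop.example", "198.51.100.20"),
]

def registered_domain(name: str) -> str:
    # Assumption for this example: the apex is the last two labels. Real data
    # needs a public-suffix list (co.uk, com.au, ...).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def entropy(label: str) -> float:
    """Shannon entropy in bits per character; random labels score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def find_shadowed_domains(records, min_subdomains=3, prefix=24, min_entropy=2.0):
    """Map apex -> sorted suspicious hostnames: subdomains that resolve outside
    the /prefix network of the apex (or www) and have random-looking labels."""
    by_apex = defaultdict(list)
    for name, ip in records:
        by_apex[registered_domain(name)].append((name, ip))
    findings = {}
    for apex, entries in by_apex.items():
        owner = {apex, "www." + apex}
        # Networks the owner's own records live in; if none are known, every
        # subdomain network counts as foreign.
        home = {ip_network(f"{ip}/{prefix}", strict=False)
                for name, ip in entries if name in owner}
        suspicious = [
            name for name, ip in entries
            if name not in owner
            and ip_network(f"{ip}/{prefix}", strict=False) not in home
            and entropy(name.split(".")[0]) >= min_entropy
        ]
        if len(suspicious) >= min_subdomains:
            findings[apex] = sorted(suspicious)
    return findings
```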
Overview
Static IP Address
Registered Domains
Fast Flux DNS
Dynamic DNS
Domain Shadowing
More Angler Evolution
Overview
• Deep Data Analytics July 2015
• Telemetry from compromised users
• ~1000 Sandbox Runs
• July 2015
• Angler Underwent several URL Changes
• Multiple “Hacking Team” 0-Days added
• Ended with tons of data
Detection Challenges
• Hashes
  • Found 3,000+ Unique Hashes
  • 6% in VT
  • Most detection <10
• Encrypted Payloads
  • Using Diffie-Hellman Encryption for IE Exploit
  • Unique to each user
• Domain Behavior
  • DDNS
  • Domain Shadowing
  • Adversary Owned Domains
  • Hard Coded IP
URL Structure Landing
/lists/18026519312117497906
/polymorphism-relate-disambiguation-probation/807433931184758078
/search?q=pmOmaU2uh_me&e2=Cp4-iyeALf7zBKFL35SjcU&4VHps=LLnyCmlfcZ5gKB&98=pUuxRyaYW-xQPyh&
/fizziest.php?q=G0PP8NWqU2pJgBkEkkb4nR&h=SHY&c=el7AqmPg-LYqbGJkbLhw&s=AeIDQZMgbummm1RYkwJB&az=zpv3C6laNuDACeto8OYvUTQu&ea=p&i=a1twO7co5&g=F
/viewtopic.php?f=1&t=015806680
/inflammatory/viewforum.php?f=17&sid=11246008
/evicts/search.php?keywords=616&fid[0]=2745796
URL Structure Exploit
/L8Vz9fnAJQ-NIIEeBal7h7QTEL5YpvcKfrOMuBGcE7sOA4Xt
/0V2e2PeF9XDbT_uCRPA43XEZexvaFojkBGfja5kEHDT28-u-Vkko5AB04Ht6w4AV/AVmBMYOz8hkFOC9zv9APM-UAx35zDy31CHZNI5aVT388hbag.pycharm?two=PgIqiVNOqsq&seven=yKj0ku
/change.xfdl?model=4cAwSLa0TZ&sound=iCIuP7&street=&sort=Ew3TGK&American=3__xZmrR&right=&animal=rfWXuq2Gf&two=UufQU4W-e
Unique Referrers
(Chart: Unique Referrers By Day, July 2015)
Exploit Details
Angler ASN Analysis
Angler HTTP Requests by Provider July 2015
Shutting Down Angler
Breakthrough
• Partnered with Limestone Networks
  • Gathered Images of Systems
  • Network Captures
• Level-3
  • Continued collaboration after SSHPsychos
  • Netflow Data Key to Investigation
• Undiscovered Findings directly related to the data
  • Proxy Server Configuration
  • Health Monitoring
A Look Inside Angler
Potential Revenue
talosintel.com
blogs.cisco.com/talos
@talossecurity
@kungchiu
Thank You. Visit us in the World of Solutions.