talos insight: threat innovation emerging from the noise

Earl Carter

Talos Threat ResearcherOctober 15, 2015

Threat Innovation Emerging from the Noise.

Talos Insight

2© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Let’s talk about the threat landscape


THREAT LANDSCAPE

The number of CVE Entries in 2015 so far is

8147

9618

7441


THREAT LANDSCAPE


Threats don’t go away, how do we address them?


MULTI-TIERED DEFENSE

Cloud to Core Coverage• WEB: Reputation, URL Filtering, AVC• END POINT: Software – ClamAV, Razorback,

Moflow• CLOUD: FireAMP & ClamAV detection content• EMAIL: Reputation, AntiSpam, Outbreak Filters• NETWORK: Snort Subscription Rule Set, VDB –

FireSIGHT Updates & Content, SEU/SRU Product Detection & Prevention Content

• Global Threat Intelligence Updates


MULTI-TIERED DEFENSE

Talos is divided into 5 departments

• Inbound & Outbound Feeds• Internal Systems & Development

Operations• All Detection Content Delivery• Data Analytics & Correlation• Threat Actor Attribution• Open Source Community

• Detection & Prevention Content• Vulnerability Research• Malware Research• Detection Research• Policy Improvements

• Discovery• Triage• Exploit

Development• Mitigations

• Thought Leadership• Consistent,

Repeatable Security Messaging

• Threat Reports• Media Relations

• Intelligence Systems• Web & Email

Intelligence• Sandbox• Engine Development• ClamAV Development


Open Source

Public Facing Tools• Threat detection and

prevention: Snort, ClamAV, Razorback, & Daemonlogger

• Vulnerability detection and mitigation: Moflow, FreeSentry


Additional Toys


Talos in the news


LEADING THREAT INTELLIGENCE

• Talos discovered email campaign

• Began shortly after Windows 10 release

Windows 10 Spam


Payload: CTB-Locker Ransomware



Windows 10 Spam

• Talos is a key differentiator• Unparalleled visibility• Quick and effective detection

& response



SSHPsychos

• Brute Force SSH Attacks until password guess

• 300K Unique Passwords• Login from different address

space• Drop DDoS Rootkit on

server• Accounted for 1/3 of all SSH

Traffic ON THE INTERNETSSH Brute Force Attempts



SSHPsychos

ACTION TAKEN:• Engaged Level 3…

and other providers• Sudden Pivot• Null Routed• Call to Action• Effectively Limited



PoSeidon

• Scans Point-of-Sale devices for credit card numbers

• Risk for large organizations and small mom-and-pop establishments



PoSeidon



Rombertik

• Multiple layers of obfuscation

• Hooks into user’s browser to read credentials & other sensitive info

• Propagates via spam and phishing



Rombertik

ACTION TAKEN:• Identify malware• Encourage best security practices• AMP, CWS, ESA, Network Security,

WSA



Rombertik


My Resume Protects All Your Files



Resume Spam Campaign

• Pretends to be employee resume

• Short-lived and Effective• Includes Zip file attachment


The Infection Chain


Exploit Kits Evolve


Patching: A Window of Opportunity


Domain Shadowing

Domain ShadowingUsing sub domains of legitimate domains (i.e. bad.legit.com)Advanced evasion of blacklisting technologiesActors using random domainsHundreds of domain registrant accounts compromisedThousands of affected domains

Delivered via malvertising

Multiple tiers of subdomains being used for redirection


Overview

Static IP Address

Registered Domains

Fast Flux DNS

Dynamic DNS

Domain Shadowing


More Angler Evolution


Overview• Deep Data Analytics July 2015

• Telemetry from compromised users• ~1000 Sandbox Runs

• July 2015• Angler Underwent several URL

Changes• Multiple “Hacking Team” 0-Days added

• Ended with tons of data


Detection Challenges• Hashes

• Found 3,000+ Unique Hashes• 6% in VT

• Most detection <10• Encrypted Payloads

• Using Diffie Helman Encryption for IE Exploit• Unique to each user

• Domain Behavior• DDNS• Domain Shadowing• Adversary Owned Domains• Hard Coded IP


/lists/18026519312117497906

URL Structure Landing

/polymorphism-relate-disambiguation-probation/807433931184758078

/search?q=pmOmaU2uh_me&e2=Cp4-iyeALf7zBKFL35SjcU&4VHps=LLnyCmlfcZ5gKB&98=pUuxRyaYW-xQPyh&

/fizziest.php?q=G0PP8NWqU2pJgBkEkkb4nR&h=SHY&c=el7AqmPg-LYqbGJkbLhw&s=AeIDQZMgbummm1RYkwJB&az=zpv3C6laNuDACeto8OYvUTQu&ea=p&i=a1twO7co5&g=F

/viewtopic.php?f=1&t=015806680

/inflammatory/viewforum.php?f=17&sid=11246008 /evicts/search.php?keywords=616&fid[0]=2745796


/L8Vz9fnAJQ-NIIEeBal7h7QTEL5YpvcKfrOMuBGcE7sOA4Xt

URL Structure Exploit

/0V2e2PeF9XDbT_uCRPA43XEZexvaFojkBGfja5kEHDT28-u-Vkko5AB04Ht6w4AV/AVmBMYOz8hkFOC9zv9APM-UAx35zDy31CHZNI5aVT388hbag.pycharm?two=PgIqiVNOqsq&seven=yKj0ku

/change.xfdl?model=4cAwSLa0TZ&sound=iCIuP7&street=&sort=Ew3TGK&American=3__xZmrR&right=&animal=rfWXuq2Gf&two=UufQU4W-e


Unique Referrers

Unique Referers By Day July 2015


Exploit Details


Angler ASN Analysis

Angler HTTP Requests by Provider July 2015


Shutting Down Angler


Breakthrough

• Partnered with Limestone Networks• Gathered Images of Systems• Network Captures

• Level-3• Continued collaboration after SSHPsychos• Netflow Data Key to Investigation

• Undiscovered Findings directly related to the data• Proxy Server Configuration• Health Monitoring


A Look Inside Angler


Potential Revenue


talosintel.comblogs.cisco.com/talos

@talossecurity@kungchiu

Thank You. Visit us in the World of Solutions.

talos insight: threat innovation emerging from the noise

Technology