Artsiom Holub
March, 2016
Deconstructing The Cyber Kill Chain of Angler Exploit Kit
CONFIDENTIAL (slide 2)
PRESENTER
• Security Research Analyst on the OpenDNS team
• Undergraduate studies from National Technical University of Belarus in Computer Science
• Currently earning an Associate in Science degree from City College of San Francisco in Computer Networking and Information Security
• Network Security and Cyber Security certified
• Freelance pentester and bounty hunter
AGENDA
CYBER KILL CHAIN OF AEK CAMPAIGN
APT PARALLELS AND SIGHS
ANGLER EK ORIGIN
MONEY FLOW
DETECTION & PREVENTION
SUMMARY
ANGLER EK ORIGIN
• First appearance of a unique ‘bodiless’ bot attacking news site visitors
• Reported by Russian researcher Sergey Golovanov in March 2012
• Unknown exploit as a part of Cool EK
• One of the first captured by Kafeine in August 2013
• Used fileless capabilities
• Angler in the context of the Blackhole takedown
• Kafeine chose the name for this exploit kit in October 2013
• Mapped to the ‘bodiless’ bot and the XXX exploit kit
• XXX is the real name of Angler
• 2010 is the real birth year of Angler
APT PARALLELS AND SIGHS
ADVANCED
Using advanced techniques at all stages of the campaign
• Utilizing the most recent vulnerabilities (CVE)
• Implementing honeypot and antivirus detection and avoidance
• Domain shadowing
• Encrypted payloads
APT PARALLELS AND SIGHS
PERSISTENT
• Angler EK is
• Talos thwarted access to ASNs that accounted for almost 90% of overall Angler traffic in October 2015
• IP scheme changed; the threat still exists and is growing.
APT PARALLELS AND SIGHS
THREAT
• Delivering ransomware makes it easily profitable
• Ransomware accompanied by other malware (Bedep, Pony, etc.) makes it even more profitable
• Used infrastructure and stolen information can be traded or rented to other malicious authors
Introducing the Cyber Kill Chain of a Malicious Angler Campaign in the Wild
CYBER KILL CHAIN
• Reconnaissance
• Exploitation & Weaponization
• Delivery & Installation
• Command and Control
• Actions
The kill chain is mostly used in terms of APT, so I have to modify it for my case.
Figure: Reconnaissance -> Exploitation & Weaponization -> Delivery & Installation -> C&C -> Actions
RECONNAISSANCE
List of things needed for a successful campaign
• Dedicated basic infrastructure - for C&C addresses, and for DNS tunnels for guaranteed egress
• Compromised registrant emails - for domain shadowing
• Bulletproof hosting - for use as C&C servers, to receive connect-back shells, to launch attacks. Recently active on .top and .tk
• Abused large providers - to host landing pages
• Acquiring a list of vulnerable sites - for use as pivots to hide the IP addresses of the stable servers and exploits
• Registering fake advertising companies - to deliver traffic
RECONNAISSANCE
• Dedicated infrastructure advertises bogons
• Phishing campaigns use the advertised addresses
• Infrastructure ready
• Accounts used in domain shadowing acquired
• LAUNCH OF THE CAMPAIGN
EXPLOITATION
COMPROMISED DOMAINS, HOSTING LANDER PAGES (pie chart)
Categories: WordPress, Joomla, domain shadowing, dedicated, others
Shares shown: 42%, 5%, 36%, 11%, 6% (the extraction does not preserve which share belongs to which category)
EXPLOITATION & WEAPONIZATION
Victims are compromised through one of these vulnerabilities (bar chart, share of victims in %, axis 0 to 30):
CVE-2016-0034, CVE-2015-8651, CVE-2015-8446, CVE-2015-7645, CVE-2015-5560, CVE-2015-0313, CVE-2015-2419, others
EXPLOITATION & WEAPONIZATION
Placing lander pages with payloads (chart of payload families): TeslaCrypt, CryptoWall, Bedep, HydraCrypt, Others, Vawtrak, Tinba
DELIVERY
Some of the main points in the delivery scheme
• Pseudo Darkleech - not a server-level infection. The malicious PHP code is injected into the menu.php/index.php file and fetches the actual iframe code on the fly from a remote server.
• DNS Shadowing - the iframe URL (which used to be a No-IP dynamic host name) has been replaced with third-level domain names of sites with hacked DNS accounts (a lot of GoDaddy) that live only for a few hours, for example:
ludeincenvira[.]buydashcameras[.]com
republicanaaccenner[.]handymannservices[.]com
scissorcase-kursfest[.]flatfeexpress[.]com
uitgehougovorili9[.]goalrillabasketballgoals[.]info
• Forum-like URLs - iframe URLs now resemble the URLs of forum sites. They include one of the following URL parts with random parameters:
/boards/index.php?PHPSESSID=...
/topic/viewtopic.php?PHPSESSID=...
/forums/search.php?PHPSESSID=...
/civis/search.php?85285-…
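The two delivery indicators above (shadowed third-level names that resolve away from their apex, and forum-like iframe URLs with a random PHPSESSID or numeric parameter) turned into detection logic, as an added example that is not from the talk or from OpenDNS. It scans constructed proxy log lines against a constructed DNS view; the hostnames and URL paths are the slide's, while the log format, the IP addresses (RFC 5737 documentation ranges), the /24 comparison and the allow-list of conventional labels are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Forum-like iframe paths listed on the Delivery slide; the query carried a random
# PHPSESSID value, or a bare numeric token in the /civis/search.php case.
FORUM_PATH_RE = re.compile(r"^/(boards/index|topic/viewtopic|forums/search|civis/search)\.php$")
NUMERIC_QUERY_RE = re.compile(r"^\d+-")

# Conventional third-level labels that often legitimately resolve elsewhere
# (assumption: a small allow-list; a real deployment would use the registrant's known records).
COMMON_LABELS = {"www", "mail", "ftp", "smtp", "imap", "pop", "ns1", "ns2", "webmail", "cpanel"}


def split_host(host):
    """Split 'a.b.example' into (third-level part, apex).
    Simplification: the apex is always the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def looks_shadowed(host, host_ip, apex_ip):
    """Domain-shadowing heuristic from the slide ('TLD resides on a different IP'):
    a non-conventional subdomain whose A record lies outside the apex's /24."""
    label, _apex = split_host(host)
    if label is None or label in COMMON_LABELS:
        return False
    try:
        host_net = ipaddress.ip_network(f"{host_ip}/24", strict=False)
        return ipaddress.ip_address(apex_ip) not in host_net
    except ValueError:  # unparsable address: no verdict
        return False


def forum_like_url(url):
    """True when the path matches the forum-like pattern and the query carries a
    PHPSESSID (or bare numeric) parameter, as the slide's iframe URLs did."""
    parts = urlsplit(url)
    if not FORUM_PATH_RE.match(parts.path):
        return False
    if "PHPSESSID" in parse_qs(parts.query, keep_blank_values=True):
        return True
    return bool(NUMERIC_QUERY_RE.match(parts.query))


def scan_proxy_log(lines, dns_view):
    """Return [(client, host, reasons)] for lines tripping at least one indicator.
    Each line is 'timestamp client url status'; dns_view maps hostname -> A record."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[1], fields[2]
        host = urlsplit(url).hostname or ""
        reasons = []
        if forum_like_url(url):
            reasons.append("forum-like iframe URL with random parameter")
        _label, apex = split_host(host)
        if host in dns_view and apex in dns_view and looks_shadowed(host, dns_view[host], dns_view[apex]):
            reasons.append("shadowed subdomain: resolves outside the apex /24")
        if reasons:
            findings.append((client, host, reasons))
    return findings


# Constructed sample data: hostnames and paths are the slide's examples (defanging
# removed); all IP addresses are from RFC 5737 documentation ranges.
SAMPLE_DNS = {
    "buydashcameras.com": "192.0.2.10",
    "ludeincenvira.buydashcameras.com": "203.0.113.77",  # other netblock: shadowed
    "mail.buydashcameras.com": "203.0.113.5",            # other netblock, conventional label
    "flatfeexpress.com": "198.51.100.20",
    "scissorcase-kursfest.flatfeexpress.com": "203.0.113.78",
    "www.flatfeexpress.com": "198.51.100.20",
}

SAMPLE_LOG = """\
2016-03-01T10:00:01Z 10.0.0.12 http://www.example-news.invalid/index.php 200
2016-03-01T10:00:02Z 10.0.0.12 http://ludeincenvira.buydashcameras.com/boards/index.php?PHPSESSID=kq9d3x1 200
2016-03-01T10:00:03Z 10.0.0.12 http://scissorcase-kursfest.flatfeexpress.com/civis/search.php?85285-qr 200
2016-03-01T10:00:04Z 10.0.0.33 http://www.flatfeexpress.com/forums/search.php?PHPSESSID=abc 200
2016-03-01T10:00:05Z 10.0.0.33 http://mail.buydashcameras.com/ 200
"""

if __name__ == "__main__":
    for client, host, reasons in scan_proxy_log(SAMPLE_LOG.splitlines(), SAMPLE_DNS):
        print(f"{client} -> {host}: {'; '.join(reasons)}")
```

A hit on only the URL pattern (the www.flatfeexpress.com line) is a weaker signal than a hit on both, so the reasons list is returned for scoring rather than collapsed into a single verdict.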
DELIVERY & INSTALLATION
Most recent model delivering user traffic to lander pages:
• Victim visits a well-known trusted site (IP reputation: not blocked)
• goo.gl URLs, abused ad networks, including top ones, and fake advertiser domains
• Ad call URL is SSL-encrypted, or the code is hidden in a GIF with on-the-fly encoding
• Targeted genuine residential IP is redirected to the compromised site; only specific IPs will be redirected
• Next redirect to a shadow copy or compromised site (domain shadowing technique, TLD resides on a different IP)
• Victim hits the lander page (second payload); web filter failed, web address is not blocked
• Payload delivered: initial payload delivered and executed if the system is vulnerable; antivirus failed, binary is obfuscated
• Negotiate encryption; web filter failed, communication is not blocked
• Encrypt data, remove local backups, display ransom notes
Installation
Fileless ransomware exploitation technique
• Locate an exploitable process: the process is loaded into memory but the primary thread is suspended
• Inject the first payload into it: the process calls LoadLibrary
• Force the DLL to load in the context of that process: the malicious remote DLL is loaded
• When encryption is finished, free the memory: persistence isn’t a goal
MONEY FLOW
MONEY GATHERED DURING THE CAMPAIGN, MOSTLY IN BTC
ESTIMATED YEARLY REVENUE AFTER TALOS THWART: $17,126,058.00
CAMPAIGN OWNERS’ EXPENSES & LOSSES
• The process of legalizing BTC income is difficult
• Main ways are carding, shopping, underground exchange, money mules
• Money spent on infrastructure, maintenance, recon campaigns
• The end result is about 50+% loss
DETECTION & PREVENTION
• SPRank, created by our researchers, detects compromised domains based on DNS data
• A honeypot run by an analyst provides another source of compromised domains based on HTTP data
• Pivoting around these domains lets us discover compromised registrants and IPs
• Data available in Investigate helps to identify reused infrastructure, malicious authors, and patterns
STOPPING THE EXPLOIT CHAIN AT ANY STEP CAN MITIGATE INFECTION
EXAMPLE
Figure: dedicated accounts used for multiple scams; dedicated and abused servers
EXAMPLE
Figure: bulletproof hosting; potentially compromised
DETECTION
ANALYSIS LEADS TO NEW THREAT MODELS WITH A DIFFERENT BASIS
Figure: pivot graph from SEED to ROOT over numbered nodes 1 to 10; data sources: Investigate, Honeypot, VirusTotal, Malwr, ThreatGrid
ABUSED and DEDICATED ASNs
Most active ASNs in the last 90 days
• AS 59504 CYBERTECH-AS LLC CyberTech, RU
• AS 201094 GMHOST Mulgin Alexander Sergeevich, UA (dedicated)
• AS 15756 CARAVAN JSC Caravan Telecom, RU
• AS 48716 PS-AS PS Internet Company LLC, RU
• AS 43146 AGAVA3 Agava Ltd., RU
• AS 16276 OVH OVH SAS, FR (highly abused)
• AS 15083 INFOLINK-MIA-US - Infolink Global Corporation, US
• AS 29182 ISPSYSTEM-AS JSC _ISPsystem_, LU
• AS 53264 CDC-LMB1 - Continuum Data Centers, LLC., US
• AS 20860 IOMART-AS Iomart, GB
• AS 12586 ASGHOSTNET GHOSTnet GmbH, DE 86400 (.tk)
• AS 203973 GUARDOMICRO-AS GUARDOMICRO S.R.L, RO 86400 (.tk)
Figure: graphical representation of IPs to ASNs active for the last 90 days
PREVENTION
Ways to mitigate risks
• Keep backups of the data at all times
• Use a layered security system; a software and/or hardware firewall is a must-have
• Implement DNS control
• Patch management (covers most exploits)
• Maintain consistency of the domain’s DNS settings, so it contains only legitimate records
• User education
SUMMARY
Reasons Angler Keeps Winning
• The organizations responsible for these exploit kit campaigns are generating millions of dollars in revenue. As a result they are continually evolving to maximize the number of users that are impacted.
• Findings point to a larger organization that is using various threats to infect users for monetary gain.
• With close to 40% of users hitting Angler infrastructure being compromised, it is a significant threat.
• Security applications do not quickly recognize ransomware’s maliciousness, because ransomware itself “effectively acts as a security application.”
• The details are not always known, because unlike data breaches, ransomware attacks do not need to be disclosed by law.
Artsiom Holub – Security Research Analyst
artholub@cisco.com
Credits to Kafeine

Contenu connexe

Tendances

Early Detection of Malicious Activity—How Well Do You Know Your DNS?
Early Detection of Malicious Activity—How Well Do You Know Your DNS?Early Detection of Malicious Activity—How Well Do You Know Your DNS?
Early Detection of Malicious Activity—How Well Do You Know Your DNS?Priyanka Aash
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorPositive Hack Days
 
The DNS Tunneling Blindspot
The DNS Tunneling BlindspotThe DNS Tunneling Blindspot
The DNS Tunneling BlindspotBrian A. McHenry
 
Detecting dns-tunneling-34152
Detecting dns-tunneling-34152Detecting dns-tunneling-34152
Detecting dns-tunneling-34152huynhvanphuc
 
Web Services and Devices Profile for Web Services (DPWS)
Web Services and Devices Profile for Web Services (DPWS)Web Services and Devices Profile for Web Services (DPWS)
Web Services and Devices Profile for Web Services (DPWS)Jorgen Thelin
 
Umbrella for MSPs: Enterprise Grade Malware Protection & Containment
Umbrella for MSPs: Enterprise Grade Malware Protection & ContainmentUmbrella for MSPs: Enterprise Grade Malware Protection & Containment
Umbrella for MSPs: Enterprise Grade Malware Protection & ContainmentOpenDNS
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyCrowdStrike
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sightRob Gillen
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
Detecting Malicious SSL Certificates Using Bro
Detecting Malicious SSL Certificates Using BroDetecting Malicious SSL Certificates Using Bro
Detecting Malicious SSL Certificates Using BroAndrew Beard
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS DefenseJames Dickenson
 
DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)Olle E Johansson
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume CompromiseZach Grace
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer AttacksArun Modi
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSJohn Bambenek
 
Class Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingClass Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingBeibei Yang
 
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian HilemanAre your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian HilemanEC-Council
 
Splunk for Security Workshop
Splunk for Security WorkshopSplunk for Security Workshop
Splunk for Security WorkshopSplunk
 

Tendances (20)

Early Detection of Malicious Activity—How Well Do You Know Your DNS?
Early Detection of Malicious Activity—How Well Do You Know Your DNS?Early Detection of Malicious Activity—How Well Do You Know Your DNS?
Early Detection of Malicious Activity—How Well Do You Know Your DNS?
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
 
The DNS Tunneling Blindspot
The DNS Tunneling BlindspotThe DNS Tunneling Blindspot
The DNS Tunneling Blindspot
 
Detecting dns-tunneling-34152
Detecting dns-tunneling-34152Detecting dns-tunneling-34152
Detecting dns-tunneling-34152
 
Web Services and Devices Profile for Web Services (DPWS)
Web Services and Devices Profile for Web Services (DPWS)Web Services and Devices Profile for Web Services (DPWS)
Web Services and Devices Profile for Web Services (DPWS)
 
Umbrella for MSPs: Enterprise Grade Malware Protection & Containment
Umbrella for MSPs: Enterprise Grade Malware Protection & ContainmentUmbrella for MSPs: Enterprise Grade Malware Protection & Containment
Umbrella for MSPs: Enterprise Grade Malware Protection & Containment
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sight
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
Detecting Malicious SSL Certificates Using Bro
Detecting Malicious SSL Certificates Using BroDetecting Malicious SSL Certificates Using Bro
Detecting Malicious SSL Certificates Using Bro
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS Defense
 
DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume Compromise
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer Attacks
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
Class Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingClass Project Showcase: DNS Spoofing
Class Project Showcase: DNS Spoofing
 
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian HilemanAre your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
 
Splunk for Security Workshop
Splunk for Security WorkshopSplunk for Security Workshop
Splunk for Security Workshop
 

Similaire à Angler talk

HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderHSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderSplend
 
Cisco Connect Halifax 2018 Anatomy of attack
Cisco Connect Halifax 2018   Anatomy of attackCisco Connect Halifax 2018   Anatomy of attack
Cisco Connect Halifax 2018 Anatomy of attackCisco Canada
 
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)BAKOTECH
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...BAKOTECH
 
The evolving threat in the face of increased connectivity
The evolving threat in the face of increased connectivityThe evolving threat in the face of increased connectivity
The evolving threat in the face of increased connectivityAPNIC
 
bh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdfbh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdfcyberhacker7
 
O seu DNS está protegido
O seu DNS está protegidoO seu DNS está protegido
O seu DNS está protegidoCisco do Brasil
 
Compliance made easy. Pass your audits stress-free.
Compliance made easy. Pass your audits stress-free.Compliance made easy. Pass your audits stress-free.
Compliance made easy. Pass your audits stress-free.AlgoSec
 
Microsegmentation from strategy to execution
Microsegmentation from strategy to executionMicrosegmentation from strategy to execution
Microsegmentation from strategy to executionAlgoSec
 
2021 01-13 reducing risk-of_ransomware
2021 01-13 reducing risk-of_ransomware2021 01-13 reducing risk-of_ransomware
2021 01-13 reducing risk-of_ransomwareAlgoSec
 
Building Cloud Applications Based On Zero Trust
Building Cloud Applications Based On Zero TrustBuilding Cloud Applications Based On Zero Trust
Building Cloud Applications Based On Zero TrustMahesh Patil
 
Living with the threat of Determined Attackers - RANT0214
Living with the threat of Determined Attackers - RANT0214Living with the threat of Determined Attackers - RANT0214
Living with the threat of Determined Attackers - RANT0214James '​-- Mckinlay
 
Maximising the security of your cloud infrastructure
Maximising the security of your cloud infrastructureMaximising the security of your cloud infrastructure
Maximising the security of your cloud infrastructureOVHcloud
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationWilson Rogerio Lopes
 
Pegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowPegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowSkycure
 
pegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdfpegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdf064ChetanWani
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
 

Similaire à Angler talk (20)

HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderHSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
 
Cisco Connect Halifax 2018 Anatomy of attack
Cisco Connect Halifax 2018   Anatomy of attackCisco Connect Halifax 2018   Anatomy of attack
Cisco Connect Halifax 2018 Anatomy of attack
 
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
 
The evolving threat in the face of increased connectivity
The evolving threat in the face of increased connectivityThe evolving threat in the face of increased connectivity
The evolving threat in the face of increased connectivity
 
bh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdfbh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdf
 
O seu DNS está protegido
O seu DNS está protegidoO seu DNS está protegido
O seu DNS está protegido
 
Compliance made easy. Pass your audits stress-free.
Compliance made easy. Pass your audits stress-free.Compliance made easy. Pass your audits stress-free.
Compliance made easy. Pass your audits stress-free.
 
JAKU Botnet Analysis
JAKU Botnet AnalysisJAKU Botnet Analysis
JAKU Botnet Analysis
 
Microsegmentation from strategy to execution
Microsegmentation from strategy to executionMicrosegmentation from strategy to execution
Microsegmentation from strategy to execution
 
2021 01-13 reducing risk-of_ransomware
2021 01-13 reducing risk-of_ransomware2021 01-13 reducing risk-of_ransomware
2021 01-13 reducing risk-of_ransomware
 
Building Cloud Applications Based On Zero Trust
Building Cloud Applications Based On Zero TrustBuilding Cloud Applications Based On Zero Trust
Building Cloud Applications Based On Zero Trust
 
Living with the threat of Determined Attackers - RANT0214
Living with the threat of Determined Attackers - RANT0214Living with the threat of Determined Attackers - RANT0214
Living with the threat of Determined Attackers - RANT0214
 
Maximising the security of your cloud infrastructure
Maximising the security of your cloud infrastructureMaximising the security of your cloud infrastructure
Maximising the security of your cloud infrastructure
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and Mitigation
 
Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018
 
Pegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowPegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to Know
 
pegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdfpegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdf
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 

Dernier

Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...Sapana Sha
 
20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdf20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdfHuman37
 
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...soniya singh
 
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSINGmarianagonzalez07
 
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024thyngster
 
How we prevented account sharing with MFA
How we prevented account sharing with MFAHow we prevented account sharing with MFA
How we prevented account sharing with MFAAndrei Kaleshka
 
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...Boston Institute of Analytics
 
Customer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptxCustomer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptxEmmanuel Dauda
 
Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...
Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...
Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...limedy534
 
DBA Basics: Getting Started with Performance Tuning.pdf
DBA Basics: Getting Started with Performance Tuning.pdfDBA Basics: Getting Started with Performance Tuning.pdf
DBA Basics: Getting Started with Performance Tuning.pdfJohn Sterrett
 
Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Top 5 Best Data Analytics Courses In Queens
Top 5 Best Data Analytics Courses In QueensTop 5 Best Data Analytics Courses In Queens
Top 5 Best Data Analytics Courses In Queensdataanalyticsqueen03
 
毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree
毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree
毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degreeyuu sss
 
Predictive Analysis for Loan Default Presentation : Data Analysis Project PPT
Predictive Analysis for Loan Default  Presentation : Data Analysis Project PPTPredictive Analysis for Loan Default  Presentation : Data Analysis Project PPT
Predictive Analysis for Loan Default Presentation : Data Analysis Project PPTBoston Institute of Analytics
 
From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...Florian Roscheck
 
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一F sss
 
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...dajasot375
 
IMA MSN - Medical Students Network (2).pptx
IMA MSN - Medical Students Network (2).pptxIMA MSN - Medical Students Network (2).pptx
IMA MSN - Medical Students Network (2).pptxdolaknnilon
 
GA4 Without Cookies [Measure Camp AMS]
GA4 Without Cookies [Measure Camp AMS]GA4 Without Cookies [Measure Camp AMS]
GA4 Without Cookies [Measure Camp AMS]📊 Markus Baersch
 

Dernier (20)

Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
 
20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdf20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdf
 
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...
 
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
 
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
 

Angler talk

  • 1. Artsiom Holub, March 2016. Deconstructing The Cyber Kill Chain of Angler Exploit Kit
  • 2. CONFIDENTIAL. PRESENTER
    • Security Research Analyst on the OpenDNS team
    • Undergraduate studies from National Technical University of Belarus in Computer Science
    • Currently earning an Associate in Science degree from City College of San Francisco in Computer Networking and Information Security
    • Network Security and Cyber Security certified
    • Freelance pentester and bounty hunter
  • 3. AGENDA
    • CYBER KILL CHAIN OF AEK CAMPAIGN
    • APT PARALLELS AND SIGHS
    • ANGLER EK ORIGIN
    • MONEY FLOW
    • DETECTION & PREVENTION
    • SUMMARY
  • 4. ANGLER EK ORIGIN
    • First appearance of a unique ‘bodiless’ bot attacking news site visitors
    • Reported by Russian researcher Sergey Golovanov in March 2012
    • Unknown exploit as a part of Cool EK
    • One of the first captured by Kafeine in August 2013
    • Used fileless capabilities
    • Angler in the context of the Blackhole takedown
    • Kafeine chose the name for this exploit kit in October 2013
    • Mapped to the ‘bodiless’ bot and the XXX exploit kit
    • XXX is the real name for Angler
    • 2010 is the real birth year of Angler
  • 5. APT PARALLELS AND SIGHS: ADVANCED. Using advanced techniques at all stages of the campaign
    • Utilizing the most recent vulnerabilities (CVEs)
    • Implementing honeypot and antivirus detection and avoidance
    • Domain shadowing
    • Encrypted payloads
  • 6. APT PARALLELS AND SIGHS: PERSISTENT
    • Angler EK is persistent
    • Talos thwarted access to ASNs that accounted for almost 90% of overall Angler traffic in October 2015
    • The IP scheme changed; the threat still exists and is growing.
  • 7. APT PARALLELS AND SIGHS: THREAT
    • Delivering ransomware makes it easily profitable
    • Ransomware accompanied by other malware (Bedep, Pony, etc.) makes it even more profitable
    • The infrastructure used and the stolen information can be traded or rented to other malicious actors
  • 8. Introducing the Cyber Kill Chain of a Malicious Angler Campaign in the Wild
  • 9. CYBER KILL CHAIN
    • Reconnaissance
    • Exploitation & Weaponization
    • Delivery & Installation
    • Command and Control
    • Actions
    Mostly used in terms of APT, so I have to modify it for my case. (Diagram: Reconnaissance → Exploitation & Weaponization → Delivery & Installation → C&C → Actions)
  • 10. RECONNAISSANCE. List of things needed for a successful campaign
    • Dedicated basic infrastructure - for C&C addresses, and for DNS tunnels for guaranteed egress
    • Compromised registrant emails - for domain shadowing
    • Bulletproof hosting - for use as C&C servers, to receive connect-back shells, to launch attacks. Recently active: .top and .tk
    • Abused large providers - to host landing pages
    • Acquiring a list of vulnerable sites - for use as pivots to hide the IP addresses of the stable servers and exploits
    • Registering fake advertising companies - to deliver traffic
  • 11. RECONNAISSANCE (flow diagram): Dedicated infrastructure advertises bogons → Phishing campaigns use the advertised addresses → Infrastructure ready → Accounts used in domain shadowing acquired → LAUNCH OF THE CAMPAIGN
  • 12. EXPLOITATION. Compromised domains hosting lander pages (pie chart; categories in extracted order: Wordpress, Joomla, Domain shadowing, Dedicated, Others; shares in extracted order: 42%, 5%, 36%, 11%, 6%)
  • 13. EXPLOITATION & WEAPONIZATION. Compromising victims through one of the vulnerabilities (bar chart, share of infections in %, axis 0 to 30): CVE-2016-0034, CVE-2015-8651, CVE-2015-8446, CVE-2015-7645, CVE-2015-5560, CVE-2015-0313, CVE-2015-2419, others
  • 14. EXPLOITATION & WEAPONIZATION. Placing lander pages with payloads (chart): Teslacrypt, Cryptowall, Bedep, Hydracrypt, Others, Vawtrak, Tinba
  • 15. DELIVERY. Some of the main points in the delivery schema
    • Pseudo Darkleech - not a server-level infection. The malicious PHP code is injected into the menu.php/index.php file. It fetches the actual iframe code on the fly from a remote server.
    • DNS shadowing - the iframe URL (which used to be a No-IP dynamic host name) has been replaced with third-level domain names of sites with hacked DNS accounts (a lot of GoDaddy) that live only for a few hours, for example:
      ludeincenvira[.]buydashcameras[.]com
      republicanaaccenner[.]handymannservices[.]com
      scissorcase-kursfest[.]flatfeexpress[.]com
      uitgehougovorili9[.]goalrillabasketballgoals[.]info
    • Forum-like URLs - iframe URLs now resemble URLs of forum sites. They include the following URL part with random parameters:
      /boards/index.php?PHPSESSID=...
      /topic/viewtopic.php?PHPSESSID=...
      /forums/search.php?PHPSESSID=...
      /civis/search.php?85285-…
  • 16. DELIVERY & INSTALLATION. Most recent model delivering user traffic to lander pages (flow diagram; the failed control at each step is in parentheses)
    • Victim visits a well known, trusted site (IP reputation: content not blocked)
    • goo.gl URLs, abused ad networks including top ones, fake advertiser domains; SSL encrypts the ad call URL, or a GIF hides code with on-the-fly encoding
    • Targeted genuine residential IP is redirected to a compromised site; only specific IPs will be redirected
    • Next redirect to a shadow copy or compromised site (domain shadowing technique; the TLD resides on a different IP)
    • Victim hits the lander page (second payload) (web filter failed: web address is not blocked)
    • Payload delivered; initial payload delivered and executed if the system is vulnerable (antivirus failed: binary is obfuscated)
    • Negotiate encryption (web filter failed: communication is not blocked)
    • Encrypt data, remove local backups, display ransom notes
  • 17. INSTALLATION. Fileless ransomware exploitation technique (flow diagram)
    • Locate an exploitable process
    • Inject the first payload into it
    • Force the DLL to load in the context of that process
    • When encryption is finished, free memory
    • The process is loaded into memory but the primary thread is suspended
    • Process calls LoadLibrary
    • Loads malicious remote DLL
    • Persistence isn’t a goal
  • 19. MONEY GATHERED DURING CAMPAIGN, MOSTLY IN BTC. Estimated yearly revenue of the campaign owners after the Talos thwart: $17,126,058.00. Expenses & losses:
    • The process of legalizing BTC income is difficult
    • Main ways are carding, shopping, underground exchange, money mules
    • Money spent on infrastructure, maintenance, recon campaigns
    • The end result is about 50+% loss
  • 20. DETECTION & PREVENTION. Stopping the exploit chain at any step can mitigate infection
    • SPRank, created by our researchers, detects compromised domains based on DNS data
    • A honeypot run by an analyst provides another source of compromised domains based on HTTP data
    • Pivoting around these domains lets us discover compromised registrants and IPs
    • Data available in Investigate helps to identify reused infrastructure, malicious authors, and patterns
  • 21. EXAMPLE (figure): dedicated accounts used for multiple scams; dedicated and abused servers
  • 23. DETECTION. Analysis leads to new threat models with a different basis (diagram: seed sources Investigate, Honeypot, VirusTotal, Malwr, ThreatGrid; a root node expanding through numbered pivots 1 to 10)
  • 24. ABUSED and DEDICATED ASNs. Most active ASNs in the last 90 days
    • AS 59504 CYBERTECH-AS LLC CyberTech, RU
    • AS 201094 GMHOST Mulgin Alexander Sergeevich, UA (dedicated)
    • AS 15756 CARAVAN JSC Caravan Telecom, RU
    • AS 48716 PS-AS PS Internet Company LLC, RU
    • AS 43146 AGAVA3 Agava Ltd., RU
    • AS 16276 OVH OVH SAS, FR (highly abused)
    • AS 15083 INFOLINK-MIA-US - Infolink Global Corporation, US
    • AS 29182 ISPSYSTEM-AS JSC _ISPsystem_, LU
    • AS 53264 CDC-LMB1 - Continuum Data Centers, LLC., US
    • AS 20860 IOMART-AS Iomart, GB
    • AS 12586 ASGHOSTNET GHOSTnet GmbH, DE 86400 (.tk)
    • AS 203973 GUARDOMICRO-AS GUARDOMICRO S.R.L, RO 86400 (.tk)
  • 26. PREVENTION. Ways to mitigate risks
    • Keep backups of the data at all times
    • Use a layered security system; a software and/or hardware firewall is a must have
    • Implement DNS control
    • Patch management (most exploits)
    • Maintain consistency of the domain’s DNS settings, so that it contains only legitimate records
    • User education
  • 28. Reasons Angler Keeps Winning
    • The organizations responsible for these exploit kit campaigns are generating millions of dollars in revenue. As a result they are continually evolving to maximize the number of users that are impacted.
    • Findings point to a larger organization that is using various threats to infect users for monetary gain.
    • With close to 40% of users hitting Angler infrastructure being compromised, it is a significant threat.
    • Security applications do not quickly recognize ransomware’s maliciousness, because ransomware itself “effectively acts as a security application”.
    • The details are not always known, because unlike data breaches, ransomware attacks do not need to be disclosed by law.
  • 29. Artsiom Holub – Security Research Analyst, artholub@cisco.com. Credits to Kafeine
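Slide 15 names two observable traits of the delivery iframe URLs: third-level host names under legitimate registered domains (domain shadowing) and forum-like paths carrying a PHPSESSID parameter. The script below is an added example, not code from the deck or from OpenDNS; it scores constructed web proxy log lines on those two traits so a defender can see how the pattern surfaces in logs. The log line format, the client IPs and the benign hosts are assumptions; the shadowed host names are the ones the slide lists.

```python
"""Flag Angler-style delivery URLs in web proxy logs.

Added example (not from the slides or OpenDNS). Each URL is scored on two
traits the slides describe: a third-level host name under a registrable domain
(domain shadowing) and a forum-like path such as /boards/index.php with a
PHPSESSID parameter. The proxy log format and the benign hosts are assumed;
the shadowed host names come from slide 15.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Path shapes listed on the slide: /boards/index.php, /topic/viewtopic.php,
# /forums/search.php, /civis/search.php
FORUM_PATH_RE = re.compile(r"^/(boards|topic|forums|civis)/[a-z]+\.php$")
FORUM_PARAMS = {"PHPSESSID"}


def is_third_level(host):
    """True for hosts with exactly one label beyond a registrable domain,
    e.g. a.example.com. Assumption: the registrable domain is the last two
    labels (no public-suffix list is consulted) and a leading www label is
    not counted as a shadowed subdomain."""
    labels = host.lower().rstrip(".").split(".")
    return len(labels) == 3 and labels[0] != "www"


def score_url(url):
    """Return the list of suspicious traits found in one URL."""
    parts = urlsplit(url)
    reasons = []
    if is_third_level(parts.hostname or ""):
        reasons.append("third-level host")
    if FORUM_PATH_RE.match(parts.path):
        reasons.append("forum-like path")
    if FORUM_PARAMS & set(parse_qs(parts.query)):
        reasons.append("PHPSESSID parameter")
    return reasons


def scan_proxy_log(lines, threshold=2):
    """Return (url, reasons) for every log line whose URL shows at least
    `threshold` traits. Constructed line format: timestamp client method url status."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line, skip it
        url = fields[3]
        reasons = score_url(url)
        if len(reasons) >= threshold:
            hits.append((url, reasons))
    return hits


# Constructed sample log: two benign requests and two matching the slide's
# delivery pattern (host names taken from slide 15, de-fanging removed)
SAMPLE_LOG = [
    "2016-03-01T10:00:01 10.0.0.5 GET https://www.example.org/forums/search.php?q=angler 200",
    "2016-03-01T10:00:02 10.0.0.5 GET http://cdn.example.net/static/app.js 200",
    "2016-03-01T10:00:03 10.0.0.7 GET http://ludeincenvira.buydashcameras.com/boards/index.php?PHPSESSID=3f9a1c 200",
    "2016-03-01T10:00:04 10.0.0.7 GET http://scissorcase-kursfest.flatfeexpress.com/civis/search.php?85285-1 200",
]

if __name__ == "__main__":
    for url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(url, "->", ", ".join(reasons))
```

A single trait is weak evidence on its own (plenty of legitimate sites run forum software, and CDN hosts are third-level names), which is why the scan only reports URLs that combine two or more; in practice the host-name check would be paired with passive DNS age or a public-suffix list rather than the two-label assumption used here.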
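Slide 26 recommends keeping a domain's DNS settings consistent so that the zone contains only legitimate records, which is the control that catches domain shadowing on the victim-registrant side. The script below is an added example rather than anything from the deck: it compares a zone snapshot against an approved baseline and reports every record the baseline does not contain, distinguishing brand-new names (the shadowing pattern) from changed values on known names. The minimal "name TYPE value" zone format, the example.com records and the 198.51.100.77 address are constructed for the example.

```python
"""Detect unexpected DNS records (domain shadowing) by diffing a zone
snapshot against an approved baseline.

Added example (not from the slides). Assumes a zone export in a simple
"name TYPE value" line format and a baseline in the same format; both
inputs below are constructed.
"""
from collections import defaultdict


def parse_zone(text):
    """Parse 'name TYPE value' lines into {(name, type): set(values)}.
    Lines starting with ';' are comments; trailing ';' comments are stripped."""
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            continue  # malformed line, ignore it
        name, rtype, value = fields
        records[(name.lower().rstrip("."), rtype.upper())].add(value)
    return records


def zone_drift(baseline, current):
    """Return (name, type, value, reason) for each record present in the
    current snapshot but absent from the baseline. A name the baseline has
    never seen is tagged 'new name'; an extra or changed value for a known
    name is tagged 'changed value'."""
    baseline_names = {name for (name, _rtype) in baseline}
    findings = []
    for (name, rtype), values in sorted(current.items()):
        expected = baseline.get((name, rtype), set())
        for value in sorted(values - expected):
            reason = "new name" if name not in baseline_names else "changed value"
            findings.append((name, rtype, value, reason))
    return findings


# Constructed approved baseline for example.com
BASELINE = """
; approved records (constructed)
example.com.        A     203.0.113.10
www.example.com.    A     203.0.113.10
example.com.        MX    10 mail.example.com.
mail.example.com.   A     203.0.113.20
"""

# Constructed snapshot: same records plus two a compromised registrar
# account could introduce (random third-level name, extra A on www)
CURRENT = """
example.com.        A     203.0.113.10
www.example.com.    A     203.0.113.10
example.com.        MX    10 mail.example.com.
mail.example.com.   A     203.0.113.20
ludeincenvira.example.com.  A   198.51.100.77
www.example.com.    A     198.51.100.77
"""


def report():
    """Drift between the constructed baseline and snapshot."""
    return zone_drift(parse_zone(BASELINE), parse_zone(CURRENT))


if __name__ == "__main__":
    for name, rtype, value, reason in report():
        print(f"{reason:14} {name} {rtype} {value}")
```

Run on a schedule against the registrar's API or a zone transfer, a "new name" finding with a short-lived, random-looking label is the signal the slide's examples show; a "changed value" on an existing name is the quieter variant where an attacker adds a second A record to a real host.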

Editor's notes

  1. As a rule, the operation of such an exploit involves saving a malicious file, usually a dropper or downloader, on the hard drive. However, in this case we were in for a surprise: no new files appeared on the hard drive. After seizing all necessary privileges on the victim computer, the exploit does not install malware on the hard drive using Java. Instead, it uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process. The address from which the library is to be downloaded is encrypted in the iframe that was included in the JS script downloaded from AdFox.ru
  2. CVE-2016-0034: Microsoft Silverlight 5 before 5.1.41212.0 mishandles negative offsets during decoding; CVE-2015-8651, CVE-2015-8446, CVE-2015-7645, CVE-2015-5560, CVE-2015-0313: Flash Player; CVE-2015-2419: IE