10. MULTI-TIERED DEFENSE
Talos is divided into 5 departments
• Inbound & Outbound Feeds
• Internal Systems & Development Operations
• All Detection Content Delivery
• Data Analytics & Correlation
• Threat Actor Attribution
• Open Source Community
• Detection & Prevention Content
• Vulnerability Research
• Malware Research
• Detection Research
• Policy Improvements
• Discovery
• Triage
• Exploit Development
• Mitigations
• Thought Leadership
• Consistent, Repeatable Security Messaging
• Threat Reports
• Media Relations
• Intelligence Systems
• Web & Email Intelligence
• Sandbox
• Engine Development
• ClamAV Development
11. Open Source
Public Facing Tools
• Threat detection and prevention: Snort, ClamAV, Razorback, & Daemonlogger
• Vulnerability detection and mitigation: Moflow, FreeSentry
16. LEADING THREAT INTELLIGENCE
Windows 10 Spam
• Talos is a key differentiator
• Unparalleled visibility
• Quick and effective detection & response
17. LEADING THREAT INTELLIGENCE
SSHPsychos
• Brute force SSH attacks until password guessed
• 300K unique passwords
• Login from different address space
• Drop DDoS rootkit on server
• Accounted for 1/3 of all SSH traffic ON THE INTERNET
[Chart: SSH Brute Force Attempts]
19. LEADING THREAT INTELLIGENCE
PoSeidon
• Scans Point-of-Sale devices for credit card numbers
• Risk for large organizations and small mom-and-pop establishments
21. LEADING THREAT INTELLIGENCE
Rombertik
• Multiple layers of obfuscation
• Hooks into user’s browser to read credentials & other sensitive info
• Propagates via spam and phishing
30. Domain Shadowing
Domain Shadowing
• Using subdomains of legitimate domains (e.g. bad.legit.com)
• Advanced evasion of blacklisting technologies
• Actors using random subdomain names
• Hundreds of domain registrant accounts compromised
• Thousands of affected domains
• Delivered via malvertising
• Multiple tiers of subdomains being used for redirection
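The slide describes shadowed subdomains as random-looking labels stacked under long-established registered domains, sometimes several tiers deep. The following is an added detection sketch, not Talos code: it runs over a constructed list of hostnames (the `legit-retailer.example` and `other-corp.example` names are invented), scores each leftmost label for randomness with a simple entropy-plus-digit heuristic, and reports registered domains that carry several such labels, along with the deepest subdomain tier seen. The registered-domain split is a deliberate simplification (last two labels); a production version would use the Public Suffix List.

```python
import math
from collections import defaultdict

# Constructed sample of hostnames from proxy/DNS telemetry (not real data).
# legit-retailer.example stands in for an established domain whose registrant
# account was compromised; the random labels below it are the shadowed hosts.
SAMPLE_HOSTS = [
    "www.legit-retailer.example",
    "shop.legit-retailer.example",
    "a8f3kq2z.legit-retailer.example",
    "p0x7mn1v.q3z9.legit-retailer.example",   # two tiers of subdomain
    "k2j8wd4r.legit-retailer.example",
    "w5tq8ybn.legit-retailer.example",
    "mail.other-corp.example",
    "www.other-corp.example",
]

def registered_domain(host):
    """Simplified eTLD+1: the last two labels (a real tool would consult the PSL)."""
    return ".".join(host.split(".")[-2:])

def label_entropy(label):
    """Shannon entropy (bits per character) of a single DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for c in label:
        counts[c] += 1
    n = len(label)
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def looks_random(label, min_entropy=2.8):
    """Heuristic: human-chosen labels (www, shop, mail) rarely mix digits
    with high character diversity; generated ones usually do."""
    has_digit = any(c.isdigit() for c in label)
    return has_digit and label_entropy(label) >= min_entropy

def shadowed_domains(hosts, min_random_subs=3):
    """Return registered domains carrying >= min_random_subs random-looking
    leftmost labels, with the deepest subdomain tier observed for each."""
    random_subs = defaultdict(set)
    max_tiers = defaultdict(int)
    for host in hosts:
        base = registered_domain(host)
        labels = host[: -len(base) - 1].split(".") if host != base else []
        max_tiers[base] = max(max_tiers[base], len(labels))
        if labels and looks_random(labels[0]):
            random_subs[base].add(labels[0])
    return {b: {"random_subdomains": sorted(s), "max_tiers": max_tiers[b]}
            for b, s in random_subs.items() if len(s) >= min_random_subs}

if __name__ == "__main__":
    for base, info in shadowed_domains(SAMPLE_HOSTS).items():
        print(base, info)
```

Flagged registered domains are candidates for a registrant-side check (unexpected DNS records) rather than for outright blocking, since the parent domain itself is legitimate.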
33. Overview
• Deep Data Analytics July 2015
• Telemetry from compromised users
• ~1000 Sandbox Runs
• July 2015
• Angler underwent several URL changes
• Multiple “Hacking Team” 0-Days added
• Ended with tons of data
34. Detection Challenges
• Hashes
  • Found 3,000+ unique hashes
  • 6% in VT
  • Most detection <10
• Encrypted Payloads
  • Using Diffie-Hellman key exchange to encrypt the IE exploit
  • Unique to each user
• Domain Behavior
  • DDNS
  • Domain Shadowing
  • Adversary Owned Domains
  • Hard Coded IP
41. Breakthrough
• Partnered with Limestone Networks
  • Gathered images of systems
  • Network captures
• Level 3
  • Continued collaboration after SSHPsychos
  • Netflow data key to investigation
• Undiscovered findings directly related to the data
  • Proxy server configuration
  • Health monitoring
In the history of the MITRE CVE project (the last 15 years) there are only 75,544 CVEs as of this morning; WE detect 1.1m PER day, and that number is increasing daily.
This is a setup slide. It's meant to set the basic tone: that there are a lot of threats out there that people have to keep track of. While this is probably common knowledge to any security-educated crowd, there are numerous customers who just expect us to do our mission in slide 2. This outlines what types of things we have to pay attention to in order to execute on that mission.
It's not meant to be inclusive; it's just a sampling of stats that outline the security problem.
2,557,767 blocks/sec counting spam
Notes on new numbers:
19.6 Billion Threats blocked per day = Web Blocks + Spam w/ Malicious attachment
2.5 Million Threats blocked per second = The 19.6 Billion blocks + all Spam messages with attachments or not
Intelligence powers everything. From the previous slide we pull in tons of data; Intel helps consolidate and make sense of that data.
Detection research then utilizes that data to fuel all the security products they support. They have reverse engineers, malware analysts, domain reputation experts, and spam experts who take that distilled data and turn it into something actionable.
Development works on engines that help deliver our intelligence to all the platforms: either APIs, backend engines that detect known and unknown threats, or actual in-field detection engines that are deployed on platforms. They are fueled by the intelligence and the under-fire experience of the response team.
Vulnerability Development. These guys are the zero-day hunters. They help us find new threats before the bad guys do, make sure our response teams know about them so they are covered in the products and our customers are protected, and work on new and innovative ways to help protect our customers through the development of mitigations for classes of vulnerabilities.
At a glance, we help build, support, and create these public-facing tools that are used every day.
We have also released tools that help detect and mitigate vulnerabilities, such as FreeSentry, which is designed to detect use-after-free vulnerabilities in code.
Open intelligence
The payload, if users executed it, was CTB-Locker ransomware.
This is a quickly growing ransomware variant.
One key difference is that it uses elliptic curve based encryption rather than RSA, which is common for ransomware.
It still uses public/private key technology; elliptic curve just has lower overhead and allows stronger encryption with shorter keys.
It still relies heavily on Tor and Bitcoin.
Identified an SSH brute force group from our honeypot network.
A /23 of address space was generating huge amounts of SSH traffic.
At points it was more than 1/3 of all SSH traffic on the Internet.
The basic attack vector was to brute force using 300K unique passwords.
Once a password was guessed the brute forcing stopped, a new IP logged in and downloaded a DDoS agent rootkit.
After observing the behavior for several months Cisco Talos decided we needed to take action.
We engaged Level 3 Communications.
Level 3 verified the behavior that we observed.
Worked to coordinate a null route of the traffic.
The group suddenly pivoted to new address space.
Worked as a team to remove both address spaces as much as possible.
Talk about spreading via targeted emails.
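The SSHPsychos pattern above has a distinctive shape in host logs: a burst of failed passwords for one account from the guessing range, then the guessing stops and an accepted login for that account arrives from a different address. The following is an added detection example, not Talos code; it parses a constructed sshd auth-log excerpt (the hostnames, PIDs and addresses are invented, using documentation IP ranges) and raises an alert only when an accepted login follows a failure burst for the same user and comes from an IP that was not among the guessers.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log excerpt (not real telemetry). 203.0.113.0/24 plays
# the guessing range; 198.51.100.7 is the separate "login" host.
SAMPLE_LOG = """\
Jul  3 10:00:01 host sshd[101]: Failed password for root from 203.0.113.10 port 4101 ssh2
Jul  3 10:00:02 host sshd[102]: Failed password for root from 203.0.113.10 port 4102 ssh2
Jul  3 10:00:03 host sshd[103]: Failed password for root from 203.0.113.11 port 4103 ssh2
Jul  3 10:00:04 host sshd[104]: Failed password for root from 203.0.113.10 port 4104 ssh2
Jul  3 10:00:05 host sshd[105]: Failed password for root from 203.0.113.11 port 4105 ssh2
Jul  3 10:00:06 host sshd[106]: Failed password for root from 203.0.113.10 port 4106 ssh2
Jul  3 10:00:30 host sshd[107]: Accepted password for root from 198.51.100.7 port 5000 ssh2
Jul  3 11:00:00 host sshd[108]: Accepted publickey for alice from 192.0.2.5 port 6000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port"
)

def parse(log, year=2015):
    """Yield (timestamp, result, user, ip) for every sshd auth line that matches.
    Syslog lines carry no year, so one is supplied by the caller."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def find_bruteforce_handoff(log, min_failures=5, window_secs=600):
    """Alert when an Accepted login for a user follows >= min_failures failed
    attempts for that user inside window_secs AND the accepting IP is not one
    of the guessing IPs. Logins with no preceding burst are ignored."""
    failures = defaultdict(list)   # user -> [(timestamp, source ip)]
    alerts = []
    for ts, result, user, ip in parse(log):
        if result == "Failed":
            failures[user].append((ts, ip))
            continue
        recent = [(t, i) for t, i in failures[user]
                  if 0 <= (ts - t).total_seconds() <= window_secs]
        guessers = {i for _, i in recent}
        if len(recent) >= min_failures and ip not in guessers:
            alerts.append({"user": user, "login_ip": ip, "failures": len(recent),
                           "guess_ips": sorted(guessers), "at": ts.isoformat()})
    return alerts

if __name__ == "__main__":
    for a in find_bruteforce_handoff(SAMPLE_LOG):
        print(a)
```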
Over the past 1.5 years we’ve seen many reports on payment card data breaches in some fashion or form.
Obviously, the two biggest names that come to mind are the Target and Home Depot breaches in 2013 and 2014 respectively, but there are many, many more.
A quick Google search for this year alone turns up 17,000 results.
One notable trend that Talos has observed is that retailers are no longer the only target. PoS providers are now feeling the pressure and are being targeted by threat actors.
Our original research into PoSeidon was delivered to Talos from the Incident Response Group here at Cisco.
We aren’t able to discuss the attack vectors associated with that attack.
However, after disclosure the group started to expand its targets, and RSA recently published a report identifying one of the delivery methodologies.
Here you can see a typical spear phishing email, purporting to come from a well-known restaurant in New York City, sent to a popular Point of Sale vendor.
This is another great example of how these threats are targeted at specific organizations and users.
PoSeidon is a new malware family targeting PoS systems; it infects machines to scrape memory for credit card information and exfiltrate that data to servers.
We found this threat via Incident Response by Cisco Security Solutions.
There are multiple components to PoSeidon, which are illustrated here.
At a high level, it starts with a Loader binary that, upon being executed, will first try to maintain persistence on the target machine in order to survive a possible system reboot.
The Loader then contacts a command and control server, retrieving a URL which contains another binary to download and execute. The downloaded binary, FindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers. Upon verifying that the numbers are in fact credit card numbers, keystrokes and credit card numbers are encoded and sent to an exfiltration server.
As researchers have become more adept and efficient at malware analysis, attackers have been forced to find methods to evade static, dynamic, and automated analysis tools and complicate analysis. It’s a constant back and forth. (Like the cliché “arms race”.)
A recent example of these behaviors is a malware sample Talos has identified as Rombertik.
Rombertik is a complex piece of malware that is designed to hook into the user’s browser to read credentials and other sensitive information for exfiltration to an attacker-controlled server, similar to Dyre.
Rombertik has been identified to propagate via spam and phishing messages sent to would-be victims. Attackers use social engineering tactics to entice users to download, unzip, and open the attachments that ultimately result in the user’s compromise.
In this sample, the attackers attempt to convince the user to check the attached documents to see if their business aligns with the target user’s organization.
While this file may appear to be some sort of PDF from the icon or thumbnail, the file is actually a .SCR screensaver executable that contains Rombertik.
Once the user double clicks to open the file, Rombertik will begin the process of compromising the system.
Rombertik incorporates several layers of obfuscation along with anti-analysis functionality. Attackers included garbage code to inflate the volume of code an analyst might have to review and analyze. To give you an idea of the complexity that’s in the binary…
In this case, the unpacked Rombertik sample is 28KB while the packed version is 1264KB. Over 97% of the packed file is dedicated to making the file look legitimate by including 75 images and over 8000 functions that are never used. This packer attempts to overwhelm analysts by making it impossible to look at every function. To give you an idea, the graph on the left represents the interwoven functions within the unpacking code that is decrypted to memory.
The control flow graph on the right represents the anti-analysis checks. These 23 basic blocks represent the 930 million writes, 335 thousand API calls, checking ZwGetWriteWatch, and checking file and usernames. All of this functionality fits in this rather simple graph, where the red block is only executed if all of the checks were satisfied.
A typical function has less than 20 nodes (basic blocks) and would normally be easy to see how all basic blocks relate to each other.
Upon execution, Rombertik will stall by writing a byte of random data to memory 960 million times. After stalling, Rombertik will check to see if analysis tools have modified code in the Windows API ZwGetWriteWatch routine (to see if it is running within a sandbox). Then, Rombertik will call the Windows API OutputDebugString function 335,000 times as an anti-debugging mechanism. Finally, an anti-analysis function within the packer is called to check the username and filename of the executing process for strings like “malwar”, “sampl”, “viru”, and “sandb”. If the packer detects any of these substrings, it will stop unpacking and terminate. Once these checks are complete, Rombertik will proceed to decrypt and install itself on the victim’s computer.
After installation and before Rombertik begins the process of spying on users, Rombertik will perform one last check to ensure it is not being analyzed in memory. If this check fails, Rombertik will attempt to destroy the Master Boot Record and restart the computer to render it unusable. (More on this bit later.)
A particularly nasty analysis check we found during analysis happens right after Rombertik installs itself and before it begins spying on users.
The function computes a 32-bit hash of a resource in memory, and compares it to the PE Compile Timestamp of the unpacked sample. If the resource or compile time has been altered, the malware acts destructively. It first attempts to overwrite the Master Boot Record (MBR) of PhysicalDisk0, which renders the computer inoperable.
If the malware does not have permissions to overwrite the MBR, it will instead destroy all files in the user’s home folder (e.g. C:\Documents and Settings\Administrator\) by encrypting each file with a randomly generated RC4 key. After the MBR is overwritten, or the home folder has been encrypted, the computer is restarted.
The Master Boot Record starts with code that is executed before the Operating System. The overwritten MBR contains code to print out “Carbon crack attempt, failed”, then enters an infinite loop preventing the system from continuing to boot.
2.0
• Encrypted binary
• Anti-VM check
• Uses TOR for command & control
• Runs 32-bit & 64-bit code simultaneously
3.0
• No VM check, no 64-bit code
• Still has encrypted binary
• Uses TOR & I2P for C&C
To avoid detection, the Cryptowall binary is actually encrypted and must go through a couple of decryption steps before it will actually run on the system.
The dropper in this version was streamlined compared with the previous version of Cryptowall. The lack of exploits in the dropper indicates that this new version is being spread via exploit kits.
When the Cryptowall software does run, it uses TOR, as well as I2P, to handle the command & control traffic. I2P is a new addition in this version. Using these anonymous networks makes it more difficult to identify the C&C traffic on the network.
Ransomware is a growing threat to computer users. Variants continue to evolve and change in functionality. Constant research is necessary to develop updated signatures and rules to combat these constant attacks.
Identifying and stopping these new complex variants requires a layered security approach. Breaking any step in the attack chain will successfully prevent this attack. Therefore, blocking the initial phishing emails, blocking network connections to known malicious content, and stopping malicious process activity are all critical to combating ransomware and preventing it from holding your data hostage.
Also of note is the use of subdirectories here. Finally, as of August 5th, Angler has added one more file, index.php. All of the current URL syntax for landing pages look like normal web traffic and that is no accident. It is much easier to trick users and detection technologies by making the URLs look like legitimate, common web traffic. The Angler exploit kit continues to shine with this methodology.
Not surprisingly, the overwhelming majority of the exploits Angler was serving were tied to Adobe Flash. Almost 75% of the exploits served to users were Adobe Flash related. This was an expected outcome, with two Adobe Flash 0-days (CVE-2015-5119, CVE-2015-5122) being leveraged by Angler during the month. The two remaining exploit groups were somewhat surprising. The second largest group was related to the Internet Explorer vulnerability CVE-2014-6332, which accounted for a little more than 20% of the infections. The final group was the most surprising, with approximately 2% of users being served Silverlight exploits. This indicates that the three classes of exploit being leveraged by Angler were Flash, IE, and Silverlight. The one shocking omission from that group was Java. Historically Angler, and most exploit kits, have continued to exploit Java, largely because there is still a significant pool of users running older, vulnerable versions of Java.
A vulnerability in Microsoft Windows could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. An unauthenticated, remote attacker could exploit this vulnerability by convincing a targeted user to view a malicious document. The processing of the document could trigger memory corruption that the attacker could use to execute arbitrary code on the system with the privileges of the user. Functional code that exploits this vulnerability is available as part of the Metasploit framework.
These exploit kits are continuing to evolve.
More evidence that the gap between the noise and the sophisticated threats is narrowing.
The addition of tech support phone scams points to more direct monetization of hacking.
The end goal is to compromise as many systems as quickly and efficiently as possible.