CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day

© 2016 ThreatConnect, Inc. All Rights Reserved | All material confidential and proprietary
@ThreatConnect
Lots of Squats:
APTs Never Miss Leg Day
March 17, 2017

Agenda
• Spoofed domains
• Notable breaches
• Tools
• Strategic view of spoofed
domain registrations
• Tactical view
• Conclusions

3
The First Look
Vulnerability
Rescuing Leia
• Because everything has a Star Wars corollary
Spoofed domains
• Exploit the inherent and immediate trust that we place in the
familiar
• Target the organization or another organization/technology
pertinent to operation
Types
• Typosquats
• Look alikes
• Letter swaps
• Sticky keys

4
A) gooqle.com
B) googIe.com
C) qoogle.com
D) gcogle.com
Pop Quiz
Example

5
Pop Quiz
Example
gooqle.com
gI
qoogle.com
Use a lowercase “Q” in place of a “g”
gooqle.com
qoogle.com

6
Pop Quiz
Example
Use a “c” in place of an “o”
gcogle.com

7
Pop Quiz
Example
Use an uppercase “i” instead
of a lowercase “L”
googIe.com

8
Advanced
Persistent
Threats (APTs)
Everybody’s doing it
• China
• Russia
Why
• Relatively cheap
• Easy to do
• Effective
• Can obfuscate origin
Operations
• Delivery
• Exploitation
• Command and control
Notable breaches
• Anthem/BCBS entities
• OPM
• DNC/DCCC
Operation types
• Credential harvesting
• Malware dissemination

9
Notable
Breaches
China – DEEP PANDA
Anthem/BCBS
• we11point[.]com
• prennera[.]com
• Chinese registrant resellers
OPM
• opm-learning[.]org
• opmsecurity[.]org
• The Avengers registrants
Russia – FANCY BEAR
DNC/DCCC
• misdepatrment[.]com
• actblues[.]com
• Fake personas

10
So What?
Has become a TTP
• Specific actors employing spoofing against specific sectors
• There is a trend to look for
Domain registration precedes operation
• Timeline varies
Operationalize domain registration information
• WHOIS as threat intelligence

11
We’re Not Playing Whack-a-Mole
Simply reacting on a one-off basis won’t suffice
• Active state
• Predictive state
Leveraging domain registrations as threat intel
• Higher-level strategic intelligence
• Informs organizational or sector awareness
• In-depth tactical intelligence
• Provides situational awareness during incidents
Operationalize domain registration information
• Trends in spoofed domain registrations
• Identifying and leveraging APT TTPs

12
Tools of
the Trade
DNSTwist and URLCrazy
• Open source
• Identify spoofed domains for a
given domain
DomainTools
• WHOIS
• Typo Finder
• Reverse NS Lookup
• IRIS

Domain Registrations
as Strategic Intel

14
Trends in Registrations
Process
• Identify all domains registered during a given
timeframe that spoof provided domains
• Get WHOIS information for all domains
• Registrant, registrar, create date, registrant email
address, country of origin
• Used Excel
• Remove legitimate registrations as possible
• Investigate WHOIS information to identify trends or
patterns
• Correlate possible spikes in activity to current events
Hypothesis
• Keeping track of all of the
spoofed domains targeting a
given organization or sector can
help identify potential activity
against that organization or
sector.

15
Organizational
Example
Research
• Spoofed domains targeting Anthem BCBS
legitimate domains
• 10 domains/organizations
Anthem BCBS Identified
• Over 1400 spoofed domains
• Over 280 in 2015
• 59 of which came from China

16
Number of Spoofed Domain Registrations from China Targeting BCBS Entities, 2015

17

18

19
Sector Example
Research
• Spoofed domains targeting six major
pharmaceutical companies
Pharmaceutical
Industry Identified
• Over 2000 spoofed domains
• 304 in 2015
• At least 70 from China

20
Findings
Novartis – March 2015
• Three spoofed domains in March
• FDA approves first biosimilar drug
• Beijing lifts price controls on pharmaceuticals
Lilly – November 2015
• Eight spoofed domains in Oct
• Twelve in Nov
• Eli Lilly and China's Innovent expand partnership
• FDA approves cancer drug
Sanofi – April 2016
• Twelve spoofed domains in April
• Two rest of 2016
• Bids for Medivation
• Eczema drug clears trials

21
What Does This Mean for an Org/Sector?
Spikes in registration activity
• Potentially portend malicious activity
• Necessitate heightened
awareness
• May not be malicious
• May be related to non-cyber events
• Situational awareness for sectors
WHOIS
• Registrants, email addresses for tracking
• Identify other domains that individuals
targeting your organization register
Helps identify threats
• Consistencies with previously identified APTs
• Capabilities, TTPs, and other infrastructure
to be aware of

Domain Registrations
as Tactical Intel

23
Pivoting from One Spoofed Domain to Others
Process
• Identify spoofed domain that is particularly suspicious
or has been leveraged in malicious activity
• Get WHOIS and/or SOA information for domain
• Registrant, registrar, create date, registrant email
address, country of origin, name server, etc.
• Identify the most unique registration information
• Pivot to other domains using the most unique
registration information
Hypothesis
• WHOIS information for an
encountered spoofed domain
can help us identify an actor’s
other spoofed domains that may
be leveraged against the same or
other targets.

24
DNC and DCCC Attacks
DNC
• CrowdStrike analysis from mid June
• Identified a FANCY BEAR IP
address
• ThreatConnect identified
misdepatrment[.]com
• Spoofs MIS Department
DCCC
• Reporting from mid July identified that same
actors compromised DCCC
• Used spoofed domain targeting donation
website
• Fidelis identified actblues[.]com vs
actblue[.]com
• Registered day after DNC attack
publicized

25
WHOIS/SOA Information for FB Domains
misdepatrment[.]com actblues[.]com

26
What Can We Pivot from that is Unique?

27
httpconnectsys[.]com
fastcontech[.]com
intelsupportcenter[.]com
intelsupportcenter[.]net

28
fastcontech[.]com

29
fastcontech[.]com

30
fastcontech[.]com

Domains4Bitcoins
(1a7ea920.bitcoin-dns.hosting)
• Bitcoins
• ~2500 domains
• Previous associations to FB
•militaryobserver[.]net
•sysprofsvc[.]com
•euronews24[.]info
•naoasch[.]com
•storsvc[.]org
ITitch (ns1.ititch.com)
• Bitcoins
• ~2100 domains
31
Name Servers

32
Hundreds of Spoofed Domains on Name Servers
• access-google[.]com
• actblues[.]com
• adobeflashdownload[.]de
• adobeflashplayer[.]me
• adobeflashplayer[.]space
• adobeupdater[.]org
• adobeupdatetechnology[.]com
• adoble[.]net
• akamaitechnologysupport[.]com
• akamaitechupdate[.]com
• appclientsupport[.]ca
• appleappcache[.]com
• appleauthservice[.]com
• applerefund[.]com
• archivenow[.]org
• bbcupdatenews[.]com
• bit-co[.]org
• bitsdelivery[.]com
• buy0day[.]com
• cdn-google[.]com
• cdncloudflare[.]com
• cloudfiare[.]com
• dynamicnewsfeeds[.]com
• ebiqiuty[.]com
• egypressoffice[.]com
• eigsecure[.]com
• facebook-profiles[.]com
• flashplayer2015[.]xyz
• goaarmy[.]org
• govsh[.]net
• great-support[.]com
• hackborders[.]net
• helper-akamai[.]com
• honeyvvell[.]co
• intelintelligence[.]org
• intelsupportcenter[.]com
• intelsupportcenter[.]net
• login-hosts[.]com
• logmein-careservice[.]com
• marshmallow-google[.]com
• micoft[.]com
• microsoft-updates[.]me
• mofa-uae[.]com
• ms-drivadptrwin[.]com
• ms-sus6[.]com
• ms-updates[.]com
• nato-org[.]com
• natoadviser[.]com
• new-ru[.]org
• newflashplayer2015[.]xyz
• passwordreset[.]co
• pdf-online-viewer[.]com
• sec-verified[.]com
• securesystemwin[.]com
• securityresearch[.]cc
• services-gov[.]co[.]uk
• social-microsoft[.]com
• socialmedia-lab[.]com
• symantecupdates[.]com
• terms-google[.]com
• theguardiannews[.]org
• theguardianpress[.]com
• thehufflngtonpost[.]com
• vortex-sandbox-microsoft[.]com
• vpssecurehost[.]com
• win-wnigarden[.]com
• wincodec[.]com
• windowsnewupdated[.]com
• winliveupdate[.]top
• winninggroup-sg[.]com
• wm-z[.]biz
• wmepadtech[.]com
• wsjworld[.]com
• yourflashplayer[.]xyz

33
Subset for 1&1 Email Domains
Domains4Bitcoins
(1a7ea920.bitcoin-dns.hosting)
• akamaitechnologysupport[.]com
• akamaitechupdate[.]com
• micoft[.]com
• ms-drivadptrwin[.]com
• ms-sus6[.]com
• securesystemwin[.]com
• wmepadtech[.]com
• natoadviser[.]com
• theguardiannews[.]org
• wsjworld[.]com
ITitch (ns1.ititch.com)
• bitsdelivery[.]com
• apptaskserver[.]com
• aptupdates[.]org
• contentupdate[.]org
• defenceglobaladviser[.]com
• dowssys[.]com
• gmailservicegroup[.]com
• i-aol-mail[.]com
• msmodule[.]net
• officeupdater[.]com
• systemsv[.]org
• updmanager[.]net

34
What Does This
Mean for an
Org/Sector?
Relevant threat intelligence
• During incidents
• Actor pivoting
• Historical registrations for reviewing previous activity
WHOIS
• Identify other domains that individuals targeting your
organization register
Future tracking
• Registrant email addresses
• Name servers
• Confluence of WHOIS information

35
Caveats
Findings merit additional research
• Spoofed domains are not necessarily malicious
• Tracking domains may help identify if/when they are operationalized
• Hosting information
• Slice and dice the WHOIS
Legitimate domains
• Some domains, like lilly.com, inherently have false positives
• Baseline activity to identify spikes
• Also requires an understanding of your organization’s assets
Importance of sharing
• Impossible to do this type of research for all of the
organizations/technologies that your organization may be involved with
• Sharing intelligence derived from this type of research facilitates other
organizations’ defensive efforts

36
Conclusions
Leverage intelligence
from spoofed domain
registrations
Not cost prohibitive
• Lower amount of resources
• Some tools openly available
Strategic and tactical
research
• Focuses on a common TTP
• Provides situational and tactical
awareness
Helps defend your
organization and others
• Sharing is caring
• Cyber security karma

CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day

Similaire à CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day (20)

Plus de CanSecWest

Plus de CanSecWest (9)

Dernier

Dernier (20)

CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day