Michal will take you on a journey all the way to the '90s and back, sharing the Mozilla detection framework - a systematic way to detect and hunt down threat actors. Why did we spend hours digging through some old Phrack issues? How does a blue team member approach writing rootkits? What is better - a false negative or a false positive? I will share answers to these questions plus a lot of alerting and evil-doing code.
6. Timing is everything
Mozilla Confidential
T+0000 - Emails land in GSuite
T+0234 - First report received
T+0241 - First DNS lookup for the landing domain (no bueno, training worked!!)
T+0253 - First victim
7. Response -> contain the attack
Stop the bleeding!!
If you break the glass & cut your hand: stop the bleeding -> clean the wound
Gmail logs -> move away from user’s inboxes
8. Response
Detection question -> Data source -> Response
Who received? -> Gmail logs -> move away from user's inboxes
Who clicked? -> Zeek DNS logs -> Zeek DHCP logs / VPN logs -> Radius logs
Identify victims and attacker's IPs -> Auth logs -> block + monitor sender + attacker's IPs; lock accounts + kill sessions
Other emails?
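As an added example (not code from the talk), the "who clicked?" step above: join Zeek's dns.log with dhcp.log to name the host behind each lookup of the landing domain, picking the lease that actually held the IP at lookup time so a reused address is not blamed on the wrong machine. Assumes Zeek's JSON log output with its documented field names; the domain, addresses and log lines are constructed.

```python
import json

# Constructed sample lines in Zeek's JSON log format (field names as in dns.log / dhcp.log).
LANDING_DOMAIN = "login-mozila.example"  # placeholder for the phishing landing domain
DNS_LOG = [
    '{"ts":1575000100.0,"id.orig_h":"10.0.0.5","query":"www.mozilla.org"}',
    '{"ts":1575000241.0,"id.orig_h":"10.0.0.5","query":"login-mozila.example"}',
    '{"ts":1575000253.0,"id.orig_h":"10.0.0.9","query":"login-mozila.example"}',
    '{"ts":1575000300.0,"id.orig_h":"10.0.0.5","query":"cdn.login-mozila.example."}',
]
DHCP_LOG = [
    '{"ts":1574990000.0,"assigned_addr":"10.0.0.5","mac":"aa:bb:cc:00:00:01","host_name":"bob-laptop","lease_time":3600.0}',
    '{"ts":1574999000.0,"assigned_addr":"10.0.0.5","mac":"aa:bb:cc:00:00:02","host_name":"alice-laptop","lease_time":3600.0}',
    '{"ts":1574999500.0,"assigned_addr":"10.0.0.9","mac":"aa:bb:cc:00:00:03","host_name":"carol-desktop","lease_time":3600.0}',
]

def lookups_for(domain, dns_lines):
    """Yield (ts, client_ip) for each query of the domain or any subdomain of it."""
    for line in dns_lines:
        rec = json.loads(line)
        q = rec.get("query", "").rstrip(".").lower()
        if q == domain or q.endswith("." + domain):
            yield rec["ts"], rec["id.orig_h"]

def lease_at(ip, ts, dhcp_lines):
    """Return (mac, host_name) of the lease holding `ip` at time `ts`: the newest
    lease issued before `ts` that had not expired yet, so an IP later reused by
    another host is attributed to the right machine."""
    best = None
    for line in dhcp_lines:
        rec = json.loads(line)
        if rec.get("assigned_addr") != ip or rec["ts"] > ts:
            continue
        if rec["ts"] + rec.get("lease_time", 0) < ts:
            continue  # lease had expired before the lookup happened
        if best is None or rec["ts"] > best["ts"]:
            best = rec
    return (best["mac"], best["host_name"]) if best else None

def who_clicked(domain, dns_lines=DNS_LOG, dhcp_lines=DHCP_LOG):
    """Attribute every lookup of the landing domain to a host. Returns sorted
    (ts, ip, mac, host_name); mac/host are None when no lease covers the IP,
    which is when the slide's VPN / Radius logs come in."""
    hits = []
    for ts, ip in lookups_for(domain, dns_lines):
        mac, host = lease_at(ip, ts, dhcp_lines) or (None, None)
        hits.append((ts, ip, mac, host))
    return sorted(hits)
```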
9. Timing is everything
T+0309 - Attack contained
T+0327 - Threat Actor eradicated
T+late night - Pizza arrived
10. A dedicated infrastructure
21 domain names
Several hosting platforms
Multiple sources of credentials verification
Manually executed attack
Threat actors realized we’ve got them <- tried to “secure” access
11. This story ends here
Have the access that you need
Be able to pull people into IR quickly
Deploy alerts quickly
Research the threat actor's infrastructure afterwards
Are you prepared?
23. Are We Yet?
are we fun yet
are we chrome yet (?)
are we pretty yet
are we dead yet (??)
are we slim yet
24. Are We Pwned Yet? ;)
AWPY
1. Are We Pwned Yet? ;)
2. An alert analysis & response duty
25. Challenges
Too many alerts
Context-only alerts I cannot believe
X is not owned
A skilled threat actor looks like a skilled sysadmin :)
A skilled sysadmin looks like a skilled threat actor (:
29. Fysbis - Linux Sofacy backdoor
CVE-2016-0728
/bin/rsyncd or /bin/ksysdefd
~/.config/dbus-notifier/dbus-inotifier
/usr/lib/systemd/system/rsyncd.service
~/.config/autostart/dbus-inotifier.desktop
/usr/lib/cva-ssys
mozilla-plugins.com:80 / mozillaplagins:80
azureON-line.com:80 / 198.105.125.74
30. Fysbis - Linux Sofacy backdoor: detection?
Unique file and process? -> /bin/rsyncd or /bin/ksysdefd, ~/.config/dbus-notifier/dbus-inotifier, /usr/lib/cva-ssys
New systemd service -> /usr/lib/systemd/system/rsyncd.service, ~/.config/autostart/dbus-inotifier.desktop
Writes to a TCB -> /bin, /usr/lib, /usr/lib/systemd/system
Unique destinations -> mozilla-plugins.com:80 / mozillaplagins:80, azureON-line.com:80 / 198.105.125.74
CVE-2016-0728
31. Speaking of the not-so-Fancy Bear, AKA Sofacy
They are lame!!
So are most analyses
Hi Kaspersky, Palo Alto, TrendMicro
That Linux "Fysbis" backdoor
Go read the phrack, will ya?
Stealthy as Rudy 102
I've seen better bitcoin miners
36. A Linux rootkit from Turla
Phrack for life
LOKI2
Raw network traffic
Trivial to detect
Kaspersky's analysis -> facepalm
At least it backdoors something!! <- crond, ntpd
37. Azazel - reused by a Chinese state-actor
LD_PRELOAD
Hooks accept()
If src port == magic
Spawn shell
Is pretty lame
54. A new, systematic approach
I strongly believe people should write algorithms, not execute them
Audit your visibility
Hunt for chains
Automate alerting on IOCs <- hi Eisenhower
Enrich your alerts
71. What does a Linux rootkit do?
Installation
• /tmp, /dev/shm, /run
• /bin, /usr/sbin
• /home
• /var
• Backdoor an ELF
Persistence
• Cron
• .bashrc (some APTs)
• ~/.config/systemd/user
• Systemd timers / services
• Boring services (/etc/init.d)
• Rc.local, etc.
72. APTs, entertain me
If you were cool, you would
• Inject code into a daemon's memory <ptrace()>
• Load a kernel module
• Backdoor the kernel on disk
• Run a kernel exploit, backdoor the kernel in memory
• Backdoor your kernel with direct write access through MSR <- hi Spender
  - in 2019 you cannot write to /dev/mem and /dev/kmem
• IO ports - ioperm()/iopl() <- hi HP
• Through ACPI methods (hardcore) <- Michal calls you cool ;)
73. What if malware is really advanced
- It reinstalls itself on a shredded motherboard
- It attacks us from the cloud
- It hides under sysadmin's skin
Detect steps that lead to the installation!!
75. Detection - execution
• /tmp, /dev/shm, /run
• /bin, /usr/sbin
• Execution from unusual place <- Auditd, TH
• Unusual binary executed <- Auditd, TH
• Unusual process running <- OSQuery, TH
How many of your servers run /sbin/kthread?
76. Detection - persistence
• Cron - new or modify
• .bashrc
• ~/.config/systemd/user - new or modify
• Systemd timers / services - new or modify
• Boring services (/etc/init.d) - new or modify
• Rc.local - modify
• New cron jobs <- syslog - TH
• New systemd services <- syslog - TH
• TCB integrity <- TH
• Unusual process running <- OSQuery - TH
• Checksum crons/service desc/rc* <- automate
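Added example (not from the talk) for the "checksum crons/service desc/rc*" automation on this slide and the "new systemd service" detection on the Fysbis slide: a baseline-and-diff over the persistence locations the slides name. PERSISTENCE_PATHS is an assumption to adjust per host; demo() runs against constructed files in a temp dir.

```python
import hashlib, json, os, tempfile
from pathlib import Path

# Persistence locations named on the slides. Assumption: adjust to the host; ~ expands at scan time.
PERSISTENCE_PATHS = [
    "/etc/crontab", "/etc/cron.d", "/var/spool/cron", "/etc/init.d", "/etc/rc.local",
    "/etc/systemd/system", "/usr/lib/systemd/system", "~/.config/systemd/user",
    "~/.config/autostart", "~/.bashrc",
]

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(paths=PERSISTENCE_PATHS):
    """Map each regular file at or under `paths` to its sha256; unreadable files are skipped."""
    snap = {}
    for p in paths:
        root = Path(os.path.expanduser(str(p)))
        files = [root] if root.is_file() else root.rglob("*") if root.is_dir() else []
        for f in files:
            try:
                if f.is_file():
                    snap[str(f)] = sha256_file(f)
            except OSError:
                pass
    return snap

def diff_snapshots(baseline, current):
    """New/modified/deleted files between two snapshots; a dropped rsyncd.service lands in 'new'."""
    both = set(baseline) & set(current)
    return {"new": sorted(set(current) - set(baseline)),
            "modified": sorted(f for f in both if baseline[f] != current[f]),
            "deleted": sorted(set(baseline) - set(current))}

def demo():
    """Constructed run: baseline a temp dir, then plant a unit file and edit a cron entry."""
    with tempfile.TemporaryDirectory() as tmp:
        root, dirs = Path(tmp), [tmp + "/cron.d", tmp + "/system"]
        (root / "cron.d").mkdir(); (root / "system").mkdir()
        (root / "cron.d" / "backup").write_text("0 3 * * * root /usr/local/bin/backup\n")
        baseline = snapshot(dirs)
        (root / "cron.d" / "backup").write_text("0 3 * * * root /tmp/.cache/kthread\n")
        (root / "system" / "rsyncd.service").write_text("[Service]\nExecStart=/bin/rsyncd\n")
        d = diff_snapshots(baseline, snapshot(dirs))
        return {k: [os.path.relpath(f, tmp) for f in v] for k, v in d.items()}
```

Store the baseline with json.dumps(snapshot()) on a known-good host and diff against it on a schedule; the diff is the alert.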
77. Detection - advanced persistence
• Inject code into a daemon's memory
• Load a kernel module
• Backdoor the kernel on disk
• Run a kernel exploit, backdoor the kernel in memory
• IO ports - ioperm()/iopl()
• Through ACPI methods
• ptrace() <- Audit
• insmod/modprobe <- Auditd + kernel msg
• Write to a TCB <- Audit
• execve() - unusual binary/dir/gcc <- Audit
• ??
78. Rootkit - how do you hide?
Syscall hooking (LD_PRELOAD) <- are-syscalls-hooked-yet
Kernel hooking <- Memory forensics
The Big Hammer:
https://github.com/volatilityfoundation/volatility
https://github.com/google/rekall
https://github.com/504ensicsLabs/LiME
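Added example (not the talk's are-syscalls-hooked-yet tool, whose internals the slide does not show) for the LD_PRELOAD hooking described on the Azazel slide and here: from inside a process, ask where accept() and friends actually resolve to and flag any that land outside libc or the loader, then report the two preload sources. Linux-only; TRUSTED_PREFIXES is an assumption.

```python
import ctypes
import os
from pathlib import Path

# Objects that may legitimately own libc entry points: libc itself, the loader, the vDSO,
# and libpthread (glibc < 2.34 keeps accept()/connect() there). Assumption: anything else
# answering for these symbols is an interposer worth a look.
TRUSTED_PREFIXES = ("libc", "libpthread", "ld-", "ld.so", "[vdso]")

def mapped_objects():
    """Parse /proc/self/maps into (start, end, path) for named mappings (Linux only)."""
    maps = []
    for line in Path("/proc/self/maps").read_text().splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) == 6:
            start, end = (int(x, 16) for x in parts[0].split("-"))
            maps.append((start, end, parts[5]))
    return maps

def owner_of(addr, maps):
    """Path of the mapping that contains addr, or None."""
    return next((path for start, end, path in maps if start <= addr < end), None)

def resolve_owner(symbol, maps=None):
    """Which loaded object does a global lookup of `symbol` (dlsym over the whole process)
    land in? A preloaded library hooking accept() is searched before libc, so it wins."""
    try:
        fn = getattr(ctypes.CDLL(None), symbol)
    except AttributeError:
        return None
    return owner_of(ctypes.cast(fn, ctypes.c_void_p).value, maps or mapped_objects())

def hooked_symbols(symbols=("accept", "connect", "open", "read", "write", "readdir")):
    """[(symbol, owner)] for every symbol that resolves outside libc / the loader."""
    maps = mapped_objects()
    flagged = []
    for sym in symbols:
        owner = resolve_owner(sym, maps)
        if owner and not os.path.basename(owner).startswith(TRUSTED_PREFIXES):
            flagged.append((sym, owner))
    return flagged

def preload_sources():
    """The two places an LD_PRELOAD rootkit gets loaded from; both are normally empty."""
    f = Path("/etc/ld.so.preload")
    return {"LD_PRELOAD": os.environ.get("LD_PRELOAD", ""),
            "/etc/ld.so.preload": f.read_text().strip() if f.is_file() else ""}
```

A hooked hit names the interposing library's path, which is also what to look for in /proc/*/maps across the fleet.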
79. Rootkit - how do you communicate?
Listen or poll <- listen + socket <- audit - unusual
promisc <- syslog + auditd <- alert
RAW socket - no promisc <- audit <- whitelist, alert
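Added example (not from the talk) covering the auditd-based detections on the execution, advanced-persistence and communication slides: one rule pass over auditd SYSCALL records that flags execution from the unusual directories, gcc/insmod/modprobe, ptrace, module loads, raw sockets and listeners outside an allowlist. Syscall numbers are x86_64; the log lines and KNOWN_NETWORK_BINS are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# x86_64 syscall numbers (kernel constants) and the detection inputs named on the slides.
SYS = {"socket": 41, "listen": 50, "execve": 59, "ptrace": 101, "init_module": 175, "finit_module": 313}
SOCK_RAW, SOCK_TYPE_MASK = 3, 0xF   # a1 of socket() also carries SOCK_CLOEXEC / SOCK_NONBLOCK bits
UNUSUAL_DIRS = ("/tmp", "/dev/shm", "/run", "/home", "/var")
UNUSUAL_BINS = {"gcc", "cc", "insmod", "modprobe"}
KNOWN_NETWORK_BINS = {"/usr/sbin/sshd", "/usr/sbin/tcpdump"}   # assumption: per-host allowlist
FIELD = re.compile(r'(\S+?)=("[^"]*"|\S+)')
# Constructed auditd SYSCALL records: exec from /tmp, raw socket by that binary, sshd, insmod.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1575000253.101:1001): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 uid=1000 comm="kthread" exe="/tmp/.cache/kthread" key="exec"',
    'type=SYSCALL msg=audit(1575000254.200:1002): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=80003 a2=6 a3=0 ppid=900 pid=901 uid=0 comm="kthread" exe="/tmp/.cache/kthread" key="net"',
    'type=SYSCALL msg=audit(1575000255.300:1003): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=950 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="exec"',
    'type=SYSCALL msg=audit(1575000256.400:1004): arch=c000003e syscall=313 success=yes exit=0 ppid=900 pid=960 uid=0 comm="insmod" exe="/usr/sbin/insmod" key="mod"',
]

def parse_record(line):
    """One auditd line -> dict of key=value fields (quotes stripped) plus ts and serial."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if (m := re.search(r"audit\(([\d.]+):(\d+)\)", line)):
        rec["ts"], rec["serial"] = m.groups()
    return rec

def alerts_for(rec):
    """Apply the slides' detections to one SYSCALL record; returns a list of alert names."""
    if rec.get("type") != "SYSCALL":
        return []
    sc, exe, out = int(rec.get("syscall", -1)), rec.get("exe", ""), []
    if sc == SYS["execve"]:
        if any(exe == d or exe.startswith(d + "/") for d in UNUSUAL_DIRS):
            out.append("exec-from-unusual-dir")
        if PurePosixPath(exe).name in UNUSUAL_BINS:
            out.append("unusual-binary:" + PurePosixPath(exe).name)
    elif sc in (SYS["init_module"], SYS["finit_module"]):
        out.append("kernel-module-load")
    elif sc == SYS["ptrace"]:
        out.append("ptrace")
    elif sc == SYS["socket"] and (int(rec.get("a1", "0"), 16) & SOCK_TYPE_MASK) == SOCK_RAW:
        if exe not in KNOWN_NETWORK_BINS:
            out.append("raw-socket-not-allowlisted")
    elif sc == SYS["listen"] and exe not in KNOWN_NETWORK_BINS:
        out.append("unusual-listener")
    return out

def scan(lines=SAMPLE_LOG):
    """Return [(serial, exe, alert)] for every record that trips a rule."""
    return [(r.get("serial"), r.get("exe"), a) for r in map(parse_record, lines) for a in alerts_for(r)]
```

Feed it the audit.log lines produced by `-a always,exit -F arch=b64 -S execve,socket,listen,ptrace,init_module,finit_module` style rules and the third tuple element is the alert key.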
81. Everything else
Look for patterns <- reduce your set
Geolocation anomaly detection
Monitor local users and groups for changes
Monitor AD/LDAP admin users and groups
Do not destroy the evidence
Go slowly!!