© 2014, FireEye, Inc. All rights reserved. 1
Tobin Sears, FireEye
Zero-Days, Ghost Malware, and Other Current Trends
FROM THE FRONT LINES: M-TRENDS® 2015
Agenda
By the Numbers
Trend 1: Struggling with Disclosure
Trend 2: Retail in the Crosshairs
Trend 3: The Evolving Attack Lifecycle
Trend 4: Blurred Lines – Criminal and APT Actors Take a Page from Each Others’ Playbook
Ghost Malware and Zero-Days
Note: Some information has been sanitized to protect our clients’ interests.
BY THE NUMBERS
Who’s a Target?
How Compromises Are Being Detected
Dwell Time
24 days less than in 2013
Longest Presence: 2,982 days
APT Phishing
TREND 1: Struggling with Disclosure
Trend 1: Struggling with Disclosure
Mandiant worked with over 30 companies that publicly disclosed a compromise
Public is asking more informed questions
- Attribution
- Malware
- Attacker TTPs
Public speculation starting to affect investigations
Why the Increase in Notifications?
Mandiant worked an increased number of cases where protected data was lost
- Cardholder data, Personally identifiable information (PII), and Protected Health Information (PHI)
- Contractual and legal obligation to notify
69% of victims did not self-detect
- Increased pressure to notify
More companies willing to notify
- Companies feel like it’s the right thing to do
- Being a breach victim is less taboo than in the past
Critical Investigation Questions
Questions you should have answers to during the investigation
- How did the attacker gain initial access to the environment?
- How did the attacker maintain access to the environment?
- What is the storyline of the attack?
- What data was stolen from the environment?
- Have you contained the incident?
The Takeaways
Breaches are inevitable
- Have an effective communication strategy available
Consistent communication is key
- Based on factual investigative findings
Public speculation will happen
- Avoid distracting the investigation
CAUTION: Investigation Hazard
TREND 2: Retail in the Crosshairs
Trend 2: Retail in the Crosshairs
Retailers thrust into the spotlight in 2014
- Mandiant responded to many headlines
New groups getting into the game
Small misconfigurations led to greater compromise
Themes of Financially Motivated Attackers in 2014
Application virtualization servers used as an entry point
- Valid credentials used to authenticate
- Misconfigurations / lack of network segmentation allowed greater access
New tools, tactics, and procedures
- Highly sophisticated malware
- Publicly available tools
Increased number of attacks against e-commerce in locations that deployed chip-and-PIN technology
- Attackers shifting focus to lowest hanging fruit
Initial Access To Environment
Attacker authenticated to a virtual application server
- Already had legitimate credentials, no failed logons
Escaped from “jailed” environment to gain additional control over the system
Misconfiguration in virtual application server resulted in greater access to environment
- No segmentation
Same local administrator password on all systems
- Allowed attacker privileged access to systems
Lateral Movement - Forensic Artifacts
Attacker used the “psexec_command” Metasploit module to execute commands on remote systems
- Mimics command execution capability of the SysInternals PsExec utility
Windows 7/Server 2008 System event logs tracked installation of service
Persistence - Sophisticated Malware
Backdoor targeted Windows XP systems
Used a sophisticated packer
Backdoor gets capabilities from shellcode
Ability to download additional shellcode
- Makes for a versatile backdoor
Data Theft
Attacker used domain controller as pivot point into retail environment
- The retail domain had a two-way trust with the corporate domain
- The store registers ran Microsoft Windows XP
- The store registers were joined to the retail domain
Deployed card harvesting malware to registers throughout the environment
Malware wrote stolen track data to temporary MSSQL database
Attacker queried database to collect stolen track data
Transferred files off of network using FTP
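Because the harvested track data was staged in a temporary database before being pulled out over FTP, a defender can sweep staging locations (temp files, database dumps, memory images) for strings in the magnetic-stripe track layout. The scanner below is an added example, not FireEye's tooling: it matches the ISO 7813 Track 1 and Track 2 formats and applies the Luhn check to weed out digit runs that merely fit the layout. The buffer it scans is constructed; its card numbers are the publicly known 4111 test number and a deliberately broken variant.

```python
"""Scan a byte buffer for magnetic-stripe track data (ISO 7813 Track 1/2).

SAMPLE_BUFFER is constructed: two valid track strings and one whose
check digit fails Luhn. Output masks the PAN to its first six and last
four digits so the scanner itself does not leak cardholder data.
"""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(\d{13,19})\^([A-Z0-9 /.'\-]{2,26})\^(\d{4})(\d{3})[^?]{0,100}\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d{0,50}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; cuts out most random digit runs that fit the layout."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Return one record per track-formatted string found in buf, in offset order."""
    text = buf.decode("latin-1")  # byte-for-byte decoding; track data is ASCII
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(text):
            pan = m.group(1)
            hits.append({"track": track, "offset": m.start(), "pan": mask(pan),
                         "expiry": m.group(3 if track == 1 else 2),
                         "luhn": luhn_ok(pan)})
    return sorted(hits, key=lambda h: h["offset"])


SAMPLE_BUFFER = (
    b"\x00\x00 reader log %B4111111111111111^DOE/JOHN^25121011000000000000? \x00"
    b"tmp row ;4111111111111111=25121011000000000000? padding "
    b";4111111111111112=2512101? end"
)


def scan_sample() -> list:
    """Luhn-valid hits in the constructed buffer (what an analyst would report)."""
    return [h for h in find_track_data(SAMPLE_BUFFER) if h["luhn"]]


if __name__ == "__main__":
    for h in find_track_data(SAMPLE_BUFFER):
        print(h)
```

Run against a database dump or memory image, the Luhn flag separates real card data from look-alike noise, and the offsets give the analyst a place to start carving the surrounding record.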
A Retailer Case Study
Protect Yourself
Secure remote access
- Two-factor authentication required
Secure access to the PCI environment
- Segment the PCI environment
- Require access through internal jump server
Deploy application-whitelisting on critical assets
- Protect the POS servers and registers
Manage privileged accounts
- Control access
TREND 3: The Evolving Attack Lifecycle
Trend 3: The Evolving Attack Lifecycle
Threat actors have used stealthy new tactics to move laterally and maintain persistence in victim environments.
Attack Lifecycle
Hijacking the VPN
Heartbleed vulnerability
Single-factor authentication & credential theft
Bypassing two-factor authentication
Dumping certificates with Mimikatz (Image Source: www.darkoperator.com)
Password Harvesting
Clear-text passwords in memory
“Golden Ticket” Kerberos attack
Malicious security packages
“Victims quickly learned that the path from a few infected systems to complete compromise of an Active Directory domain could be incredibly short.”
Persisting with WMI
TREND 4: Blurred Lines – Criminal and APT Actors Take a Page from Each Others’ Playbook
Trend 4: Blurred Lines – Criminal and APT Actors Take a Page from Each Others’ Playbook
As actors' tactics merge, discerning their goals becomes critical to gauging the impact of incidents.
Tactical Overlaps between Cybercriminals and APT Groups
Interactive social engineering & social media presence
Custom malware and tools, development on the fly
Effective lateral movement and long-term persistence
Repeated, wide scale data theft
From Russia with Ambiguity: Intent Matters
Russia-based cyber activity
- Nation state espionage
- Cybercrime
- Gray area...
APT28 and “Sandworm”
- Use of BlackEnergy (traditionally crimeware) to target Industrial Control Systems
Intent & motive matters
Conclusion
Organizations are under increasing pressure to disclose details on breaches and provide attribution
Retail remains a top target as attackers found more victims
Threat actors have adopted stealthy new tactics to hide in compromised environments
Attribution is becoming harder as the lines blur between tactics used by cyber criminals and nation-state actors
GHOST MALWARE AND ZERO-DAYS: Interesting Data Points and Trends
Malware Lifespan Analysis: Total pool of malware samples versus lifespan (in hours)
[Chart: x-axis lifespan 0 to 7 hours; y-axis number of samples, 0 to 300,000; one series each for 2012, 2013 and 2014]
Ghost Hunting with Antivirus
Source: http://www.fireeye.com/blog/corporate/2014/05/ghost-hunting-with-anti-virus.html
70% of malware exists only once
82% of malware disappears after one hour
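Both percentages come from comparing, per sample hash, the first and last time it was seen. The script below is an added example and not FireEye's analysis code: it derives sighting count and lifespan per hash from a constructed list of sightings (labels h1 to h10 stand in for real hashes), reports the share seen only once and the share gone within an hour, and bins lifespans into the 0 to 7+ hour buckets of the chart above. The numbers it produces are illustrative only.

```python
"""Malware lifespan metrics from sighting records.

Lifespan of a sample = last sighting - first sighting. A hash seen once
has a lifespan of zero. SIGHTINGS is CONSTRUCTED sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)

# (hash label, UTC timestamp) pairs; labels stand in for real SHA-256 values.
SIGHTINGS = [
    ("h1", "2014-03-01T10:00:00"), ("h1", "2014-03-01T10:20:00"),
    ("h2", "2014-03-01T11:00:00"),
    ("h3", "2014-03-01T12:00:00"), ("h3", "2014-03-01T18:30:00"),
    ("h4", "2014-03-02T09:00:00"),
    ("h5", "2014-03-02T09:05:00"), ("h5", "2014-03-02T09:50:00"),
    ("h5", "2014-03-02T10:10:00"),
    ("h6", "2014-03-02T11:00:00"),
    ("h7", "2014-03-03T08:00:00"), ("h7", "2014-03-03T08:30:00"),
    ("h8", "2014-03-03T09:00:00"),
    ("h9", "2014-03-03T09:00:00"),
    ("h10", "2014-03-04T09:00:00"), ("h10", "2014-03-06T09:00:00"),
]


def lifespans(sightings) -> dict:
    """Map hash -> (sighting count, lifespan as timedelta)."""
    first, last, count = {}, {}, defaultdict(int)
    for h, ts in sightings:
        t = datetime.fromisoformat(ts)
        first[h] = min(first.get(h, t), t)
        last[h] = max(last.get(h, t), t)
        count[h] += 1
    return {h: (count[h], last[h] - first[h]) for h in first}


def summarize(sightings, max_bucket: int = 7) -> dict:
    """Share of hashes seen once, share gone within an hour, and an
    hourly histogram whose last bucket means 'max_bucket hours or more'."""
    spans = lifespans(sightings)
    total = len(spans)
    seen_once = sum(1 for c, _ in spans.values() if c == 1)
    within_hour = sum(1 for _, span in spans.values() if span <= HOUR)
    histogram = [0] * (max_bucket + 1)
    for _, span in spans.values():
        hours = int(span.total_seconds() // 3600)
        histogram[min(hours, max_bucket)] += 1
    return {"total": total,
            "seen_once": seen_once / total,
            "gone_within_hour": within_hour / total,
            "histogram": histogram}


if __name__ == "__main__":
    s = summarize(SIGHTINGS)
    print(f"{s['total']} hashes; seen once: {s['seen_once']:.0%}; "
          f"gone within 1h: {s['gone_within_hour']:.0%}")
    for hour, n in enumerate(s["histogram"]):
        label = f"{hour}h" if hour < 7 else "7h+"
        print(f"{label:>4} {'#' * n}")
```

Fed with a real sighting feed (hash plus timestamp per detection), the same two ratios are what the slide is reporting, and the histogram shape shows how heavily the mass sits in the zero-hour bucket.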
Malware Lifecycle Development – Supply Chain Comparison
Source: http://www.fireeye.com/blog/corporate/2014/05/ghost-hunting-with-anti-virus.html
[Figure: two lifecycles compared, one labelled "Lifecycle – Days to Weeks" and one labelled "Lifecycle – Days"]
Document Exploit Kits
Effective document exploit kits emerging in underground forums
New version of Microsoft Word Intruder (MWI) includes ability to track the effectiveness of the campaign
- Marketed as an APT tool. Author limits user base and forbids use as part of spam campaigns.
- Allows the operators to track multiple campaigns, conversion rates (i.e. successful exploitations), and information about their victims using MWISTAT package
- The latest version of MWI 4.0 has been advertised as containing multiple exploits, including:
• CVE-2010-3333
• CVE-2012-0158
• CVE-2013-3906
• CVE-2014-1761
• Payload – Chthonic (Zeus variant with Andromeda packaging characteristics)
Huge increase in macros versus exploits
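One practical response to the shift toward macros is to check incoming Office files for a VBA project before they reach a mailbox. The checker below is an added example, not from the deck: for OOXML packages (.docm, .xlsm and similar zip containers) it looks for a vbaProject.bin part and for the vbaProject content type declared in [Content_Types].xml; legacy OLE files (.doc, .xls) are recognised by their magic bytes and should be handed to an OLE-aware parser such as oletools' olevba, which is not included here. The sample documents are built in memory and their vbaProject.bin bytes are placeholders, not a real project.

```python
"""Flag Office documents that carry a VBA macro project.

OOXML files are zip packages; a macro project is stored as a
vbaProject.bin part (word/, xl/ or ppt/) and declared in the package
manifest with the content type below. Sample files are CONSTRUCTED.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
WORD_MAIN_CT = ("application/vnd.openxmlformats-officedocument."
                "wordprocessingml.document.main+xml")


def classify(blob: bytes) -> dict:
    """Return the container type and whether a macro project is present."""
    if blob.startswith(OLE_MAGIC):
        return {"container": "ole", "macros": None,
                "note": "legacy binary Office file; inspect with an OLE/VBA parser"}
    if not blob.startswith(b"PK\x03\x04"):
        return {"container": "unknown", "macros": None}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        # Part-name check: the project itself, wherever the application puts it.
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        # Manifest check: the declared content type of that part. Checking both
        # catches a package whose manifest and part list disagree.
        declared = False
        if "[Content_Types].xml" in names:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            declared = any(el.get("ContentType") == VBA_CONTENT_TYPE
                           for el in root.iter())
    return {"container": "ooxml", "macros": bool(vba_parts or declared),
            "vba_parts": vba_parts, "declared": declared}


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal Word package; vbaProject.bin is placeholder bytes."""
    overrides = f'<Override PartName="/word/document.xml" ContentType="{WORD_MAIN_CT}"/>'
    if with_macro:
        overrides += (f'<Override PartName="/word/vbaProject.bin" '
                      f'ContentType="{VBA_CONTENT_TYPE}"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    f'<?xml version="1.0" encoding="UTF-8"?>'
                    f'<Types xmlns="{CT_NS}">{overrides}</Types>')
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not VBA
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean.docx", build_sample_docx(False)),
                        ("macro.docm", build_sample_docx(True)),
                        ("legacy.doc", OLE_MAGIC + b"\x00" * 504)):
        print(label, classify(blob))
```

The check is deliberately independent of the file extension: a .docx name carrying a vbaProject.bin part is exactly the case an extension-based mail filter misses.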
Flash Exploits in 2015
Web exploit targets in the last few years
- Java – peaked in 2013 but dropped in January 2014 when Oracle blocked the execution of unsigned applets
- Internet Explorer – Decreased in June 2014 when MSFT introduced multiple heap corruption mitigations
- Adobe Flash – shift to Flash exploitation starting at the end of 2014
• Existing ASLR bypass mechanisms continue to allow for bug exploitation
• Advanced obfuscation techniques used to avoid detection
- Environmental checks (debugger, software version, OS language, browser type, …)
- Encryption, compression, FlashVars, data in external resource, …
- Multiple commercial Flash obfuscation tools available: DoSWF and SecureSWF
» Slows down automated analysis
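Container compression is the first layer a scanner has to remove before any of the obfuscation listed above can be examined. The parser below is an added example, not FireEye's: it unwraps an uncompressed (FWS) or zlib-compressed (CWS) SWF, walks the top-level tag list, and reports whether ActionScript bytecode (DoABC) or a nested SWF inside a DefineBinaryData tag is present, one common way of keeping the real payload out of the top-level file. Tag codes and header layout follow the SWF file format specification; the sample file is constructed with placeholder bytes, and LZMA-compressed (ZWS) files are identified but not unpacked.

```python
"""Unwrap a SWF container and list its top-level tags.

Header: 3-byte signature (FWS/CWS/ZWS), UI8 version, UI32 uncompressed
length; then (after decompression) a frame-size RECT, UI16 frame rate,
UI16 frame count and a sequence of tags. build_sample() is CONSTRUCTED.
"""
import struct
import zlib

TAG_NAMES = {0: "End", 1: "ShowFrame", 9: "SetBackgroundColor",
             69: "FileAttributes", 82: "DoABC", 87: "DefineBinaryData"}
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def parse_swf(blob: bytes) -> dict:
    sig, version = blob[:3], blob[3]
    declared_len = struct.unpack_from("<I", blob, 4)[0]
    if sig == b"FWS":
        body, compression = blob[8:], "none"
    elif sig == b"CWS":
        body, compression = zlib.decompress(blob[8:]), "zlib"
    elif sig == b"ZWS":  # LZMA: identified only, not unpacked in this example
        return {"compression": "lzma", "version": version, "tags": None}
    else:
        raise ValueError("not a SWF container")
    # RECT: 5-bit field width, then four fields of that width, byte aligned.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8
    pos += 4  # frame rate (UI16, 8.8 fixed point) and frame count (UI16)
    tags, nested, has_doabc = [], 0, False
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:  # long form: UI32 length follows the header
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        payload = body[pos:pos + length]
        pos += length
        tags.append(TAG_NAMES.get(code, f"tag{code}"))
        if code == 82:
            has_doabc = True
        # DefineBinaryData: UI16 CharacterID, UI32 Reserved, then raw data.
        if code == 87 and payload[6:9] in SWF_SIGNATURES:
            nested += 1
        if code == 0:
            break
    return {"compression": compression, "version": version,
            "length_ok": declared_len == 8 + len(body),
            "tags": tags, "has_doabc": has_doabc, "nested_swf": nested}


def _tag(code: int, payload: bytes) -> bytes:
    """Short-form tag header (payload under 63 bytes)."""
    return struct.pack("<H", (code << 6) | len(payload)) + payload


def build_sample(compress: bool) -> bytes:
    """Constructed SWF: FileAttributes, a DoABC with placeholder bytes, a
    DefineBinaryData wrapping a second (empty) SWF, then End."""
    head = b"\x00" + b"\x00\x18" + b"\x01\x00"  # RECT (nbits=0), 24 fps, 1 frame
    inner_body = head + _tag(0, b"")
    inner = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(inner_body)) + inner_body
    body = (head
            + _tag(69, b"\x00\x00\x00\x00")
            + _tag(82, b"\x00" * 4 + b"a\x00" + b"\x00" * 4)  # flags, name, placeholder
            + _tag(87, struct.pack("<HI", 1, 0) + inner)
            + _tag(0, b""))
    if compress:
        return b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    return b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + body


if __name__ == "__main__":
    print(parse_swf(build_sample(compress=True)))
```

A declared length that disagrees with the decompressed size, or a DefineBinaryData whose payload is itself a SWF, are both worth surfacing to the analyst before the file is passed to a sandbox that the environmental checks above may be designed to fool.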
Flash Campaign to Payload Mappings
VirusTotal (VT) Detection Rates vs Time for earliest samples utilizing high-profile Flash and IE/Flash exploits
THANK YOU
Free Resources
Available on www.mandiant.com
‒ Redline
‒ IOC Editor
‒ IOC Finder
‒ Memoryze
‒ Memoryze for Mac
‒ Highlighter
‒ ApateDNS
‒ Heap Inspector
‒ PdbXtract
Recommended