Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters


Understanding Chinese APT Attackers

Greg Hoglund

CTO ManTech CSI & VP, Cofounder HBGary

October 2012

Until recently, this information was known only to those with security clearances. ALL DATA IN THIS PRESENTATION IS UNCLASSIFIED AND REFERENCED FROM PUBLIC SOURCES.

Chinese Espionage

• A focused, organized, and ongoing program of computer exploitation, with the explicit goal of stealing intellectual property and strategic economic information.

Much of the public information about Chinese espionage was leaked via the Wikileaks U.S. Diplomatic Cables

Byzantine Hades

• Byzantine Hades is linked to the First Technical Recon Bureau (TRB) – a division under the GSD 3rd Department of China’s People’s Liberation Army* – China’s equivalent of the NSA

*http://www.strategypage.com/htmw/htiw/articles/20110417.aspx

Where to learn more

This report details the 3rd Department and its various bureaus

Public Information

• Aurora, Shady RAT, Night Dragon, and others are linked to this single government-sponsored spying program

• These attacks have been running since 2003

They have been penetrating U.S. & foreign networks for NINE YEARS

Chinese Freelancers

• Not all attacks appear to originate directly from government systems. Some appear to be ‘freelancer’ hacking groups – but they target the same kinds of data in similar ways

Attack strategies

• Extensive use of hash cracking, rainbow tables

– PTH toolkit and friends

• Entrenchment strategy

– Multiple backup plans: both a backup CNC protocol and backup CNC servers

• Avoidance of packing, rootkits, etc.

• Staging data for exfil

– Watch out for 3-day weekends

Why do they stay in?

• Polymorphism

• Private source code

• Small number of targets

– not addressed by “big” AV

• Translate.google.com example

• Hide in plain sight

Example

– seclogon.dll malware RAT

– seclogin.dll legitimate binary

– TTP: drops 1.txt, 2.txt into c:\RECYCLER, etc…

Cracking hashes remains the primary attack method

A collection of utilities found on a CNC server

C:\RECYCLER: a.bat, asx1.rar, asx2.rar

C:\$RECYCLE.BIN: run.bat, loe.rar

net use \\machine1\ipc$ pass DOMAIN/user

dir \\machine1\c$

net use \\machine2\ipc$ pass DOMAIN/user

dir \\machine2\c$

net use \\machine2\ipc$ pass DOMAIN/user

dir \\machine2\c$

Batch files are common
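The batch file above is a scripted sweep: one cracked credential is used against the IPC$ share of machine after machine, followed by a listing of each C$ share. The detector below is an added example, not part of the presentation or of any HBGary product; it runs over a constructed set of recorded process command lines (hostnames, the account and the password are invented) and flags the two things a defender can see in such logs: a password typed in the clear on a `net use` line, and one account authenticating to administrative shares on several hosts in a row.

```python
import re
from collections import defaultdict

# Constructed sample of process command lines as a host agent would record them
# (hostnames, the service account and the password are invented). The shape
# follows the batch file on the slide: authenticate to each machine's IPC$
# share, then list its C$ share.
SAMPLE_CMDLINES = [
    r"net use \\machine1\ipc$ Summer2012! /user:DOMAIN\svc_backup",
    r"dir \\machine1\c$",
    r"net use \\machine2\ipc$ Summer2012! /user:DOMAIN\svc_backup",
    r"dir \\machine2\c$",
    r"net use \\fileserver\projects /user:DOMAIN\alice",        # ordinary share, not flagged
    r"copy report.docx \\fileserver\projects\report.docx",
]

# Administrative shares: IPC$, ADMIN$ and the drive shares C$, D$, ...
ADMIN_SHARE = re.compile(r"\\\\(?P<host>[\w.-]+)\\(?P<share>ipc\$|admin\$|[a-z]\$)", re.I)
USER_SWITCH = re.compile(r"/user:(?P<user>\S+)", re.I)


def classify(cmdline):
    """Return a record for a command that touches an administrative share, else None."""
    m = ADMIN_SHARE.search(cmdline)
    if not m:
        return None
    tokens = cmdline.split()
    rec = {"host": m.group("host").lower(), "share": m.group("share").lower(),
           "kind": "other", "user": None, "cleartext_password": False}
    if len(tokens) >= 3 and tokens[0].lower() == "net" and tokens[1].lower() == "use":
        rec["kind"] = "auth"
        u = USER_SWITCH.search(cmdline)
        rec["user"] = u.group("user").lower() if u else None
        # Any bare token after the UNC path that is not a /switch is a password
        # supplied in the clear, which is what a cracked hash turns into.
        rec["cleartext_password"] = any(not t.startswith("/") for t in tokens[3:])
    elif tokens[0].lower() == "dir":
        rec["kind"] = "enum"
    return rec


def detect_fan_out(cmdlines, threshold=2):
    """Group admin-share authentications by account and flag any account that
    reaches `threshold` or more distinct hosts: the scripted sweep pattern."""
    records = [r for r in map(classify, cmdlines) if r]
    hosts_by_user = defaultdict(set)
    for r in records:
        if r["kind"] == "auth" and r["user"]:
            hosts_by_user[r["user"]].add(r["host"])
    alerts = [{"user": u, "hosts": sorted(h)}
              for u, h in hosts_by_user.items() if len(h) >= threshold]
    return {"records": records, "alerts": alerts}


if __name__ == "__main__":
    result = detect_fan_out(SAMPLE_CMDLINES)
    for a in result["alerts"]:
        print(f"{a['user']} authenticated to admin shares on {len(a['hosts'])} hosts: {a['hosts']}")
```

The fan-out threshold is deliberately low here because the sample is short; on a real fleet it should be tuned against how many hosts a given administrative account legitimately touches in a window, and the ordinary-share line shows that only administrative shares are counted.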

Installing a sethc.exe backdoor

Anti-forensics

• Cleans the log

• Adds/removes services

• Stomps filetimes

• Removes last login times

• Secure deletes files

• Zaps slack disk

• …

Attack Progression (diagram)

Phases: Prepare, Infect, Interact, Exploit

Steps: Reconnaissance, Weaponization, Delivery, Detonation, Command and Control, Escalation & Lateral Movement, Entrenchment, Data Exfiltration

Diagram labels: Defense Solutions; GAP; Attacker’s exposure; Cost to attacker; High detection potential; Cost to remediate

October 17, 2012

Length of time from “Compromise to Discovery” in 2010 (graph; source: Verizon Data Breach Report 2010)

Average length of time before Shady RAT was discovered: 8 ½ months

Also: Time Exploited (graph)

Future / Emerging Vectors

Social Media + Bring Your Own Device

bit.ly? You can’t even tell what you are clicking on…

Social Networking Attack (I) (diagram): Social Networking Space; Injected JavaScript

Social Network Attack (II) (diagram): Social Networking Space; Compromised Credential; The New CNC

Continuous Protection

Make your Infrastructure Smarter

Cycle (diagram): Compromise Detected → Reimage Machine, Get Threat Intel → More Compromise → Scan Hosts → Intelligent Perimeter

Host Analysis: Event Timeline; Malware Strings; IP, DNS, URL; Registry Scan; NTFS Scan; Memory Scan

Updates on each event: GPO’s, NIDS, AV

Enterprise-wide Physical Memory and Processes

Enterprise-wide registry and Windows objects

Group Tour

APT Group

• Multiple DoD contractor targets

• 30+ C&C domains in play

– nilaye.com, helpmgr.net, etc…

– Registrations thru ENOM, Inc.

• ~10 Personas

– Wal Rook (culture reference: Chinese general)

– Tom Hansen

– Tom Hason variant

• Full featured C&C protocol

• No stealth

Parking

• Used to park at 127.0.0.1, now parking at yahoo.com, google, blogspot, etc…

• No longer 255.255.255.255, 1.1.1.1, etc…

• Indicates they know you are using DNS logs to find parked domains

• HBGary has new methods to discover these website-parked domains

– This involves data mining search engine web caches for historical indexed content of yahoo, etc.
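The parking change described above defeats the obvious heuristic: a C&C domain answering 127.0.0.1 or 255.255.255.255 is easy to spot in DNS logs, but one answering an address inside a large public site looks like any other domain. The script below is an added example, not part of the presentation or of HBGary's discovery method; it classifies answers for a watchlist (the two domains named on the slide) against the old bogon parking addresses and against an assumed table of public-site ranges (RFC 5737 documentation ranges used as placeholders, not real Yahoo or Google allocations), and alerts on the day a parked domain becomes live. The constructed log shows the blind spot: with the public-site table empty, the parked-on-yahoo answers are indistinguishable from an active server.

```python
import ipaddress
from collections import defaultdict

# C&C domains the slide names for this group, treated here as a watchlist.
WATCHLIST = {"nilaye.com", "helpmgr.net"}

# The old-style parking answers listed on the slide, plus loopback and "this host".
BOGON_PARKING = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "0.0.0.0/32", "255.255.255.255/32", "1.1.1.1/32")]

# Assumed: address ranges of the big public sites the domains now park on.
# These are RFC 5737 documentation ranges used as placeholders, not the real
# allocations of Yahoo or Google; a real deployment would load them from WHOIS/ASN data.
PUBLIC_PARKING = {
    "yahoo": ipaddress.ip_network("203.0.113.0/24"),
    "google": ipaddress.ip_network("198.51.100.0/24"),
}

# Constructed DNS resolution log: (day, queried domain, answer).
SAMPLE_DNS_LOG = [
    (1, "nilaye.com", "127.0.0.1"),
    (2, "nilaye.com", "255.255.255.255"),
    (3, "nilaye.com", "192.0.2.10"),        # a live server (placeholder address)
    (1, "helpmgr.net", "203.0.113.7"),      # parked on a big public site
    (2, "helpmgr.net", "203.0.113.7"),
    (3, "helpmgr.net", "192.0.2.44"),       # goes live
    (1, "www.example.com", "192.0.2.99"),   # not on the watchlist, ignored
]


def classify_resolution(ip, public=PUBLIC_PARKING):
    """Label one DNS answer: parked on a bogon, parked on a public site, or active."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BOGON_PARKING):
        return "parked-bogon"
    for name, net in public.items():
        if addr in net:
            return "parked-on-" + name
    return "active"


def domain_history(log, watchlist=WATCHLIST):
    """Per watched domain, the ordered sequence of (day, state)."""
    history = defaultdict(list)
    for day, domain, ip in sorted(log):
        if domain in watchlist:
            history[domain].append((day, classify_resolution(ip)))
    return dict(history)


def activation_alerts(history):
    """The day a watched domain moves from any parked state to a live answer."""
    alerts = []
    for domain, states in history.items():
        for (_, before), (day, after) in zip(states, states[1:]):
            if before.startswith("parked") and after == "active":
                alerts.append((domain, day))
    return sorted(alerts)


if __name__ == "__main__":
    for domain, day in activation_alerts(domain_history(SAMPLE_DNS_LOG)):
        print(f"{domain}: parked domain became active on day {day}")
```

The history is what matters: a single answer inside a public hosting range proves nothing, but a watched domain that sat on such an address for weeks and then moved to an unrelated address is the campaign switching on.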

APT Group

• DoD contractor-wide compromises

• Full RAT, many variants, private sourcecode

– Drops malicious screensaver, executable, DLL

• C&C protocol unchanged

– All use the same DNS registration email

– New registration email appeared recently

– ~5 Personas (variants of Xue)

• Xue Lan, Lan Xue, Xue Sun, Sun Xue

• Serves malicious PDF from “esnips” social networking site

– FY11_DSDLP.PDF DoD program

Unique String Tracking

• Group uses a consistent RAT built from private source code

• HBGary has specific unique strings that always appear in this group’s malware

– These can be scanned for in physical memory
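Scanning physical memory for group-specific strings is simple in principle but has two practical details: Windows binaries carry strings in both narrow ASCII and UTF-16LE, and a memory image is read in chunks, so a string sitting across a chunk boundary is missed unless the chunks overlap. The scanner below is an added example, not HBGary's scanner; the watchlist reuses names from the Infection Phases slide of this deck (the actual unique strings HBGary tracks are not on the slide), and the "memory image" is a constructed byte buffer with one ASCII string placed exactly across a chunk boundary and one UTF-16LE string later on.

```python
# Strings tied to this group's malware on the Infection Phases slide, used here
# as the watchlist. The real unique strings HBGary tracks are not on the slide.
UNIQUE_STRINGS = [b"babysleep", b"goodfeelingauto.com", b"mysundayparty.com"]


def encodings(s):
    """Both byte forms a Windows binary may carry: narrow ASCII and UTF-16LE."""
    return {"ascii": s, "utf16le": s.decode("ascii").encode("utf-16-le")}


def scan_buffer(buf, strings=UNIQUE_STRINGS, chunk=4096):
    """Scan `buf` in fixed-size chunks with an overlap of (longest pattern - 1)
    bytes so a string that straddles a chunk boundary is still found.
    Returns sorted (offset, encoding, string) hits, de-duplicated."""
    patterns = [(s.decode(), enc, raw) for s in strings for enc, raw in encodings(s).items()]
    overlap = max(len(raw) for _, _, raw in patterns) - 1
    hits = set()
    for start in range(0, len(buf), chunk):
        window = buf[start:start + chunk + overlap]
        for name, enc, raw in patterns:
            idx = window.find(raw)
            while idx != -1:
                hits.add((start + idx, enc, name))
                idx = window.find(raw, idx + 1)
    return sorted(hits)


def build_sample_image(chunk=4096):
    """Constructed stand-in for a physical-memory dump: filler bytes with one
    ASCII string placed across the first chunk boundary and one UTF-16LE string later."""
    filler = bytes(range(256)) * 40
    img = bytearray(filler[:chunk - 5])                # ends 5 bytes before the boundary
    img += b"babysleep.scr"                             # offset 4091, crosses 4096
    img += filler[:300]
    img += "goodfeelingauto.com".encode("utf-16-le")    # offset 4404
    img += filler[:100]
    return bytes(img)


if __name__ == "__main__":
    for offset, enc, name in scan_buffer(build_sample_image()):
        print(f"0x{offset:08x} {enc:8s} {name}")
```

The overlap is the longest encoded pattern minus one byte, which is the smallest value that guarantees every occurrence lands wholly inside some window; the set removes the double hit that occurs when an occurrence lies entirely within the overlap region of two consecutive windows.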

Infection Phases

• babysleep.scr connect to

– goodfeelingauto.com

• drops auto.exe

• We have also seen several other variants

– i.e., party.exe from mysundayparty.com

• This is all the same malware, but with different compile times, indicating private sourcecode

APT Group

• Very widespread, 30-50 known victims

– DoD contractors, manufacturing, etc.

• Rasauto32 backdoor, nwsapagent backdoor

• C&C: infosupports.com, blackcake.net, purpledaily.org, many others

• Persona: Yingxi Yuan for registrations

• TTP: drop MD5-modified version of cmd.exe

– Sometimes dropped as “ati.exe”

– Change metadata to ‘Macrosoft’ for example

– Trying to hide this shell from your MD5 sweeps

APT Group

• Well over a dozen known DoD contractors hit

• Uses google code site for C&C, base64 encoded comments

• Usernames all variants of XSL/XLS

– XSL2012, XLS2012 transposed

– XXTALTAL, XXTALATL transposed

– XSLPROFILE

• Recently this group changed to a new naming scheme and made pages private

– HBGary has a means to extract cleartext from these private versions via google-cache

Command and Control (diagram, labels A–D)

Backdoor connects to compromised web server

Web server that has been compromised by hacker

Backdoor downloads base64 encoded file containing instructions

HTML to make this look like a 404 error page.

C&C control files

• Group has C&C servers running in Hong Kong and also at a Chinese university

• Updates to OPSEC

– Company_name.html old way

– Sexy_monkey.html new way

APT Group

• spoolsv RAT, man-in-the-middle print driver

• C&C is designed to look like HP driver update

– This is fairly advanced compared to other groups

• C&C DNS: hpwsvs.com, others…

• Full RAT, remote command shell

• Creates DNS strings with single-byte pushes

Takeaway

• Use your threat intelligence

• You need endpoint visibility

• The perimeter is vanishing

• Security is a counterintelligence problem, not a technology problem

– Security will not be provided solely by blinking appliances in the rack

HBGary Active Defense dramatically reduced the time between network intrusion and discovery.

- U.S. Government Contractor

We can't live without it. Active Defense is saving us major money.

- Top 10 Financial Institution

Digital DNA is a game changer.

- Big Consulting Company

Responder with Digital DNA is definitely a need-to-have item in our toolbox.

- VP eCrime Unit, Fortune 50 Bank

Thank you – Q&A

For more information: http://hbgary.com/publications

Request a copy of the “APT World at War: Region China” poster

Contact: karen@hbgary.com
