Monthly Cyber Threat Briefing April 2016

855.HITRUST (855.448.7878) www.HITRUSTAlliance.net

© 2016 HITRUST Alliance. All Rights Reserved.

Presenters
• Charity Willhoite: Intelligence Analyst, Armor
• Aaron Shelmire: Sr. Threat Researcher, Anomali (ThreatStream)
• Jon Clay: Sr. Manager – Global Threat Communications, Trend Micro
• Dennis Palmer: Senior Security Analyst, HITRUST


ARMOR: TOP THREAT ACTORS AND COMMAND AND CONTROL ACTIVITY

Top Vulnerability Exploits

NAME | HITS | RELATED TECHS/MALWARE
CVE-2016-1019 | 326 | Adobe, Adobe Flash Player, Magnitude Exploit Kit, Microsoft Windows, MS Windows XP
CVE-2016-1010 | 46 | Adobe, Angler Exploit Kit, Adobe Flash Player, Kaspersky Lab, Microsoft Windows
CVE-2016-1743 | 29 | Apple, Graphics Drivers, Mac OS X, Null Corp.
CVE-2016-0846 | 19 |
Stagefright Vulnerability | 17 | Android, Google, Smartphone, Zimperium, T-Mobile
CVE-2016-1001 | 9 | Angler Exploit Kit, Adobe, Adobe Flash Player, Nuclear Pack Exploit Kit, Magnitude Exploit Kit
CVE-2014-4113 | 5 | Microsoft Windows, Windows 8, Nuclear Pack Exploit Kit, Microsoft Excel, Microsoft
CVE-2016-0051 | 5 | Windows 7, MS-016, Microsoft Windows, Microsoft, GitHub
CVE-2016-0984 | 5 | Adobe, Adobe Flash Player, SDK, Microsoft Windows, Linux
CVE-2016-0998 | 5 | Adobe, Adobe Flash Player, Microsoft Windows, Flash Player Esr, SDK
CVE-2015-2419 | 4 | Microsoft IE, Angler Exploit Kit, Adobe Flash Player, RIG RENTSCH INDUSTRIE-HOLDING AG, Adobe
CVE-2015-3873 | 2 | Android, Nexus Security Bulletin, Google, CWE
CVE-2015-0057 | 2 | Windows 8, Microsoft Windows, Dyreza, Windows 10, Microsoft
MS14-058 | 2 | Microsoft Windows, Microsoft, Microsoft Excel, Windows 8.0/8.1, Operating system
APSA16-01 | 2 | Adobe, Adobe Flash Player, Microsoft Windows, Linux, Google Chrome OS
CVE-2014-6271 (Shellshock) | 2 | Bash, Yahoo, Linux, Unix, Mac OS X
CVE-2015-2413 | 2 | Microsoft IE, Microsoft, Microsoft Internet Explorer Information Disclosure Vulnerability, CWE
CVE-2015-3864 | 1 | Google, Android, M7, Exodus, Exodus Intelligence

Action Item: Avoid using Adobe Flash inside your infrastructure. Focus endpoint introspection on alerting on unpatched Adobe Flash Player installations.

Top Emerging Malware Entities

NAME | HITS | RELATED TECHS/MALWARE
rokku | 14 | Bitcoin, Encryption, Microsoft Windows, Advanced Encryption Standard, uncommon encryption algorithm
TinyPOS | 8 | Point of Sale, Foregenix, iSIGHT Partners
Recon Exploit | 6 |
OneLocker | 3 | Password manager, Universal, Windows 10, Microsoft Windows, Windows Phone 10
NewExt | 2 |
GSLFbot | 2 | Googlebot, TwitterBot, Google, GoogleMobile, Googlebot-Mobile

Action Item: Educate everyone on spearphishing. Rokku and other ransomware families use phishing for initial entry, and their success shows just how effective spearphishing can be. https://blog.avira.com/rokku-ransomware-made-professional/

Top Corporate Targets

NAME | HITS
Apple | 200
Federal Bureau of Investigation | 183
Mossack Fonseca & Co SA | 134
Hacking Team | 113
U.S. government | 108
Syrian Government | 83
National Childbirth Trust | 65
Spotify | 59
France | 57
Islamic State in Iraq and the Levant | 56
NASA | 51
Netflix | 46
Commission on Elections | 40
Sony Corp | 34
Verizon | 33
Georgetown University | 31
Knesset | 28
MedStar Health | 28
Mattel | 23
Google | 21

Action Item: If you’re running JBoss, take a look at JexBoss. Dissect its code, and make sure that if it were pointed at your infrastructure it would fail to profile you.
https://github.com/joaomatosf/jexboss
http://www.medstarhealth.org/blog/2016/04/05/april-4-2-p-m-medstar-health-update/
https://www.nct.org.uk/press-release/nct-data-breach

Top Corporate Targets

IP ADDRESS | HITS
223.234.142.127 | 47
107.180.64.84 | 36
188.118.2.26 | 26
118.170.130.207 | 25
46.109.168.179 | 20
81.183.56.217 | 19
185.117.75.227 | 17
93.174.93.94 | 10
183.60.48.25 | 9
134.96.217.62 | 7
103.242.190.57 | 7
87.222.67.194 | 6
47.89.36.68 | 6
223.25.233.46 | 6
195.191.158.226 | 6
125.88.177.94 | 6
123.168.123.28 | 6
91.236.75.4 | 5
58.218.205.69 | 5
21.0.0.182 | 5

Action Item: Block malicious IPs at your edge. Prevent reconnaissance, and increase the cost to the actors, by subscribing to IP reputation lists. Bi-directional edge filtering can help prevent payloads from detonating in your environment.
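The edge-filtering action item above, worked through as an added example that is not part of the briefing: a small Python check that matches both the source and the destination address of constructed firewall log lines against a reputation list. The list holds two addresses taken from the IP table on this page plus one hypothetical CIDR block, and the log lines and their format are constructed for the example. Checking the destination as well as the source is what makes the filtering bi-directional: an internal host reaching out to a listed address is flagged the same way as an inbound hit.

```python
import ipaddress
import re

# Constructed reputation list: two addresses from the briefing's IP table
# plus one hypothetical CIDR block added for illustration.
REPUTATION_LIST = [
    "223.234.142.127",
    "107.180.64.84",
    "185.117.75.0/24",  # hypothetical block, not from the briefing
]

# Constructed firewall log lines (format and addresses invented for the example;
# 10.0.0.0/8, 203.0.113.0/24 and 198.51.100.0/24 are private/documentation ranges).
SAMPLE_LOGS = """\
2016-04-12T10:01:03Z ACCEPT src=10.0.0.15 dst=203.0.113.7 dport=443
2016-04-12T10:01:09Z ACCEPT src=223.234.142.127 dst=10.0.0.22 dport=8080
2016-04-12T10:02:41Z ACCEPT src=10.0.0.31 dst=185.117.75.227 dport=443
2016-04-12T10:03:00Z DROP src=107.180.64.84 dst=10.0.0.22 dport=22
2016-04-12T10:03:15Z ACCEPT src=10.0.0.40 dst=198.51.100.9 dport=80
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def load_reputation(entries):
    """Parse plain IPs and CIDR strings into network objects; skip malformed entries."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            continue  # a bad line in a feed must not abort the whole load
    return nets


def match_reputation(ip_text, nets):
    """Return the first listed network containing ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in nets:
        if ip in net:
            return net
    return None


def scan_logs(log_text, entries):
    """Flag a line if either its source or its destination is on the list.

    Returns a list of (direction, ip, network, raw_line) tuples.
    """
    nets = load_reputation(entries)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for direction in ("src", "dst"):
            net = match_reputation(m.group(direction), nets)
            if net is not None:
                hits.append((direction, m.group(direction), str(net), line))
    return hits


if __name__ == "__main__":
    for direction, ip, net, line in scan_logs(SAMPLE_LOGS, REPUTATION_LIST):
        print(f"ALERT {direction}={ip} matches {net}: {line}")
```

Run as a script it prints three alerts: two inbound sources on the list and one outbound connection into the hypothetical /24. In practice the reputation feed would be refreshed on a schedule and the matcher fed from the firewall's own log export; the ipaddress module handles IPv6 entries in the same way.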

Ransomware Evolved

• Locky: http://www.symantec.com/connect/blogs/locky-ransomware-aggressive-hunt-victims
• SamSam: http://www.symantec.com/connect/blogs/samsam-may-signal-new-trend-targeted-ransomware
• Rokku: https://blog.avira.com/rokku-ransomware-made-professional/


ANOMALI: SAMSAM RANSOMWARE OVERVIEW

Overview: Ransomware
• Large uptick since 2013
• Largely driven by:
  – TOR hidden services
  – Bitcoin

SamSam Overview
• Targeted ransomware
• Actors leverage server-side exploitation, including JBOSS vulnerabilities
• Encrypts files based upon extension
• Current ransom pages are on Tor hidden services
• Requests payment in Bitcoin


SamSam Ransom Tor Page


SamSam Timeline


SamSam Activity

Relation to C0d0s0 / Peace Activity

Reported claims by:
• Cisco TALOS
• Dell SecureWorks
• Palo Alto Networks

Appear to rely upon:
• SamSam + McAltLib.dll on one server
• Both targeting JBOSS vulns


SamSam Mitigations
• Actors are targeting server infrastructure
• Regular offline backups
• Regular vulnerability scans
• Server patching


Thank you! Any questions?


TREND MICRO: BUSINESS E-MAIL COMPROMISE

Business E-mail Compromise (BEC)
• It is a global scam; it was renamed BEC to focus on the “business angle” of the scam.
• Sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.
• Victims will increase: the FBI assesses with high confidence that the number of victims and the total dollar loss will continue to increase.

CEO Fraud E-mail Characteristics
1. The e-mail addresses of high-level business executives (CEO, CTO, etc.) are spoofed.
2. Target recipients are usually responsible for processing, or have authority to grant, financial requests (e.g. the CFO).
3. The e-mail subject and content attempt to request a wire transfer.

The Scenario of CEO Fraud’s Victim

(Diagram in the original.) The real CXO goes on a business trip; the fraudster forges the CXO’s mailbox and sends an urgent wire-transfer request to a finance-related employee.

The Artifice of CEO Fraud E-mail

The fraudster/spammer knew:
• E-mail clients usually use the Reply-To address as the default recipient when the user clicks “Reply”

Example header fields (addresses redacted in the source):
Nick Name: CEO Name | Scam Address
John [email protected]
John [email protected]
[email protected]

1st Type of CEO Fraud: General Type

The scam e-mail address is named generically:
• for use in scamming different enterprises
• usually contains “CEO” or “executive” terms
• for example:
  – Reply-To: “Company A CEO” <[email protected]>
  – Reply-To: “Company B CEO” [email protected]
• registered at many free e-mail services:
  – [email protected], [email protected], [email protected], [email protected], [email protected]

2nd Type of CEO Fraud: Customized Type

The scam e-mail address is customized for a specific target business:
• The spammer registers a domain that looks similar to the target company’s domain
• The registered domain is usually newly registered or recently updated
• For example:
  – “Eva_Chen” <[email protected]>
  – “Eva_Chen” <[email protected]>
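As an added example that is not part of the original deck, the following Python check screens inbound mail headers for the two fraud types just described: a Reply-To domain that differs from the From domain (the general type, commonly a free-mail address) and a sender domain that is a near-miss of the company’s own (the customized type). It also flags an executive display name paired with an address outside the company domain, which covers both types. The company domain, the executive names, the free-mail list, the similarity threshold and the three sample messages are all constructed for the example; a mail gateway would supply the real values.

```python
import difflib
import email
from email.utils import parseaddr

# Assumed organization settings (hypothetical values for this example)
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"eva chen", "john smith"}  # display names worth protecting
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed sample messages (not taken from the briefing)
GENERAL_TYPE = """\
From: "John Smith" <john.smith@example.com>
Reply-To: "Company A CEO" <ceo.office.urgent@gmail.com>
To: cfo@example.com
Subject: Urgent wire transfer

Please process the attached wire today.
"""

CUSTOMIZED_TYPE = """\
From: "Eva_Chen" <eva_chen@examp1e.com>
To: finance@example.com
Subject: Re: payment

Need this wire sent before noon.
"""

LEGIT = """\
From: "Eva Chen" <eva.chen@example.com>
To: finance@example.com
Subject: Q2 budget

See attached.
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain, reference, threshold=0.8):
    """True if domain is close to, but not equal to, the reference domain.

    The 0.8 similarity threshold is an assumption chosen for this example.
    """
    if not domain or domain == reference:
        return False
    return difflib.SequenceMatcher(None, domain, reference).ratio() >= threshold


def assess(raw_message):
    """Return a list of human-readable reasons the message looks like CEO fraud."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    reasons = []

    # General type: replies are silently redirected away from the From domain
    if reply_addr and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
        if reply_dom in FREE_MAIL_DOMAINS:
            reasons.append("Reply-To uses a free mail service")

    # Either type: an executive's display name on an address outside the company
    name_key = from_name.replace("_", " ").lower().strip()
    if name_key in EXECUTIVE_NAMES and from_dom != COMPANY_DOMAIN:
        reasons.append(f"executive display name '{from_name}' with external address {from_addr}")

    # Customized type: sender domain is a near-miss of the company domain
    if lookalike(from_dom, COMPANY_DOMAIN):
        reasons.append(f"sender domain {from_dom} resembles {COMPANY_DOMAIN}")

    return reasons


if __name__ == "__main__":
    for label, sample in (("general", GENERAL_TYPE), ("customized", CUSTOMIZED_TYPE), ("legit", LEGIT)):
        print(label, assess(sample) or "no findings")
```

The general-type sample yields two reasons (redirected Reply-To, free-mail domain), the customized-type sample yields two (executive name on an external address, lookalike domain), and the legitimate message yields none. Findings like these are best routed to a banner or quarantine rather than a hard block, since a genuine external partner can also trigger the Reply-To rule.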

Fraudster Does Investigation and Then Attacks
• Company CXO name (company webpage and public information)
• Company employee roles and names (LinkedIn)
• E-mail account format (e-mail harvesting tool)

Is it possible that they also collect CXO business trip information?

Best Practices
• Financial employee education: immediate training about this threat is recommended for any employee who manages financial transactions, including executives who have authority to authorize transactions.
• 2-step verification: employees who receive e-mails purportedly from executives should contact the sender for verification (authenticate that they in fact sent the e-mail).
• The FBI recommends using the “Forward” function instead of “Reply”, so you type the e-mail address of your contact yourself and ensure that the correct address is being used.
• If defrauded: contact your bank and law enforcement, and report to IC3.gov.


HITRUST

CSF Controls Related to Threats: CSF Control for Suspicious IP Addresses
• Control Reference: 01.i Policy on the Use of Network Services
  – Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.
  – Implementation Requirement: The organization shall specify the networks and network services to which users are authorized access.

CSF Controls Related to Threats: CSF Control for Malicious Code
• Control Reference: 09.j Controls Against Malicious Code
  – Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.
  – Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.

CSF Controls Related to Threats: CSF Control for Crypto-Ransomware
• Control Reference: 09.l Backup
  – Control Text: Back-up copies of information and software shall be taken and tested regularly.
  – Implementation Requirement: Back-up copies of information and software shall be made, and tested at appropriate intervals. Complete restoration procedures shall be defined and documented for each system.

CSF Controls Related to Threats: CSF Control for Ransomware (Unauthorized Software)
• Control Reference: *10.h Control of Operational Software
  – Control Text: There shall be procedures in place to control the installation of software on operational systems.
  – Implementation Requirement: The organization shall maintain information systems according to a current baseline configuration and configure system security parameters to prevent misuse.

CSF Controls Related to Threats: CSF Control for Vulnerability Patching
• Control Reference: *10.m Control of Technical Vulnerabilities
  – Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.
  – Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.


QUESTIONS?


Visit www.HITRUSTAlliance.net for more information

To view our latest documents, visit the Content Spotlight