Zombie Zero Weaponized Malware Targets ERP Systems ANATOMY OF AN ATTACK TrapX Research Labs March 1, 2017

Zombie Zero - TRAPX Security · 2019-11-13 · Zombie Zero is highly unusual in that the entry point is based on malware that has been “weaponized” through its placement within


1 | ANATOMY OF AN ATTACK : Zombie Zero

© 2017 TrapX Security, Inc. All Rights Reserved.



Notice

TrapX Security reports, white papers, and legal updates are made available for educational and general informational purposes only. Although the information in TrapX reports, white papers, and updates is intended to be current and accurate, the information presented here may not reflect the most current developments.

Please note that these materials may be changed, improved, or updated without notice. TrapX Security is not responsible under any circumstances for any errors or omissions in the content of this report, or for damages arising from its use.

TrapX Labs has worked in strict confidence with governments and enterprise businesses worldwide to develop and document our Anatomy of an Attack series. It is our goal to identify attackers and remediate current and future cyber-attacks. Information pertaining to specific attacker activity is provided solely to help illustrate the details of the attack vectors documented.

Best practices that utilize advanced threat-detection techniques, such as deception technology, are relatively new to enterprise and government institutions; such techniques have been available commercially since 2012.


About Anatomy of an Attack

The TrapX Security Labs division was established in 2014 as an independent research team within TrapX Security. Our mission is to conduct critical cyber-security experimentation, analysis, and investigation, and to bring the benefits of this work to the security community through our publications and our rapid ethical compliance disclosures.

Since its inception, TrapX Labs has contributed to development of the next generation of security technologies and best practices so that we can provide industry-leading resources for the evolution of cyber security. The Anatomy of an Attack series comprises publications of TrapX Laboratories and highlights the results of our research into current information-security issues.

The TrapX Labs knowledge base benefits significantly from information on advanced malware events shared with us by the TrapX Security Operations Center. Our threat analyses are unique and include deep intelligence on the activities of sophisticated human attackers.


Contents

Notice (p. 2)
About Anatomy of an Attack (p. 3)
Executive Summary (p. 5)
The Dangers of Weaponized Malware (p. 6)
Zombie Zero Case Study (p. 7)
The Target User Environment (p. 7)
Zombie Zero Behavior (p. 8)
Detection of Zombie Zero (p. 9)
Deception Technology (p. 9)
  An Introduction to DeceptionGrid (p. 9)
  High Accuracy – Minimal Alerts (p. 10)
  DeceptionGrid™ Core Components (p. 10)
DeceptionGrid Differentiation (p. 12)
DeceptionGrid Key Benefits (p. 13)
Automation Delivers Enterprise Scale (p. 14)


Executive Summary

Zombie Zero is an attack method discovered by TrapX Labs in 2014. The discovery showed that at least eight companies were compromised beginning in May 2013. Zombie Zero is highly unusual in that the entry point is based on malware that has been “weaponized” through its placement within hardware developed by an original manufacturer, then sold to unsuspecting customers.

We believe that the Zombie Zero malware was preloaded into newly manufactured scanners by a manufacturer in China. The scanners were sold on the open market to global shipping-and-logistics companies. The targets included some of the largest manufacturing companies in the world. Once the scanners were installed and in use, the secretly embedded malware had instant access inside the perimeter protections. The attacker tools were thus available to compromise networks from the inside and, once remotely updated with additional functionality by the attackers in China, exfiltrate proprietary financial and shipping information.

After the investigation, it was determined that the scanners had been distributed to seven shipping and logistics companies and one manufacturer, for use in checking items being shipped. The true scope of this attack will never be known, except perhaps to the perpetrator.

The Zombie Zero attack appears to have originated from a location in China near Lanxiang University, whose network has been associated with Chinese government activity in previous intelligence operations. Lanxiang’s location in Shandong province is in close proximity to that of the scanner manufacturer, and so it appears that this may be more than a coincidence, especially given that Lanxiang has been implicated in prior attacks, on Google and other U.S. corporations, as part of a campaign called “Operation Aurora.”

Tracing attacks to their source is always difficult. Sophisticated nation-state attackers can modify code to eliminate coder “signatures”; launch attacks from a variety of physical locations, especially outside the true originating country; and then utilize a variety of daisy-chained, encrypted VPNs and I2P/Tor obfuscating network services, thereby deflecting blame onto other nation states.

For more information about Zombie Zero, please email TrapX, at [email protected].

“Zombie Zero is remarkable in that this is our first direct experience with malware-weaponized hardware, that is, new hardware shipped with malware embedded by manufacturers in an apparent conspiracy with the malware creators.”

Moshe Ben Simon, Vice President and Co-founder, TrapX Security


The Dangers of Weaponized Malware

Pre-installed malware usually catches companies off-guard. We don’t think about the security of supply chains, and we tend to assume that a new device is free from malware and hidden attacker tools. However, recent events illustrate that this assumption, especially when the components in question are manufactured overseas, can be quite wrong. Increasingly, malware can be pre-installed in new computers, peripherals, communications switches, firewalls, memory sticks, and Internet of things (IoT) devices.

Malware can also be placed within the firmware and logic of new semiconductor chips. This has received increasing attention from government entities for the past several years. Nation-state cyber attackers can exploit pre-installed malware to target and compromise classified government programs by targeting the supply chain of contractors that support it.

Sources of pre-installed malware include nation states, criminal organizations, and even device manufacturers. National security objectives can drive malware-compromised chips. Nation states often seek to systematically introduce compromised devices into organizations’ supply chains. The likely goal is to gain footholds for extracting information.

Organized crime usually has a simpler motive: money. By pre-installing malware into new devices, criminal organizations can more rapidly establish and enable massive botnets, which can then be leveraged in a variety of ways. In one prominent example, Microsoft researchers investigating counterfeit software in China in 2012 found new computers loaded with Nitol malware, which linked the compromised computers back to subdomains of 3322.org, a top-level domain in China.

Nitol is a family of highly contagious trojans that perform DDoS attacks, allow backdoor access and control of infected computers, upload and download additional files, and perform several other malicious activities. Simply inserting a USB drive into a Nitol-compromised computer allows Nitol to copy itself onto the drive, and from there onto any machine the drive is connected to thereafter.

In another example, a large computer manufacturer in China has pre-installed malware on new laptops. This manufacturer has been banned in some cases from supplying computers to defense and government organizations.

“Zombie Zero is highly sophisticated, targeted malware, supported by an advanced persistent attacker. It’s very selective and is hardcoded to go after financial enterprise resource planning systems. The data contained and managed by these systems is the lifeblood of the companies that use them. It’s not just that attackers can access data; they can actually modify shipping databases, causing packages to appear and then disappear.”

Anthony James, Vice President, TrapX Security


Zombie Zero Case Study

Our researchers discovered that a Chinese manufacturer had shipped Windows XP-embedded scanners that were infected with Zombie Zero. TrapX believes that the manufacturer was directly responsible for the malware as later analysis revealed that 16 out of 48 scanners purchased by one customer were found to be infected. We detected the same malware in a firmware update file on the manufacturer’s website. In keeping with our ethical disclosure policy, we note that the company removed the firmware update initially after TrapX notified it of the problem, but the update was later restored, with the malware intact.

The same scanner product, containing a variant of Zombie Zero, was sold and delivered to a manufacturing company, along with at least seven other customers. Malware also persisted in the Windows XP-embedded version at the Chinese manufacturer’s support website, hosted in China.

The Target User Environment

The company this case study is based on uses scanners to track its goods as they are loaded and offloaded from ships, trucks, and planes. The scanned data (origin, destination, contents, value, ship-to, ship-from, etc.) is transmitted to the corporate ERP via an exterior wireless network.

The customer had deployed scanners at two major distribution sites. Site 1 had a firewall between the corporate production network and the end-point scanner wireless network that provided community-of-interest separation between computing environments. Site 2 had no firewall between the corporate production network and the end-point scanner wireless network.

The customer had deployed significant defense-in-depth security, using leading brands of firewalls, IPS, IDS, mail gateways, and agent-based endpoint products. The customer’s ERP was from one of the leading vendors. The customer installed security certificates on the scanners for network authentication, but because APT malware from the manufacturer was already installed on the devices, the certificates were compromised.

The compromised scanners gave attackers a foothold inside the company’s network from which to establish a pivot point, which could then be used to compromise the entire enterprise network. Now the attacker had a backdoor within the internal network infrastructure. Through the weaponized malware, the attackers could bypass most of the company’s enterprise perimeter security measures and compromise the target networks almost completely. Moreover, as with all IoT devices, the devices were not easily scanned, if at all, by standard endpoint security software. Heuristics and intrusion-detection software were unable to see inside the device or observe the traffic through the hidden backdoors.

“Three elements make this attack quite dangerous. First, Zombie Zero targets a zero-day vulnerability on one of the most popular ERP systems in the world. Second, Zombie Zero is polymorphic, so the code can adapt and change to elude detection and avoid various network security countermeasures. Third, and of greatest concern, this is the first malware that TrapX has seen embedded and delivered via malware-weaponized hardware directly from the manufacturer.”

Carl Wright, Executive Vice President of Sales, TrapX Security

In Stage 1 of the attack, the scanner malware probed the network using widely used Windows file-sharing (SMB, ports 135/445) and remote-administration (RADMIN, port 4899) protocols, looking for servers with “finance” as part of the hostname.

Although SMB is commonly blocked by corporate firewalls, remote-administration ports are often left open to facilitate network-wide server management. Because many companies also use descriptors in server names, the attack was generally successful at locating ERP systems on the network. The command-and-control (CnC) network was then used to load additional software onto compromised ERP systems and copy the entire financial database.

Stage 2 of the attack facilitated the upload of a “standby” weaponized payload from the scanner. The payload established a comprehensive CnC connection to a Chinese botnet that appeared to terminate at the Lanxiang Vocational School, located in the “China Unicom Shandong province network.” A second payload was then downloaded from the botnet that established more sophisticated CnC of the company’s finance server. A secondary stealth botnet CnC network (the owner of the IP address was masked) was also established, terminating at a location/facility in Beijing.

Zombie Zero Behavior

After the scanner was attached to the wireless network, it immediately began an automated attack on the corporate environment using the SMB protocol (ports 135/445). At Site 1, where the customer had segmented the network with a firewall, the SMB attack was defeated. However, the malware was polymorphic and launched a second automated attack, leveraging the RADMIN protocol (port 4899), which successfully infected nine servers. The secondary attack was successful at defeating the corporate firewall at Site 1 because Site 2 had no firewall.

The customer had deployed 48 scanners from the Chinese manufacturer, of which 16 were infected with the APT malware. All scanner attacks targeted specific corporate servers: the attack sought out and compromised servers that had the word “finance” in their hostname. This ERP system manages all aspects of corporate transactions, including, but not limited to, financial data, customer data, and detailed shipping and manifest information.

The attack succeeded in locating and compromising the ERP financial server, allowing complete access and control by remote attackers. The attacker exfiltrated all financial data and ERP data, providing complete visibility into the company’s worldwide operations.
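The two stages and the behavior described above form a pattern a defender can look for in ordinary firewall or flow logs: a device on the scanner wireless segment speaking SMB (135/445) or RADMIN (4899) to production servers whose hostnames contain “finance”, followed by the same device contacting an external address. The Python script below is an added example, not TrapX code or anything from the report; it applies that logic to constructed flow-log lines in an assumed format, with the scanner segment (10.20.0.0/16) and internal address ranges also assumed.

```python
"""Flag Zombie Zero-style lateral movement from a scanner segment toward ERP hosts.

Added example (not TrapX code). Assumptions: the scanner wireless network is
10.20.0.0/16, internal address space is RFC 1918, and flow records arrive as
"<timestamp> <src_ip> <dst_ip> <dst_port> <dst_hostname> <allow|deny>".
"""
import ipaddress
import re
from collections import defaultdict

SCANNER_NET = ipaddress.ip_network("10.20.0.0/16")          # assumed scanner segment
INTERNAL_NETS = [ipaddress.ip_network(n) for n in            # assumed internal ranges
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports the report names: SMB/RPC on 135 and 445, RADMIN on 4899.
PROBE_PORTS = {135: "SMB/RPC", 445: "SMB", 4899: "RADMIN"}
# Zombie Zero selected its targets by the word "finance" in the hostname.
TARGET_NAME_RE = re.compile(r"finance", re.IGNORECASE)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<port>\d+)\s+"
    r"(?P<host>\S+)\s+(?P<action>allow|deny)$"
)

# Constructed sample flow records (not real logs). 10.20.3.17 behaves like an
# infected scanner: its SMB probes are denied by the firewall, RADMIN is allowed
# through to two finance hosts, and it then reaches out to an external address.
SAMPLE_LOG = """\
2013-05-14T08:01:02 10.20.3.17 10.1.5.10 445 FILESRV01 deny
2013-05-14T08:01:03 10.20.3.17 10.1.5.11 445 FINANCE-ERP01 deny
2013-05-14T08:01:09 10.20.3.17 10.1.5.11 4899 FINANCE-ERP01 allow
2013-05-14T08:01:10 10.20.3.17 10.1.5.12 4899 FINANCE-DB02 allow
2013-05-14T08:02:00 10.1.7.40 10.1.5.11 443 FINANCE-ERP01 allow
2013-05-14T08:02:31 10.20.3.22 10.1.5.11 135 FINANCE-ERP01 deny
2013-05-14T08:03:05 10.20.3.17 203.0.113.9 443 - allow
"""


def parse_line(line):
    """Parse one flow record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "port": int(m["port"]),
        "host": m["host"],
        "action": m["action"],
    }


def is_external(addr):
    """True when the address lies outside the assumed internal ranges."""
    return not any(addr in net for net in INTERNAL_NETS)


def analyse(log_text, scanner_net=SCANNER_NET):
    """Return findings keyed by scanner IP. Severity is derived as follows:
    medium   - scanner probes SMB/RADMIN on any non-scanner host (even if denied)
    high     - an allowed SMB/RADMIN session to a host with "finance" in its name
    critical - high, plus later traffic from the same scanner to an external IP
    """
    findings = defaultdict(lambda: {"probes": 0, "finance_hits": [],
                                    "external": [], "severity": "none"})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["src"] not in scanner_net:
            continue                          # only scanner-sourced traffic matters here
        f = findings[str(rec["src"])]
        if rec["port"] in PROBE_PORTS and rec["dst"] not in scanner_net:
            f["probes"] += 1                  # a barcode scanner has no reason to speak SMB/RADMIN
            if rec["action"] == "allow" and TARGET_NAME_RE.search(rec["host"]):
                f["finance_hits"].append((rec["host"], PROBE_PORTS[rec["port"]]))
        elif is_external(rec["dst"]) and f["finance_hits"]:
            f["external"].append(str(rec["dst"]))   # possible CnC after the ERP was reached
    for f in findings.values():
        if f["finance_hits"] and f["external"]:
            f["severity"] = "critical"
        elif f["finance_hits"]:
            f["severity"] = "high"
        elif f["probes"]:
            f["severity"] = "medium"
    return {src: f for src, f in findings.items() if f["severity"] != "none"}


if __name__ == "__main__":
    for src, f in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{src}: {f['severity']} probes={f['probes']} "
              f"finance={f['finance_hits']} external={f['external']}")
```

Denied probes still count: at Site 1 the firewall blocked SMB, but the attempts themselves were the first visible sign of an infected scanner.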


Detection of Zombie Zero

TrapX DeceptionGrid™ was installed on the customer’s environment as part of a proof-of-concept, which began reporting to a management station located at a TrapX Certified Managed Security Services Provider (MSSP). Within minutes, an ALERT was issued and the attack was detected.

The customer immediately requested that TrapX install additional DeceptionGrid components within Site 2. This was done remotely, and within 60 seconds the attack was detected in Site 2. TrapX deception technology succeeded in detecting and monitoring the lateral movement from the bar code readers. This movement touched several of our Traps (decoy systems, servers, and workstations deployed throughout the network) and was identified as malicious activity at extremely high probability.

Deception Technology

An Introduction to DeceptionGrid

In today’s environment, the question isn’t whether attackers will penetrate your networks, but when and how often. Attackers use increasingly sophisticated techniques to penetrate the most robust perimeter and endpoint defenses.

How do you know if an attacker has penetrated your network? Is there any way to identify them quickly? What are their intentions? How quickly can you stop an attack and return to normal operations?

The TrapX Deception in Depth architecture answers these questions using a powerful multi-tier deception platform (DeceptionGrid™) that matches each step of a sophisticated attack with a layer of deception. As the attack unfolds, at every stage DeceptionGrid moves to bait, trap, and engage the active attackers.

When cyber attackers penetrate an enterprise network, they move laterally to locate high-value targets. TrapX Deception in Depth combines wide-ranging deception capabilities to bait, engage, and trap attackers with fake attack surfaces that closely match attacker activity. This multi-tier architecture creates a tempting environment for attackers, and they’re faced with immediate identification at every turn. It only takes one touch of the DeceptionGrid by the attacker to set off a high-confidence ALERT. Then DeceptionGrid integrates with key elements of the network and security ecosystem to contain attacks and enable a return to normal operations.

This multi-tier approach to engagement maximizes the deception surface to bait the attacker, allowing TrapX to identify attackers quickly, determine their intentions, and gather detailed forensics and evidence. This deep visibility into malicious activity within the network can minimize or eliminate the risk to intellectual property, IT assets, critical infrastructure, and impact on business operations.

High Accuracy – Minimal Alerts

In large enterprises, conventional cyber-defense technologies, such as firewalls and endpoint security, can generate thousands or even millions of alerts daily, overwhelming cyber-security operations. Unfortunately, just one successful penetration can compromise an entire network. DeceptionGrid takes a different approach. Unlike firewalls and endpoint security methods, which generate alerts based on probabilities, DeceptionGrid alerts are binary; attackers either attempt to engage our Traps or they don’t. If they do touch a Trap, we know with nearly 100 percent certainty that it’s an attack.

DeceptionGrid™ Core Components

DeceptionGrid Core Functionality – DeceptionGrid allows you to seamlessly automate the deployment of a comprehensive multi-tier deception environment. This environment includes:


» Endpoint lures – these appear as ordinary files, scripts, and databases and are embedded within real IT assets. They are designed to bait attackers exploring your internal endpoint systems and lure them into the traps.

» Medium interaction traps – these can emulate a large variety of IT assets and IoT devices without the need for software or applications, and are designed to immediately identify attackers progressing from endpoints and attempting to connect with network systems. Our medium interaction traps extend transparently, through our smart deception, to our high interaction traps for the deepest attacker engagement and diversion.

» High interaction traps – these are full operating systems and applications designed to mirror your critical assets and keep the attackers deeply engaged while you collect detailed forensics.

» Active traps feature – Deception in Depth takes the illusion a step further by maintaining a façade of convincing network traffic among the Traps.

Fully Automated Forensics – Real-time automation isolates attacker tools and malware and can forward them for advanced analysis. TrapX provides malware analysis services based on our ecosystem integration, and we also offer a cloud-based option. We combine the additional intelligence gained from our analysis with Trap activity and deliver a comprehensive assessment to the security operations center team. DeceptionGrid’s Network Intelligence Sensor feature analyzes outgoing communications and, combined with its analysis of Trap activity, builds a complete picture of compromised assets and attacker activity.

AIR Module – AIR Module, designed for rapid automated forensic analysis of suspect endpoints, is a core component of DeceptionGrid and a key part of our Deception in Depth architecture. Automated analysis is triggered by indications of compromise (IOCs) identified by DeceptionGrid and often points to compromised endpoints. The AIR Module performs a complete, fully automated forensic analysis of any suspect endpoints, then loads the forensics artifacts from the endpoints into the AIR Module. The module then runs smart intelligence correlation against the artifacts to complete and deliver the analysis.


Integrated Event Management and Threat Intelligence – Information from the automated forensic analysis is pulled into the management system, tagged with a unique ID, and then stored within the integrated event-management database. The business intelligence engine combines the information with threat intelligence data to prevent future attacks. The Network Intelligence Center monitors outbound activity on real hosts, based on information regarding malicious activity spotted within decoy systems.

CryptoTrap™ Module – CryptoTrap is another important core component of DeceptionGrid and a key part of our Deception in Depth architecture. CryptoTrap is designed specifically to deceive, contain, and mitigate ransomware early in the exploitation cycle, halting the attack while protecting valuable resources. Traps are created that appear to ransomware as valuable network shares. Customers can also provide their own decoy data, to make the information appear even more authentic. CryptoTrap reacts to ransomware attacks immediately, holding the ransomware captive to protect real systems while disconnecting the source of the attack.

DeceptionGrid Differentiation

» Faster, real-time detection of cyber attacker movement anywhere in local network and cloud environments.

» No more alert fatigue. TrapX alerts are more than 99% accurate and immediately actionable.

» Complete automated forensic analysis of captured malware and attacker tools.

» Automated deployment of thousands of DeceptionGrid traps with minimal resources.

» Provides everything needed for security operations centers to act rapidly in response to threats.

» Powerful emulation technology enables camouflaging traps as industry-specific devices, including medical devices, ATMs, point-of-sale terminals, Internet of things (IoT) devices, and much more.

» The Advanced Incident Response (AIR) Module delivers an automated memory analysis for any endpoint suspected of being compromised.

» Deception in Depth architecture integrates the benefits of Tokens, emulated Traps, FullOS Traps, and our Active Networks feature in one integrated multi-tier architecture, for more rapid detection, deep attacker engagement, and comprehensive threat containment.

» Comprehensive partner integrations create end-to-end workflows, from detection to remediation, and increase value from existing ecosystem investments.


DeceptionGrid Key Benefits

» Targets the new breed of cyber attackers. Deception technology identifies sophisticated attackers that other solutions do not detect and that may already be inside the network.

» Reduces or eliminates economic losses. Accurate and rapid detection reduces the risk of economic loss due to destruction of enterprise assets, theft of data, and overall impact to business operations.

» Reduces time to breach detection. Advanced, real-time forensics and analysis, coupled with high accuracy, empowers security operations to take immediate action to disrupt all attacks within the network perimeter.

» Comprehensive visibility and coverage. Deception in Depth provides comprehensive visibility into internal networks, revealing attacker activity and intentions, and terminating the attack.

» Improves compliance, to meet PCI and HIPAA data-breach laws, along with other regulatory requirements in various countries.

» Lowest cost of implementation. Deception in Depth provides the greatest breadth and depth of deception technology at the lowest cost.

» Compatible with existing investments. Deception technology can integrate with existing operations and defense-in-depth vendor solutions.


About TrapX Security

TrapX has created a new generation of deception technology that provides real-time breach detection and prevention. Our field-proven solution deceives would-be attackers with turn-key decoys (traps) that “imitate” your true assets. Hundreds or thousands of traps can be deployed with little effort, creating a virtual minefield for cyberattacks and alerting you immediately to any malicious activity with actionable intelligence. Our solutions enable our customers to rapidly isolate, fingerprint, and disable new zero-day attacks and APTs in real time. Uniquely, our automation, innovative protection for your core, and extreme accuracy enable us to provide complete and deep insight into malware and malicious activity unseen by other types of cyber defense. TrapX Security has many thousands of government and Global 2000 users around the world, servicing customers in defense, health care, finance, energy, consumer products, and other key industries.

TrapX Security, Inc.
1875 S. Grant St., Suite 570
San Mateo, CA 94402
+1–855–249–4453
www.trapx.com
[email protected]@[email protected]

TrapX, TrapX Security, DeceptionGrid and CryptoTrap are trademarks or registered trademarks of TrapX Security in the United States and other countries. Other trademarks used in this document are the property of their respective owners. © 2017 TrapX Security. All Rights Reserved.

Automation Delivers Enterprise Scale

DeceptionGrid was developed to overcome the limitations of conventional perimeter defenses, signature-based tools and intrusion-detection methods, and honeypots. Our multi-tier Deception in Depth architecture includes powerful automation for scalability and simplicity, which is essential to supporting large enterprises and government infrastructures without the high cost of configuring individual deception nodes manually.