A Talos Look into the Evolving Threat Landscape
Earl Carter, Senior Threat Researcher
Today's Plan
• Threat Landscape
• Attack Techniques
• An Unexpected Attack Vector
• Self-Propagation (Worms)
• Attacking Trust
• Talos Threat Intelligence
THREAT LANDSCAPE - VULNERABILITIES
[Chart: Low Hanging Fruit on Decline. Share of vulnerabilities that are network accessible, low complexity, no authorization and high severity, plotted for 2005 to 2017 (y-axis 0 to 60%); data label 25%; annotation: 60% Reduction]
Common Attack Vectors
Users, Unpatched Vulnerabilities, IoT
Data is the New Target
An Attack Vector In Plain Sight
Covert Channels and Poor Decisions: The Tale of DNSMessenger
Multi Stage
• PowerShell to Gain Persistence
• PowerShell to Launch C&C
Stage 1, Stage 2, Stage 3, Stage 4
Stage 4 – DNS Messages: Message Query, SYN Query
Spoofed SEC Emails Distribute Evolved DNSMessenger
Spoofed SEC Emails
• Targeted spear phishing campaign.
• Spoofed from SEC EDGAR system and contained malicious attachment.
DNSMessenger – Stage 4
• Functions as a Remote Access Trojan (RAT) that is implemented using PowerShell.
• Uses DNS for command retrieval from C2.
  – Sample domain: EFA29DD310.stage.0.ns0.pw
• POSTs data to attackers server via HTTP.
• Can be used to execute a variety of commands on infected systems.
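A defender's detection sketch for the Stage 4 behaviour above (added example, not from the deck): flag a host that repeatedly queries names whose leftmost label is a long hex string under the stage.N pattern of the sample domain. The log format, the client IPs and every query name except the deck's sample domain are constructed; treating the beacons as TXT queries is an assumption the deck does not state.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log, one line per query:
# "<timestamp> <client_ip> <query_name> <qtype>"
SAMPLE_LOG = """\
2017-10-11T09:00:01 10.0.0.5 www.example.com A
2017-10-11T09:00:03 10.0.0.5 EFA29DD310.stage.0.ns0.pw TXT
2017-10-11T09:00:05 10.0.0.5 1A2B3C4D5E.stage.1.ns0.pw TXT
2017-10-11T09:00:07 10.0.0.5 9F8E7D6C5B.stage.2.ns0.pw TXT
2017-10-11T09:00:09 10.0.0.7 mail.example.com MX
2017-10-11T09:00:11 10.0.0.5 0011223344.stage.3.ns0.pw TXT
"""

# Leftmost label that is 8 or more hex characters (DNSMessenger-style identifier)
HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")


def parse_line(line):
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype.upper()}


def registered_domain(qname):
    # Assumption: last two labels; production code should use the public suffix list
    return ".".join(qname.rstrip(".").split(".")[-2:])


def is_suspicious_query(rec):
    """TXT query with a long hex identifier label and at least 4 labels in total."""
    labels = rec["qname"].split(".")
    return rec["qtype"] == "TXT" and len(labels) >= 4 and HEX_LABEL.match(labels[0]) is not None


def detect(log_text, threshold=3):
    """Return {(client, registered_domain): count} for pairs that reach the threshold.

    Counting per client and registered domain, rather than per query name, is what
    catches the rotating hex identifiers: each beacon is a brand-new name.
    """
    counts = defaultdict(int)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if is_suspicious_query(rec):
            counts[(rec["client"], registered_domain(rec["qname"]))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}
```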
2017 – Attack of the Worms
Remember
1988 Morris Worm(Sendmail, finger, rsh)
2008 Conficker Worm (RPC, NetBIOS)
2001 Code Red Worm (IIS)
2003 Blaster Worm (RPC)
And Then (May 2017) - WannaCry (SMB)
WannaCry Propagation
Next Evolution (June 2017) - Nyetya
Nyetya Propagation:
• ETERNALBLUE
• Scans IP subnet, 139 TCP
• Perfc.dat
• PSEXEC
• WMI
• ETERNALROMANCE
October 2017 – Bad Rabbit
Propagation:
• NTLMSSP brute forcing
• Scans IP subnet, 139 TCP
• infpub.dat
• SMB/SMB2/SVCCTL
• WMI
• ETERNALROMANCE
February 2018 – Olympic Destroyer
Olympic Destroyer Propagation
Eternal Romance Artifacts – No execution
Olympic Destroyer Workflow
Supply Chain Attacks: Exploiting Trust Relationships
Supply Chain Backdoor
[Diagram: Source Code </> with a Hidden Backdoor integrated; Distributed; Installed or updated on the Victim; Communicates with CnC; Installs the Final Payload]
Nyetya "Ransomware" Attack
M.e.Doc Connection
Restoring Connections
The Backdoor
• Contacts upd.me-doc.com.ua every 2 mins
• If it finds a proxy:
  – Retrieve email data from local M.e.Doc
  – Wait for & execute commands
These commands were almost certainly used to distribute Nyetya.
CCleanup: A Vast Number of Machines at Risk
CCleaner Command and Control Causes Concern
Digital Signature of CCleaner 5.33
• Presence of a valid digital signature may be indicative of a larger issue that resulted in portions of the development or signing process being compromised
• This certificate should be revoked and untrusted moving forward
Compilation Artifact
• Likely an attacker compromised a portion of the development or build environment
• Leveraged access to insert malware into the CCleaner build that was released and hosted by the organization
Data Collected on Infected Systems: Installed Programs, Process List
Targeted to Tech Companies: 2nd Stage only delivered to 23 specific domains
Database Tracked 2nd Stage Delivery
No Cisco Devices Delivered 2nd Stage
250+ Full Time Threat Intel Researchers
MILLIONS Of Telemetry Agents
4 Global Data Centers
1100+ Threat Traps
100+ Threat Intelligence Partners
THREAT INTEL
1.5 MILLION Daily Malware Samples
600 BILLION Daily Email Messages
16 BILLION Daily Web Requests
Honeypots
Open Source Communities
Vulnerability Discovery (Internal)
Product Telemetry
Internet-Wide Scanning
20 BILLION Threats Blocked
INTEL SHARING
TALOS INTEL BREAKDOWN
Customer Data Sharing Programs
Service Provider Coordination Program
Open Source Intel Sharing
3rd Party Programs (MAPP)
Industry Sharing Partnerships (ISACs)
500+ Participants
MULTI-TIERED DEFENSE
Cloud to Core Coverage
• WEB: Reputation, URL Filtering, AVC
• END POINT: Software – ClamAV, Razorback, Moflow
• CLOUD: FireAMP & ClamAV detection content
• EMAIL: Reputation, AntiSpam, Outbreak Filters
• NETWORK: Snort Subscription Rule Set, VDB – FireSIGHT Updates & Content, SEU/SRU Product Detection & Prevention Content
• Global Threat Intelligence Updates
talosintelligence.com
@talossecurity
@kungchiu