Jaeson Schultz
Technical Leader
Insights On Emerging Threats
Who Am I?
• Jaeson Schultz – [email protected], @jaesonschultz (Twitter)
– Over 20 years specialising in thwarting abuse of security protocols like SMTP, HTTP/S, and DNS
– Former manager of the SpamCop DNSBL – an IP address-based blacklist which has been taking the fight to the spammers for over a decade
– Assisted in the design and development of the Cisco IronPort Anti-Spam content scanner, and I’ve also developed some of the architecture & content detection for Cisco’s Web Security Appliance, Cloud Web Security, and Next Generation Firewall products.
– Most recently, as Technical Leader for Talos, I perform Security Research, Author Blog/Whitepaper Publications, Speak at Conferences, and evangelise Cisco Security.
– Little Lebowski Urban Achiever
THREAT LANDSCAPE
Chart: CVE entries per year, 2011–2015. 2014: 7903 entries; 2015: 6453 entries, an 18% decrease in CVE entries from 2014 to 2015. The number of CVE entries in 2016 so far is 239.
1.5 Million
THREATS DON’T GO AWAY. HOW DO WE ADDRESS THEM?
Cloud to Core Coverage
• 16 BILLION web requests a day
• 500 BILLION email messages a day
• 18.5 BILLION AMP queries a day
MULTI-TIERED DEFENCE
Cloud to Core Coverage
• WEB: Reputation, URL Filtering, AVC
• END POINT: Software – ClamAV, Razorback, Moflow
• CLOUD: FireAMP & ClamAV detection content
• EMAIL: Reputation, AntiSpam, Outbreak Filters
• NETWORK: Snort Subscription Rule Set, VDB – FireSIGHT Updates & Content, SEU/SRU Product Detection & Prevention Content
• Global Threat Intelligence Updates
Talos is divided into 5 departments
Open Source
Public Facing Tools
• Threat detection and prevention: Snort, ClamAV, Razorback, & Daemonlogger
• Vulnerability detection and mitigation: Moflow, FreeSentry
Open Intelligence
Today’s Plan
• Rombertik
• Ransomware
• Windows 10
• Teslacrypt
• Cryptowall 4
• SSH Psychos
• IP Address Hijacking
• Reverse Engineering Tech Support Scammers
• Malvertising
• Rigging for Compromise – Rig Exploit Kit
• Angler Exposed
Rombertik
LEADING THREAT INTELLIGENCE
Rombertik
• Multiple layers of obfuscation
• Hooks into the user’s browser to read credentials & other sensitive info
• Propagates via spam and phishing
Code Paths
ACTION TAKEN:
• Identify malware
• Encourage best security practices
• AMP, CWS, ESA, Network Security, WSA
Ransomware
CRYPTOWALL 3.0
• Data is the new target
• Ransomware
• Becoming more popular
• Using more evasive techniques
Your Files are Protected by a “Free Windows 10 Upgrade”
Do you remember
Threat
• Talos discovered an email spam campaign
• Shortly after the Windows 10 release
Payload
• CTB-Locker is the ransomware payload
CTB Locker
• Unparalleled visibility
• Quick and effective detection and response
TeslaCrypt
ACTION TAKEN:
• Created TeslaCrypt Decryption Tool
• Open source command line utility
• Users can decrypt their files themselves
TeslaCrypt
Symmetric
• Files NOT asymmetrically encrypted with RSA 2048
• Actual encryption: AES CBC 256-bit
• Open Source: Decryption Tool
Knock off ransomware
Why would people pay??
Honor amongst Thieves?
TeslaCrypt Demo
- CryptoWall Version 4 -
The Evolution continues
CryptoWall Version 4
• Notorious ransomware
• Version 1 first seen in 2014
• Distributed via exploit kits and phishing emails
• Fast evolution
Detailed Instructions
Victim’s View – Full Localization
CryptoWall 4 checks local region settings with an undocumented API call.
The following regions are excluded from infection:
Russian - Kazakh - Ukrainian - Uzbek - Belarusian - Azeri - Armenian … other Eastern European countries
File Encryption
Diagram: a directory listing of the victim’s files
15/10/07 12:39 <DIR> .
15/10/07 12:39 <DIR> ..
15/10/07 12:36 78,971 1.jpg
15/10/07 12:39 154,330 2.jpg
15/10/07 12:36 123,240 3.jpg
…
1.jpg is encrypted with a temporary AES-256 key; that key is encrypted with the RSA public key. The resulting file (random.xyz) holds the encrypted AES-256 key, other data, and the encrypted contents of 1.jpg.
Temporary AES key can only be decrypted with the private RSA key
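The contrast between the TeslaCrypt and CryptoWall 4 slides, a recoverable symmetric key versus a per-file AES key wrapped with an RSA public key, is easiest to see in code. The Go program below is an added illustration written for this page; it is not code from Talos, from the TeslaCrypt decryption tool, or from either malware family. The wrappedFile layout, the use of RSA-OAEP for the key wrap, the fixed sample key, the sample file body and the 2048-bit test keys are all assumptions made here. It encrypts a constructed sample with AES-256-CBC and shows that decryption succeeds when the AES key itself is at hand (the situation the TeslaCrypt tool exploited), then wraps a fresh AES key with an RSA public key and shows that only the matching private key unwraps it.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// wrappedFile mirrors the CryptoWall 4 slide: file body under a per-file AES-256 key,
// that key under the RSA public key. The field layout is an assumption made here.
type wrappedFile struct {
	WrappedKey []byte // AES key encrypted with RSA-OAEP (padding mode assumed)
	IV         []byte // CBC initialisation vector
	Ciphertext []byte // AES-256-CBC ciphertext of the PKCS#7-padded body
}

// must keeps the demo short: these steps cannot fail on valid input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// aesCBCEncrypt is the symmetric layer both families use: AES-256 in CBC mode.
func aesCBCEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// aesCBCDecrypt reverses it; with the key in hand no RSA material is needed.
func aesCBCDecrypt(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key or unaligned ciphertext")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	n := int(out[len(out)-1]) // strip PKCS#7 padding
	if n == 0 || n > aes.BlockSize {
		return nil, fmt.Errorf("bad padding")
	}
	return out[:len(out)-n], nil
}

// wrapFile: fresh random AES key and IV per file, the key wrapped with RSA-OAEP.
func wrapFile(pub *rsa.PublicKey, plaintext []byte) (*wrappedFile, error) {
	key, iv := make([]byte, 32), make([]byte, aes.BlockSize)
	must(rand.Read(key))
	must(rand.Read(iv))
	ct := must(aesCBCEncrypt(key, iv, plaintext)) // 32-byte key: cannot fail
	wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &wrappedFile{WrappedKey: wk, IV: iv, Ciphertext: ct}, nil
}

// unwrapFile: only the matching RSA private key recovers the per-file AES key.
func unwrapFile(priv *rsa.PrivateKey, f *wrappedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, f.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return aesCBCDecrypt(key, f.IV, f.Ciphertext)
}

// RunScenarios contrasts the two cases on a constructed sample file body.
func RunScenarios() (teslaOK, cwWithKeyOK, cwWithoutKeyFails bool) {
	secret := []byte("constructed sample file contents")
	// TeslaCrypt case: the AES key is recoverable locally, so CBC reverses directly.
	key, iv := bytes.Repeat([]byte{0x42}, 32), bytes.Repeat([]byte{0x01}, aes.BlockSize)
	pt, err := aesCBCDecrypt(key, iv, must(aesCBCEncrypt(key, iv, secret)))
	teslaOK = err == nil && bytes.Equal(pt, secret)
	// CryptoWall 4 case: the AES key travels RSA-wrapped; the private key opens it.
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	f := must(wrapFile(&priv.PublicKey, secret))
	pt, err = unwrapFile(priv, f)
	cwWithKeyOK = err == nil && bytes.Equal(pt, secret)
	// Anyone holding a different private key gets an OAEP error, never the plaintext.
	other := must(rsa.GenerateKey(rand.Reader, 2048))
	_, err = unwrapFile(other, f)
	cwWithoutKeyFails = err != nil
	return
}

func main() {
	fmt.Println(RunScenarios())
}
```

The point for incident responders: when a family keeps or derives its symmetric key on the victim machine, the data can be recovered from the victim’s own artefacts, which is what made a decryption tool possible for TeslaCrypt. When the key is wrapped with a public key whose private half never leaves the operator, recovery reduces to obtaining that private key, so the RSA step in CryptoWall 4 matters far more than the AES step.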
Network Communication
Sequence between the CryptoWall malware and the Command and Control server:
1. Malware → C2: Initial announcement to C2
2. C2 → Malware: C2 Server ACK
3. Malware → C2: Request PubKey, TOR domains, PNG wallpaper
4. C2 → Malware: Send PubKey, TOR domains, PNG wallpaper
5. Malware: Verify PubKey and start encrypting files …
6. Malware → C2: Operation successful. Files encrypted. Done.
7. C2 → Malware: C2 Server ACK
Infection Process Details
• One encryption thread per logical volume
• Exclude CDROMs
• Exclude volumes with “HELP_YOUR_FILES.PNG”
• When done:
  • Write “HELP_YOUR_FILES.PNG” to volume root
  • Report success to C&C
Flowchart:
1. Binary downloaded and executed
2. Injected into explorer.exe
3. Makes itself persistent (registry run key)
4. Injecting in svchost (main malware logic)
5. Delete all shadow copies
6. Dropper checks if config file exists – yes: go to step 10; no: continue
7. Try downloading pubkey and files from C2 server
8. Got files from C2 server? – no: sleep 3 seconds and retry step 7; yes: continue
9. Pubkey valid (check hash)? – no: clean up and exit process; yes: create config file
10. Encrypt files and show message(s)
11. Clean up and Exit Process
SSHPSYCHOS
If it doesn’t work you’re just not using enough BRUTEFORCE
SSH Psychos Update
SSHPsychos
• Brute force SSH attacks until the password is guessed
• 300K unique passwords
• Login from different address space
• Drop DDoS rootkit on server
• Accounted for 1/3 of all SSH traffic ON THE INTERNET
Chart: SSH Brute Force Attempts
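A defender’s view of the SSHPsychos pattern, as an added example that is not part of the original talk and not a Talos tool: the Go program below scores OpenSSH auth-log lines for two of the signals the slide describes, a source issuing many password failures, and a successful login for an account under guessing that arrives from an address which never failed (the “login from different address space” behaviour). The log lines, IP addresses and usernames are constructed sample values, and the threshold of 5 failures is an assumption made here.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleAuthLog is constructed for this example, not data from the talk. Two sources
// hammer root with password guesses; a login for root then arrives from an address
// that never failed (the "different address space" pattern), while alice's key-based
// login from 198.51.100.5 is ordinary activity that must not be flagged.
const sampleAuthLog = `Oct 12 10:00:01 bastion sshd[2001]: Failed password for root from 203.0.113.10 port 50122 ssh2
Oct 12 10:00:02 bastion sshd[2002]: Failed password for root from 203.0.113.10 port 50123 ssh2
Oct 12 10:00:02 bastion sshd[2003]: Failed password for invalid user admin from 203.0.113.11 port 41000 ssh2
Oct 12 10:00:03 bastion sshd[2004]: Failed password for root from 203.0.113.10 port 50124 ssh2
Oct 12 10:00:03 bastion sshd[2005]: Failed password for root from 203.0.113.11 port 41001 ssh2
Oct 12 10:00:04 bastion sshd[2006]: Failed password for root from 203.0.113.10 port 50125 ssh2
Oct 12 10:00:05 bastion sshd[2007]: Accepted publickey for alice from 198.51.100.5 port 60000 ssh2
Oct 12 10:00:05 bastion sshd[2008]: Failed password for root from 203.0.113.10 port 50126 ssh2
Oct 12 10:00:06 bastion sshd[2009]: Failed password for root from 203.0.113.11 port 41002 ssh2
Oct 12 10:00:06 bastion sshd[2010]: Failed password for root from 203.0.113.10 port 50127 ssh2
Oct 12 10:00:07 bastion sshd[2011]: Failed password for root from 203.0.113.11 port 41003 ssh2
Oct 12 10:00:09 bastion sshd[2012]: Accepted password for root from 198.51.100.77 port 33000 ssh2`

// authEvent is one login outcome extracted from sshd's log lines.
type authEvent struct {
	user, src string
	accepted  bool
}

var authRE = regexp.MustCompile(`sshd\[\d+\]: (Accepted|Failed) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+`)

// parseAuthLog keeps only the lines that record a login outcome.
func parseAuthLog(text string) []authEvent {
	var out []authEvent
	for _, line := range strings.Split(text, "\n") {
		if m := authRE.FindStringSubmatch(line); m != nil {
			out = append(out, authEvent{user: m[2], src: m[3], accepted: m[1] == "Accepted"})
		}
	}
	return out
}

// Finding is one alert. Kind is "bruteforce-source" (Subject: the source IP) or
// "success-from-unseen-source" (Subject: user@ip); Count is the failure count behind it.
type Finding struct {
	Kind, Subject string
	Count         int
}

// Analyze flags every source with at least threshold failures, and every accepted
// login for an account under guessing (threshold failures across all sources) when
// the login comes from a source that never failed, which is how a campaign that
// guesses from one address space and logs in from another shows up in the log.
func Analyze(events []authEvent, threshold int) []Finding {
	failsBySrc, failsByUser := map[string]int{}, map[string]int{}
	for _, e := range events {
		if !e.accepted {
			failsBySrc[e.src]++
			failsByUser[e.user]++
		}
	}
	var findings []Finding
	for src, n := range failsBySrc {
		if n >= threshold {
			findings = append(findings, Finding{"bruteforce-source", src, n})
		}
	}
	for _, e := range events {
		if e.accepted && failsByUser[e.user] >= threshold && failsBySrc[e.src] == 0 {
			findings = append(findings, Finding{"success-from-unseen-source", e.user + "@" + e.src, failsByUser[e.user]})
		}
	}
	sort.Slice(findings, func(i, j int) bool { // deterministic output order
		if findings[i].Kind != findings[j].Kind {
			return findings[i].Kind < findings[j].Kind
		}
		return findings[i].Subject < findings[j].Subject
	})
	return findings
}

func main() {
	for _, f := range Analyze(parseAuthLog(sampleAuthLog), 5) {
		fmt.Printf("%-28s %-22s failures=%d\n", f.Kind, f.Subject, f.Count)
	}
}
```

On the sample, 203.0.113.10 is reported as a brute-force source with 6 failures while 203.0.113.11 stays under the threshold, and the root login from 198.51.100.77 is reported because root had accumulated 9 failures from other sources. In production the per-source count is what a rate limiter or blocklist acts on; the second signal is the one worth an analyst’s attention, since the address that finally logs in is exactly the one a per-source block would never have seen.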
SSH Psychos Update
SSHPsychos
VICTORY
• Engaged Level 3 and another major ISP
• Sudden Pivot
• Null Routed
• Call to Action
• Effectively limited
• Downloads blocked by standard technology
IP Address Hijacking
And the problem continues …
BGP Stream (@bgpstream)
Reverse Social Engineering Tech Support Scammers
Tech Support
• Fraudulent actors masquerading as “legitimate” tech support have been on the rise for the past 8 years
• Talos has been monitoring the creation of fake tech support sites to better understand how they operate.
The Setup
“Trojan Virus”
You can listen to and watch the entire interaction here: https://youtu.be/toKLOYxVkJM
Tracking the Scammers
• After the call, Talos began investigating who was behind this tech support scam
• Our investigation led us to two individuals
Taking Action
• Talos reached out to the parent company of the VoIP operator to get the number shut down.
• Talos contacted TeamViewer, alerting them to the abuse and reporting the ID used by these scammers.
• Finally, Talos submitted a complaint to the United States Federal Trade Commission (FTC)
Online Advertising
ONLINE ADVERTISING
A big, fat opportunity
• Ad Injection: rewrite web pages with extra ads
• PUAs: adware downloads
• Clickfraud: hidden frames, with random clicking that generates hits
• Malvertising: a favorite of kits such as Angler; use the ad platform to direct browsers to a compromised server
A major news site
26 Domains
39 Hosts
171 Objects
557 Connections
Rigging Compromise – RIG EK
Rig EK - Overview
Patching: A Window of Opportunity
Users not moving quickly to the latest Flash versions or updating the patches creates an opportunity for Angler and other exploits to target the vulnerability.
Rig EK - Findings
Rig EK - Response
Angler Exposed
Overview
• Deep Data Analytics July 2015
• Telemetry from compromised users
• ~1000 Sandbox Runs
• July 2015
• Angler underwent several URL changes
• Multiple “Hacking Team” 0-days added
• Ended with tons of data
Detection Challenges
• Hashes
  • Found 3,000+ unique hashes
  • 6% in VT
  • Most detection <10
• Encrypted Payloads
  • Using Diffie-Hellman encryption for the IE exploit
  • Unique to each user
• Domain Behaviour
  • DDNS
  • Adversary-owned domains
  • Hard-coded IP
  • Domain Shadowing
Exploit Details
• “Hacking Team” Adobe Flash 0-days: CVE-2015-5119, CVE-2015-5122
• IE 10 and 11 JScript9 Memory Corruption Vulnerability: CVE-2015-2419
• IE OLE Vulnerability: CVE-2014-6332
• No JAVA!
Diagram: exploit targets – Adobe Flash, IE (CVE-2014-6332), Silverlight
Findings
• IP Infrastructure
  • Only 10-15 unique IPs hosting Angler daily
• Hosting Information
  • Found 60%+ of Angler activity for the month at two providers
  • Limestone Networks
  • Hetzner
• HTTP Referers
  • Found thousands of different Referer headers
  • Malvertising
  • Lots of top websites seen directing to Angler
  • News sites, real estate, sports, popular culture
  • Redirection from obituaries
Angler Demo
Breakthrough
• Partnered with Limestone Networks
  • Gathered images of systems
  • Network captures
• Level-3
  • Continued collaboration after SSHPsychos
  • Netflow data key to investigation
• Undiscovered findings directly related to the data
  • Proxy server configuration
  • Health monitoring
A Look Inside Angler
Server Details
• NGINX Server
  • Proxies all traffic to a single back-end exploit server
• Health Server Monitoring Activity
  • GET request resulting in HTTP 204
  • Ability to pull access logs
  • Ability to remotely delete access logs
• Netflow identified ~150 Angler servers being monitored
• Scope
  • Access log
  • 90K unique IPs in 13 hours
  • Massive malvertising campaign – major websites affected
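The investigative pivot the slides describe, from one health-monitoring host to the ~150 servers it was polling, as an added example that is not taken from the talk or from Talos tooling. The Go program below works over constructed NetFlow-style records (the addresses, port, 60-second cadence, jitter and the thresholds are assumptions made here) and reports each source that contacts a destination on a steady interval, which is what separates a monitor’s fixed-cadence probes from ordinary browsing. The same check applies to a front end’s own access log once the GET-then-204 health-check lines are reduced to timestamps.

```go
package main

import (
	"fmt"
	"sort"
)

// flow is a minimal NetFlow-like record; the field set is an assumption for this example.
type flow struct {
	ts       int64 // unix seconds
	src, dst string
	dport    int
	bytes    int
}

// sampleFlows is constructed data, not data from the talk: a monitor at 192.0.2.9
// polls three front-end servers every 60 s (with a second or so of jitter), while a
// browsing client at 198.51.100.20 talks to one of them at irregular times.
func sampleFlows() []flow {
	const base = int64(1700000000)
	targets := []string{"203.0.113.30", "203.0.113.31", "203.0.113.32"}
	var fl []flow
	for i := int64(0); i < 10; i++ {
		for _, t := range targets {
			fl = append(fl, flow{base + i*60 + (i % 3) - 1, "192.0.2.9", t, 80, 120})
		}
	}
	for _, off := range []int64{5, 17, 200, 203, 900} {
		fl = append(fl, flow{base + off, "198.51.100.20", "203.0.113.30", 80, 8000})
	}
	return fl
}

// pollingPairs returns, per source, the destinations it contacts on a steady cadence:
// at least minFlows flows whose inter-arrival times all lie within maxJitter seconds
// of the median interval. Browsing traffic fails the regularity test.
func pollingPairs(flows []flow, minFlows int, maxJitter int64) map[string][]string {
	byPair := map[[2]string][]int64{}
	for _, f := range flows {
		k := [2]string{f.src, f.dst}
		byPair[k] = append(byPair[k], f.ts)
	}
	out := map[string][]string{}
	for k, ts := range byPair {
		if len(ts) < minFlows || len(ts) < 2 {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i] < ts[j] })
		ivs := make([]int64, len(ts)-1)
		for i := 1; i < len(ts); i++ {
			ivs[i-1] = ts[i] - ts[i-1]
		}
		sorted := append([]int64(nil), ivs...)
		sort.Slice(sorted, func(i, j int) bool { return sorted[i] < sorted[j] })
		median := sorted[len(sorted)/2]
		regular := true
		for _, iv := range ivs {
			if iv-median > maxJitter || median-iv > maxJitter {
				regular = false
				break
			}
		}
		if regular {
			out[k[0]] = append(out[k[0]], k[1])
		}
	}
	for _, dsts := range out {
		sort.Strings(dsts) // deterministic listing per monitor
	}
	return out
}

func main() {
	for monitor, servers := range pollingPairs(sampleFlows(), 5, 5) {
		fmt.Printf("%s polls %d hosts on a steady cadence: %v\n", monitor, len(servers), servers)
	}
}
```

Run on the sample, the only source that survives the regularity test is 192.0.2.9, with all three front ends listed; the browsing client has enough flows but its intervals scatter far from the median. For a hosting provider in a Project Aspis-style engagement, the destination list is the enumeration step: one confirmed monitor yields the set of servers it watches, which can then be checked against customer records and abuse reports.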
Proxy & Health Config
Show Me The Money
The Money
Response
• Drove out of Limestone, resulting in significantly lower activity
• Published Community Rules for Front-End & Back-End Communication
• Blacklisted all servers
• Blacklisted all domains
• Working with providers resulted in huge returns
• Exposed the largest Angler actor active on the Internet today
Activity
INTELLIGENCE COMMUNITIES
Talos works to promote collaborative and thorough understanding of network security threats through a number of community programs.
Project Aspis – collaboration between Talos and host providers
• Talos provides expertise and resources to identify major threat actors
• Providers potentially save significant costs in fraudulent charges
• Talos gains real world insight into threats on a global scale, helping us improve detection and prevention, making the internet safer for everyone
CRETE – collaboration between Talos and participating customers
• Talos provides a FirePower NGIPS sensor to deploy inside the customer network
• Talos gathers data about real world network threats and security issues
• Customers receive leading-edge intel to protect their network
AEGIS – information exchange between Talos and participating members of the security industry
• Open to partners, customers, and members of the security industry
• Collaborative nexus of intelligence sharing in order to provide better detection and insight into worldwide threats
talosintel.com
@talossecurity
@jaesonschultz