Page 1

Monthly Cyber Threat Briefing, September 2015
855.HITRUST (855.448.7878) www.HITRUSTAlliance.net
© 2015 HITRUST Alliance. All Rights Reserved.

Page 2

Presenters/Agenda

•  Majed Oweis: Team Lead, US-CERT
•  Thomas Skybakmoen: Research Vice President, NSS Labs, Inc.
•  Tawfiq Shah: Senior Threat Intelligence Analyst, Armor
•  Aaron Shelmire: Senior Security Researcher, Threatstream
•  Dennis Palmer: Senior Security Analyst, HITRUST
•  Q&A Session

Page 3

NCCIC/US-CERT REPORT

Page 4

Joint Analysis Report (JAR)-15-20098: A Look at the PlugX Malware

•  Remote Access Trojan (RAT) used by APT actors to infiltrate the U.S. Government and various industries and sectors.
•  The JAR describes changes to the RAT observed over the past year and provides a comprehensive list of indicators of compromise (IOCs).
•  Variants of PlugX were used to exfiltrate large quantities of PII.
•  Gains significant control of infected hosts, including:
   –  Remote access
   –  Full control of system services
   –  Keystroke logging

Page 5

Observations Over the Past Year

•  No significant changes to the underlying PlugX framework.
•  Focus of refinement:
   –  Feature enhancements; for example, P2P PlugX permits communication with 16 C2 servers and allows P2P communication between infected hosts.
   –  Producing more packed variants that use the legacy unpacking process.
   –  Using executables signed by well-known vendors to avoid host-based IDS and AV.

Page 6

JAR-15-20098 is on the US-CERT Portal at:
•  PDF: https://portal.us-cert.gov/member/libraryV3/main.cfm?action=9&returnAction=17&cf=2&st=20098&libid=565702
•  STIX (IOCs): https://portal.us-cert.gov/member/libraryV3/main.cfm?action=9&returnAction=17&cf=2&st=20098&libid=565065

Page 7

Questions? Comments? Contact US-CERT at:
•  Email: [email protected]
•  Phone: 1-888-282-0870
•  Website: www.us-cert.gov

Contact CISCP at: [email protected]

Page 8

NSS LABS REPORT

Page 9

Threat Capabilities Report

•  NSS observed an increase in command and control activity in the Asia-Pacific region in August compared to July.
•  Exploits and attack campaigns primarily targeted Adobe and Internet Explorer.
•  Java and Silverlight attacks continued to decline in August.
•  The majority of attacks continued to focus on popular enterprise operating systems such as Windows 7 SP1 (80%) and Windows XP SP3 (9%).

Page 10

Top Targeted Applications and Operating Systems

Application/OS combinations (OS columns: Windows 7 SP1, Windows Vista SP1, Windows XP SP3):
•  Adobe Flash Player 10.0.32.18: all three OS versions
•  Adobe Flash Player 10.2.152.26: all three OS versions
•  Adobe Flash Player 11.1.102.62: all three OS versions
•  Adobe Flash Player 11.4: one OS version
•  Adobe Flash Player 17.0.0.188: one OS version
•  Adobe Flash Player 9.0.289: all three OS versions
•  Adobe Reader 8.1.1: all three OS versions
•  Internet Explorer 7: two OS versions
•  Internet Explorer 8: one OS version
•  Internet Explorer 9: all three OS versions

Page 11

Top Origin of Threats (data from August 2015 - NSS Labs)

•  United States, 51.1%
•  Russia, 39.5%
•  Ukraine, 2.6%
•  China, 2.1%
•  Romania, 2.1%
•  Korea, 0.7%
•  Italy, 0.6%
•  Hong Kong, 0.5%
•  Iceland, 0.5%
•  Netherlands, 0.5%

Action: While it is not feasible to block access to popular domains in the United States, blocking access to Russia and certain other countries may be.

Page 12

Top Command and Control Hosting by Geo (data from August 2015 - NSS Labs)

Rank / Country:
1. United States
2. China
3. Japan
4. Germany
5. South Korea
6. United Kingdom
7. Netherlands
8. France
9. Brazil
10. Portugal

Page 13

C&C Server Locations & Callback Ports

10 commonly used command and control (C&C) server locations in combination with 10 commonly used callback ports (data from August 2015 - NSS Labs).

Callback ports: 80, 443, 6666, 8008, 8080, 82, 8800, 3599, 118, 40017

Number of these ten ports observed per country:
•  Brazil: 2
•  China: 6
•  France: 3
•  Germany: 3
•  Japan: 3
•  Netherlands: 2
•  Portugal: 1
•  South Korea: 3
•  United Kingdom: 3
•  United States: 7

Action: Track C&C port behavior to limit data breaches.
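As an added example (not from the briefing or NSS Labs), the check below reads a constructed flow export and flags egress connections on the rarer callback ports from the table above, then aggregates hits per port so the team can track port behavior over time; the CSV layout, the internal ranges and the sample addresses are assumptions.

```python
import csv
import io
import ipaddress
from collections import Counter

# The ten callback ports from the NSS Labs C&C table on this slide.
CALLBACK_PORTS = {80, 443, 6666, 8008, 8080, 82, 8800, 3599, 118, 40017}
# 80/443/8080 carry ordinary web traffic, so a hit on them alone is weak
# evidence; the remaining seven are rarely legitimate enterprise egress ports.
COMMON_WEB_PORTS = {80, 443, 8080}
RARE_CALLBACK_PORTS = CALLBACK_PORTS - COMMON_WEB_PORTS

# RFC 1918 ranges (assumed internal): flows that stay inside them are ignored.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow export (not real traffic). Column layout is an
# assumption: src,dst,dport,bytes_out. Destinations use TEST-NET addresses.
SAMPLE_FLOWS = """src,dst,dport,bytes_out
10.1.2.15,203.0.113.10,443,5120
10.1.2.15,203.0.113.10,443,4800
10.1.2.20,198.51.100.7,6666,1200
10.1.2.20,198.51.100.7,6666,1150
10.1.2.20,198.51.100.7,6666,1300
10.1.2.31,192.0.2.44,40017,65000
10.1.2.31,10.1.2.5,3599,300
10.1.2.40,203.0.113.99,8800,900
"""


def is_egress(dst):
    """True when the destination lies outside the internal ranges."""
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspect_flows(csv_text):
    """Return {(src, dst, dport): flow_count} for egress flows on rare callback ports.

    A count above 1 to the same (dst, dport) pair is the repeated-connection
    pattern a beaconing implant produces."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        dport = int(row["dport"])
        if dport in RARE_CALLBACK_PORTS and is_egress(row["dst"]):
            hits[(row["src"], row["dst"], dport)] += 1
    return dict(hits)


def ports_by_hits(suspects):
    """Aggregate suspect flows per destination port, most active port first,
    so month-over-month shifts in callback-port usage are visible."""
    per_port = Counter()
    for (_src, _dst, dport), count in suspects.items():
        per_port[dport] += count
    return per_port.most_common()


if __name__ == "__main__":
    suspects = find_suspect_flows(SAMPLE_FLOWS)
    for (src, dst, dport), count in sorted(suspects.items()):
        print(f"{src} -> {dst}:{dport}  flows={count}")
    print("ports by hits:", ports_by_hits(suspects))
```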

Page 14

CAWS: All Threats (data from August 2015 - NSS Labs)

Page 15

CAWS: Top 3 Vendors (data from August 2015 - NSS Labs)

Page 16

CAWS: Top 5 Applications (data from August 2015 - NSS Labs)

Page 17

CAWS: Top 10 Applications (Detailed) (data from August 2015 - NSS Labs)

Page 18

ARMOR REPORT

Page 19

Top Vulnerability Exploits in August and September

ACTION:
•  Keep a proactive stance on known vulnerability trends.
•  Remediating vulnerabilities removes you from the threat actor's target list.

Page 20

Top Attacker Groups for the Last 30 Days (NAME / HITS)

•  DD4BC: 180
•  Anonymous: 159
•  GhostSec: 46
•  The Impact Team: 22
•  Lizard Squad: 15
•  Xumuxu: 8
•  Cyber-Berkut: 7
•  Islamic State Hacking Division: 6
•  APT28 Pawn Storm - Tsar Team: 5
•  LulzSec: 4

ACTION: Focus threat intelligence on identifying top threat actors and their associated TTPs.

Some of the attack techniques employed

New threat actor identified

Page 21

Top Malicious C2s Seen in the Last 30 Days (NAME / HITS)


ACTION: Establish honey pots to help fingerprint malicious C2s and proactively block them from your environment.

Page 22

Tor-Based Attacks on the Rise

Research in the wild shows a steady increase in SQL injection and distributed denial-of-service attacks, as well as vulnerability reconnaissance activity, via the Tor anonymizing service.

Tor, which gives users the ability to mask their identity and location via layers of anonymity, was the platform for some 150,000 attacks and malicious events throughout the US alone so far this year. Most attacks using Tor were waged against IT and communications technology companies, which were hit by more than 300,000 events so far this year, followed by the manufacturing sector, with nearly 250,000 malicious events. Financial services firms (around 160,000), the education sector (more than 100,000), and retail and healthcare providers (under 100,000) were also the victims of malicious Tor-based activity. Read more: http://www.darkreading.com/perimeter/ibm-advises-businesses-to-block-tor/d/d-id/1321910

ACTION: Establish and maintain alerts with threat intelligence providers/subscriptions to block Tor exit nodes. For an example of Tor exit nodes: https://www.dan.me.uk/torlist/

Page 23

Incident: unpt Taidoor Related APT

unpt Taidoor associated indicators:

MD5: ECA0EF705D148FF105DBAF40CE9D1D5E

This is most likely a maliciously implanted DLL, which current antivirus products cannot detect. This executable DLL contains the hex content "31 32 37 2E 30 2E 30 2E 31 00 00 00 00 00 00 00 01 00 00 00 26 26 00 00 3C 00 00 00 2F 00 00 00 4D 6F 7A 69 6C 6C 61 2F 34 2E 30".

This malware has previously been observed exclusively in Taidoor-related malware (MD5: AE80F056B8C38873AB1251C454ED1FE9), which was documented in Taiwan. Related targeting was found in the CNFI CONTACTS Excel exploit. Taidoor connects to the C2 domain unpt.defultname.com with the URL http://unpt.defultname.com:443/

This domain is hosted on a server in Brazil.

ACTION: Ensure network security sensors have the appropriate signatures to detect Taidoor indicators.

ACTION: When creating NIDS signatures, have your threat intelligence team keep an eye out for malware variants.
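The hex content quoted on this slide decodes to the strings "127.0.0.1" and "Mozilla/4.0" separated by small integer fields. As an added example (not from the briefing or Armor), the code below decodes that sequence, extracts its printable strings, scans a buffer for the exact byte pattern, and renders it as a YARA hex string for a sensor rule; the sample file buffer is constructed.

```python
import re

# Byte sequence quoted in the briefing for the unpt/Taidoor DLL (spacing as on the slide).
TAIDOOR_HEX = (
    "31 32 37 2E 30 2E 30 2E 31 00 00 00 00 00 00 00 01 00 00 00 26 26 00 00 "
    "3C 00 00 00 2F 00 00 00 4D 6F 7A 69 6C 6C 61 2F 34 2E 30"
)
TAIDOOR_PATTERN = bytes.fromhex(TAIDOOR_HEX)  # fromhex() skips the whitespace

# Constructed stand-in for a file under analysis (not a real sample): a fake
# 'MZ' header, 30 bytes of padding, the pattern at offset 32, then filler.
SAMPLE_FILE = b"MZ" + b"\x00" * 30 + TAIDOOR_PATTERN + b"\x90" * 8


def printable_strings(data, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, like the strings tool."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def scan_for_pattern(buf, pattern=TAIDOOR_PATTERN):
    """Byte offsets of every exact occurrence of pattern in buf."""
    offsets, start = [], 0
    while True:
        idx = buf.find(pattern, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def yara_hex_string(pattern):
    """Render the pattern in YARA hex-string syntax, e.g. { 31 32 37 ... }."""
    return "{ " + " ".join(f"{b:02X}" for b in pattern) + " }"


if __name__ == "__main__":
    print("embedded strings:", printable_strings(TAIDOOR_PATTERN))
    print("pattern offsets in sample:", scan_for_pattern(SAMPLE_FILE))
    print("yara hex string:", yara_hex_string(TAIDOOR_PATTERN))
```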

Page 24

BRUTPOS POINT-OF-SALE MALWARE TARGETS MAJOR HEALTHCARE PROVIDER, AUTOMOBILE MANUFACTURER, AND POS VENDOR IN THE UNITED STATES

Incident: BrutPOS Point-of-Sale Malware

This incident details indicators associated with a Point-of-Sale (POS) malware campaign targeting large POS vendors as well as the healthcare, manufacturing, and hospitality sectors within the USA. BrutPOS exploits a vulnerability within the remote desktop protocol over port 3389 to gain access to the target system, and then utilizes brute-force password-cracking techniques against the victim's POS terminal in order to access and harvest customer information.

In some instances, the Ramnit worm has been observed as the initial infection vector, which then downloads the BrutPOS executable.

Command and control addresses for the malware include the following, which are not currently active but may be useful for analysis of historical data or potential future activity:

62.109.16.195 62.113.208.37 92.63.99.157 82.146.34.22

Some malware samples were observed utilizing the same IP address for downloading executable files as well as uploading harvested information, but this is not always the case.

The following MD5 file hashes are associated with the malware:

60C16D8596063F6EE0EAE579F201AE04 95B13CD79621931288BD8A8614C8483F F36889F30B62A7524BAFC766ED78B329 4AED6A5897E9030F09F13F3C51668E92 FADDBF92AB35E7C3194AF4E7A689897C

For additional technical details, please view the report at https://dsimg.ubm-us.net/envelope/364363/391603/MATI%20DeepSight%20Intelligence%20Report%20-%20SYMC%20-%20300195.pdf

Page 25

62.109.16.195

ACTION: Leverage relationship mapping tools to fingerprint a threat actor's footsteps.

Page 26

Social Media Hacks

ACTION: Verify your professional network contacts.

Page 27

THREATSTREAM REPORT

Page 28

Pirpi Threat Actors

•  Tools
   –  PirpiLite -> Pirpi
   –  CTT/CTX
   –  Orthrus
   –  Pirpi Xmailer
   –  Pirpi Exploit Framework -> Scanbox
   –  MANY custom tools
•  TTPs
   –  Phishes
•  Monthly Pattern
   –  Heavy use of 0-days
•  Summary
   –  CVE-2014-1776
   –  CVE-2015-3113
   –  CVE-2015-5119
   –  a/k/a APT3, Gothic Panda, TG-0110

Page 29

Pirpi Infiltration of Tools

•  GUI connection via Pirpi
•  Copy Base64 text into Notepad
•  Save as .eml
•  Double click – opens mail client
•  Save tools – run via cmd.exe

Page 30

Infiltration of Tools – l2t

Page 31

Infiltration of Tools – l2t

•  UserAssist: Notepad + Mail Client – semi-rare
•  History for .eml file – extremely rare
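The two slides above describe the artifact cluster that the Pirpi tool-staging sequence leaves behind in a timeline: a Notepad execution, an .eml file in file history and a mail-client execution close together. As an added example (not the presenter's tooling or real log2timeline output), the code below scans a constructed timeline for that cluster on each host; the column layout, the 30-minute window and the mail-client binary names are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mail client binaries (Outlook, Windows Live Mail, Thunderbird);
# extend to whatever clients exist in your environment.
MAIL_CLIENTS = {"outlook.exe", "wlmail.exe", "thunderbird.exe"}
REQUIRED = {"notepad", "mail", "eml"}
WINDOW = timedelta(minutes=30)  # assumed clustering window

# Constructed sample timeline (not real l2t output). Column layout is an
# assumption: timestamp,host,source,artifact. WS-17 shows the full
# Notepad -> .eml -> mail client sequence; WS-22 and WS-31 show only pieces.
SAMPLE_TIMELINE = """timestamp,host,source,artifact
2015-08-03 09:02:10,WS-17,UserAssist,C:\\Windows\\System32\\notepad.exe
2015-08-03 09:04:41,WS-17,FileHistory,C:\\Users\\jdoe\\Desktop\\update.eml
2015-08-03 09:05:02,WS-17,UserAssist,C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE
2015-08-03 09:06:30,WS-17,Prefetch,CMD.EXE-4A81B364.pf
2015-08-03 11:15:00,WS-22,UserAssist,C:\\Windows\\System32\\notepad.exe
2015-08-03 16:40:00,WS-22,UserAssist,C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE
2015-08-04 08:00:00,WS-31,FileHistory,C:\\Users\\asmith\\Downloads\\invoice.eml
"""


def classify(source, artifact):
    """Map a timeline row onto one of the three rare artifacts, or None."""
    name = artifact.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if source == "UserAssist" and name == "notepad.exe":
        return "notepad"
    if source == "UserAssist" and name in MAIL_CLIENTS:
        return "mail"
    if source == "FileHistory" and name.endswith(".eml"):
        return "eml"
    return None


def find_pirpi_staging(csv_text, window=WINDOW):
    """Hosts where Notepad, a mail client and a .eml history entry all occur
    within `window`. Returns {host: (first_ts, last_ts)} as ISO strings."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = classify(row["source"], row["artifact"])
        if kind is not None:
            ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
            events[row["host"]].append((ts, kind))
    flagged = {}
    for host, evs in events.items():
        evs.sort()
        # Anchor a window on each event in turn; flag the first cluster that
        # contains all three artifact kinds.
        for i, (t0, _) in enumerate(evs):
            cluster = [(t, k) for t, k in evs[i:] if t - t0 <= window]
            if REQUIRED.issubset({k for _, k in cluster}):
                last = max(t for t, _ in cluster)
                flagged[host] = (t0.isoformat(sep=" "), last.isoformat(sep=" "))
                break
    return flagged


if __name__ == "__main__":
    for host, (first, last) in find_pirpi_staging(SAMPLE_TIMELINE).items():
        print(f"{host}: Notepad/.eml/mail-client cluster between {first} and {last}")
```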

Page 32

Lateral Movement via CTT/CTX

•  Normal Windows lateral movement leaves:
   –  Security event log entries
   –  User profile creation
•  Using third-party access tools leaves less evidence behind

Page 33

CTT evidence

Page 34

CTT evidence - PreFetch

•  CTT Prefetch
•  New CMD prefetch

Page 35

CTT evidence – AppCrash Errors

Lots of AppCrash errors

Page 36

Beyond the Indicator – Lateral Movement: Beyond the Norm

https://hitrustctx.threatstream.com/tip/1245

Page 37

HITRUST CSF CONTROLS

Page 38

Common attack vectors related to HITRUST CSF Controls

•  CSF Control for Vulnerability Patching (Top Exploits)
   –  Control Reference: *10.m Control of technical vulnerabilities
   •  Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.
   •  Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.

Page 39

Common attack vectors related to HITRUST CSF Controls

•  CSF Control for network segmentation (Command and Control)
   –  Control Reference: 01.i Policy on the use of Network Services
   •  Control Text: Users shall only be provided with access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied for users and equipment.
   •  Implementation Requirement: The organization shall specify the networks and services to which users are authorized access (default deny on firewall/ACL).

Page 40

Common attack vectors related to HITRUST CSF Controls

•  CSF Control for Phishing (password/credential compromise)
   –  Control Reference: 01.f Password Use
   •  Control Text: Users shall be made aware of their responsibilities for maintaining effective access controls and shall be required to follow good security practices in the selection and use of passwords and security of equipment.
   •  Implementation Requirement: Users are made aware of the organization's password policies and requirements to keep passwords confidential, select quality passwords, use unique passwords, not provide their password to anyone for any reason, and change passwords when there is suspected compromise.

Page 41

Common attack vectors related to HITRUST CSF Controls (CERT/CISCP Slide)

•  CSF Control for Dropper tools dropping basic Backdoors / RATs
   –  Control Reference: 09.j Controls Against Malicious Code
   •  Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.
   •  Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.

Page 42

Q&A SESSION

Page 43

Visit www.HITRUSTAlliance.net for more information

To view our latest documents, visit the Content Spotlight