SilverBlight - SecTor Williams - SilverBlight.pdf
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public

Transcript

Page 1:

SilverBlight
Craig Williams, Sr. Technical Leader / Security Outreach Manager

Page 2:

Agenda

•  What is Talos

•  A Match Made in Heaven, Exploit Packs and Dynamic DNS

•  Angling for Exploitation

•  Rig Exploit Kit

•  A Historic Perspective

•  Q&A

Page 3:

Talos Security Intelligence and Research Group

•  At a high level, what is Talos? Sourcefire VRT + Cisco TRAC + IronPort SecApps

•  We own the engine deliverables, the threat research, and the mitigations: there are no roadblocks

•  220+ researchers under the Talos leadership team

•  Our goals
   •  Protect our customers
   •  Piss off the bad guys

Page 4:

Talos at a glance (infographic slide; labels only)

•  100 TB intelligence, 1.6M sensors, 150 million+ endpoints, 35% of email worldwide
•  FireAMP™: 3+ million; 13B web requests; 180,000+ files per day; 1B SBRS queries per day; 3.6 PB monthly through CWS
•  AEGIS™ & SPARK open source communities; advanced industry disclosures; outreach activities
•  Dynamic analysis, sandbox, VDB, threat-centric detection content (SEU/SRU), security intelligence, email & web reputation
•  Coverage points: email, endpoints, web, networks, IPS devices
•  Research, response [Talos], threat intelligence, threat focused

Page 5:

A match made in heaven, exploit kits and dynamic DNS

Page 7:

Fiesta Exploit Kit

•  January 2014 alone: over 300 companies affected

•  Drive-by download attack

Page 8:

Fiesta Exploit Kit

•  Malicious file types for all web content since mid-December 2013

Pages 9-11: Fiesta Exploit Kit (image-only slides)

Page 12:

Dynamic DNS

Page 13:

Fiesta Exploit Kit – Dynamic DNS

•  A total of 6 IP addresses were responsible for hundreds of dynamic hosts
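The pivot behind this slide, hundreds of dynamic-DNS hostnames collapsing onto a handful of IP addresses, is easy to reproduce from a passive-DNS feed or resolver logs. The following is an added example written for this page, not code from the talk or from Talos; the provider zones (ddns-example.net, dyn-example.org), the IP addresses and the resolution records are all constructed for illustration.

```python
"""Pivot dynamic-DNS hostnames to the IP addresses behind them.

Added example for this page (not from the talk or from Talos).  The input is a
list of DNS resolutions such as a passive-DNS feed or resolver logs would give;
here it is constructed inline.  Provider zones and addresses are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed dynamic-DNS provider zones (illustrative, not from the talk).
DDNS_ZONES = ("ddns-example.net", "dyn-example.org")


@dataclass(frozen=True)
class Resolution:
    qname: str   # hostname that was resolved
    rdata: str   # IPv4 address it resolved to


# Constructed sample: two IPs each backing dozens of throwaway hostnames,
# plus benign traffic and one legitimate single-host dynamic-DNS user.
SAMPLE = (
    [Resolution(f"upd{i}.ddns-example.net", "203.0.113.10") for i in range(40)]
    + [Resolution(f"srv{i}.dyn-example.org", "203.0.113.11") for i in range(25)]
    + [
        Resolution("www.example.com", "198.51.100.5"),
        Resolution("mail.example.com", "198.51.100.6"),
        Resolution("myhome.ddns-example.net", "192.0.2.77"),
    ]
)


def _norm(name):
    return name.lower().rstrip(".")


def is_ddns(qname, zones=DDNS_ZONES):
    """True if qname is the apex of, or a name under, a listed provider zone."""
    q = _norm(qname)
    return any(q == z or q.endswith("." + z) for z in map(_norm, zones))


def cluster_by_ip(records, zones=DDNS_ZONES):
    """Map each IP to the set of distinct dynamic-DNS hostnames seen resolving to it."""
    by_ip = defaultdict(set)
    for r in records:
        if is_ddns(r.qname, zones):
            by_ip[r.rdata].add(_norm(r.qname))
    return by_ip


def suspicious_ips(records, zones=DDNS_ZONES, min_hosts=10):
    """IPs backing at least min_hosts distinct dynamic-DNS hostnames, busiest first.

    One dynamic-DNS name on an address is what the service is for; dozens of
    names on one address is the exploit-kit pattern the slide describes.
    """
    by_ip = cluster_by_ip(records, zones)
    hits = [(ip, len(hosts)) for ip, hosts in by_ip.items() if len(hosts) >= min_hosts]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, n in suspicious_ips(SAMPLE):
        print(f"{ip}: {n} dynamic-DNS hostnames")
```

On real data the threshold and the provider list are the tuning knobs: a home user with one hostname on a residential IP must not trip it, and the list of provider zones is what keeps the pivot from flagging ordinary shared hosting.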

Page 14:

Dynamic Detection of Malicious DNS – Reputation (chart: average vs. baseline)

Page 15:

Dynamic Detection of Malicious DNS – AV Blocks (chart: average vs. baseline)

Page 16:

Dynamic Detection of Malicious DNS – What are we blocking with AV?

Page 17:

Dynamic Detection of Malicious DNS

Page 18:

Mitigations

•  Web security appliances / cloud web security

•  Reputation systems

•  Block some/all dynamic DNS providers using RPZ (DNS Response Policy Zones)

•  Client-side protection
   •  Antivirus
   •  HIPS
   •  AMP Everywhere
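For the RPZ item above, one way to build the policy zone, as an added example that is not part of the talk or of any Cisco tooling: it emits a BIND 9 Response Policy Zone that returns NXDOMAIN (or NODATA) for whole dynamic-DNS provider zones while exempting individual hosts, and includes a small simulator of which rule a resolver would apply to a name. The provider zones (ddns-example.net, dyn-example.org), the exception host (vpn.ddns-example.net), the policy zone name rpz.local and the named.conf layout are assumptions.

```python
"""Build a BIND 9 Response Policy Zone (RPZ) that blocks dynamic-DNS providers.

Added example for this page, not from the talk or from Cisco.  Provider zones,
the exception host and the policy-zone name are placeholders.

RPZ record semantics (BIND 9):
    name   CNAME .               -> resolver answers NXDOMAIN
    name   CNAME *.              -> resolver answers NODATA
    name   CNAME rpz-passthru.   -> query is exempted from the policy
A wildcard owner (*.zone) covers names under the zone; the apex needs its own
record.  Enable the zone in named.conf roughly like this (assumed layout):

    options { response-policy { zone "rpz.local"; }; };
    zone "rpz.local" { type master; file "/etc/bind/rpz.local.zone";
                       allow-query { localhost; }; };
"""

BLOCKED_ZONES = ["ddns-example.net", "dyn-example.org"]  # assumed providers
ALLOWED_HOSTS = ["vpn.ddns-example.net"]                   # assumed exception


def _norm(name):
    return name.lower().rstrip(".")


def rpz_zone(blocked, allowed=(), origin="rpz.local", serial=2014010101, mode="nxdomain"):
    """Return zone-file text; owner names are relative to origin, the policy zone."""
    target = {"nxdomain": ".", "nodata": "*."}[mode]
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. root.localhost. ({serial} 3600 900 604800 300)",
        "@ IN NS localhost.",
    ]
    for z in map(_norm, blocked):
        lines.append(f"{z} IN CNAME {target}")    # the provider apex itself
        lines.append(f"*.{z} IN CNAME {target}")  # every hostname under it
    for h in map(_norm, allowed):
        # An explicit name is a closer match than the wildcard, so it wins.
        lines.append(f"{h} IN CNAME rpz-passthru.")
    return "\n".join(lines) + "\n"


def policy_for(qname, blocked, allowed=(), mode="nxdomain"):
    """Which rule of the generated zone would apply to qname.

    Mirrors ordinary DNS name matching, which RPZ relies on: an explicit record
    beats a wildcard, and (RFC 4592) a wildcard does not synthesize answers for
    names below an existing node.  So once vpn.ddns-example.net has its passthru
    record, a.vpn.ddns-example.net is matched by neither rule and needs its own
    entry if it must be blocked.  This checks the policy's logic; it is not a
    substitute for running named-checkzone on the file.
    """
    q = _norm(qname)
    allowed_n = [_norm(a) for a in allowed]
    if q in allowed_n:
        return "PASSTHRU"
    if any(q.endswith("." + a) for a in allowed_n):
        return "NO-RULE"
    for z in map(_norm, blocked):
        if q == z or q.endswith("." + z):
            return mode.upper()
    return "NO-RULE"


if __name__ == "__main__":
    print(rpz_zone(BLOCKED_ZONES, ALLOWED_HOSTS), end="")
```

The choice between NXDOMAIN and NODATA matters operationally: NXDOMAIN is the quieter answer for blocked malware hosts, but some clients retry or fall back differently on it, so pick one and log RPZ hits on the resolver so that the blocks feed back into detection rather than silently disappearing.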

Page 19:

Angling for Exploitation

Page 20:

Angler Exploit Kit

Pages 21-22: Content types (charts)

Pages 23-26: Angler Exploit Kit (image-only slides)

Page 27:

We see you!

Page 29:

Blocking the campaign

•  7 unique Silverlight payloads

•  5 unique Angler droppers

•  IOC City
   •  Linked to >650 domains
   •  21 Hotmail addresses
   •  Way too many to list here; go view the blog at http://blogs.cisco.com/tag/trac/

•  Multiple vulnerabilities being exploited…

Page 30:

Rig Exploit Kit

Page 31:

Rig Exploit Kit

•  Advertised on criminal forums in April

•  Began blocking April 24
   •  Blocked over 90 domains
   •  17% of all CWS customers affected
   •  Distributed Cryptowall

•  Yet another exploit kit continuing the trend of Silverlight exploits
   •  Silverlight: CVE-2013-0074
   •  Java: CVE-2013-2465, CVE-2012-0507
   •  Flash: CVE-2013-0634

Page 32:

Requests to Rig Landing Page

Page 33:

Content Type

Page 35:

Mitigations

•  Over 26 malicious files examined

•  >190 IOCs

•  IPS coverage
   •  Silverlight: CVE-2013-0074
   •  Java: CVE-2013-2465, CVE-2012-0507
   •  Flash: CVE-2013-0634

•  Web Security Appliance

•  Cloud Web Security

Page 36:

For More: http://blogs.cisco.com/Talos

Q&A

Page 37:

Thank You

