The Malware Menace: From 30,000 Feet to the Microscope
Session ID 18PT
Earl Carter
Talos Threat Researcher
@kungchiu
Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public
Agenda
Targeted Threats
Spear Phishing
Malvertising
Exploit Kits
Ransomware
Coordinated Response
PoSeidon, A Deep Dive Into Point of Sale Malware
Point-of-Sale Malware a Growing Threat
Engineers Reversed Sample
PoSeidon
– Installs Keylogger
– Scans Memory for Credit Card Data
– Exfiltrates Data
Defending Against PoSeidon
We encourage organizations to consider security best practices, starting with a threat-centric approach. Given the dynamic threat landscape, we advocate this threat-centric and operationalized approach that implements protections across the extended network – and across the full attack continuum - before, during, and after an attack. This approach is predicated upon superior visibility, continuous control, and advanced threat protection across the extended network and the entire attack continuum
Before – During – After
Visit our blog for further analysis:
http://blogs.cisco.com/talos/poseidon
Phishing Landscape
Constant Ongoing Threat
Campaigns More Targeted
More Short Duration Campaigns
http://www.senderbase.org/static/malware
Phishing for your banking info…
Upatre
– Malicious downloader
– Distributed primarily via spam (.zip/.rar attachments)
– Dyre (banking Trojan) is the primary downloaded malware
Spam Campaigns
– Frequent (new campaigns almost daily)
– Short lived (usually 1 day)
– Use compromised systems
– Used password-protected RAR archive (shown)
– Dropped PDF to display to the user (anti-drone)
And the Campaigns Begin…
Identified at least 15 distinct campaigns
Initial Campaign – March 31st
ZIP File Attachment
From: [email protected]
Dyre Installed While Displaying Decoy Files
First Seen in June 2014
Steals Banking Credentials
Performs a man-in-the-middle attack from inside the browser (man-in-the-browser)
Easily Identifiable Traffic Characteristics
HTTP Plain Text
Unique User Agent
Campaign Identified in Request
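The three traffic characteristics listed above can be turned into a simple check-in detector. The following is an added Python example, not Cisco's or Talos's code: it runs over a constructed set of proxy-log style records (client IP, method, URL, User-Agent) and scores each client on cleartext HTTP, a User-Agent that does not have the shape of a real browser string, and a campaign tag as the first path segment. The tag shape (four digits, two-letter region code, small counter) and the sample requests are assumptions for the demo, not a published Upatre/Dyre format.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy-log style records for the demo (client IP, method, URL, User-Agent).
# The second host's traffic is shaped like the slide's description: plaintext HTTP,
# an odd User-Agent, and a campaign tag as the first path segment. Not captured traffic.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "GET", "http://www.example.com/index.html",
     "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"),
    ("10.0.0.7", "GET", "http://203.0.113.10:443/0331us22/WKSTN-07/0/51-SP3/0/", "Mazilla/5.0"),
    ("10.0.0.7", "GET", "http://203.0.113.10:443/0331us22/WKSTN-07/41/7/4/", "Mazilla/5.0"),
    ("10.0.0.9", "GET", "https://update.example.org/api/check",
     "Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0"),
]

# Rough shape of a real browser User-Agent: "Mozilla/5.0 (<platform>) <engine/version ...>".
BROWSER_UA = re.compile(r"^Mozilla/5\.0 \([^)]+\) \S+")
# Assumed shape of a campaign tag: four digits, two-letter region code, a small counter
# (e.g. "0331us22"). This is an assumption for the demo, not a published Upatre format.
CAMPAIGN_TAG = re.compile(r"^\d{4}[a-z]{2}\d{1,3}$")


def analyze(requests):
    """Collect the three indicators per client: plaintext HTTP, non-browser UA, campaign tag."""
    findings = {}
    for client, _method, url, ua in requests:
        parts = urlsplit(url)
        f = findings.setdefault(client, {"plaintext": False, "odd_ua": set(), "campaign_ids": set()})
        if parts.scheme == "http":          # cleartext, even when aimed at port 443
            f["plaintext"] = True
        if not BROWSER_UA.match(ua):
            f["odd_ua"].add(ua)
        segments = [s for s in parts.path.split("/") if s]
        if segments and CAMPAIGN_TAG.match(segments[0]):
            f["campaign_ids"].add(segments[0])
    return findings


def suspicious_hosts(requests, min_indicators=2):
    """Clients showing at least `min_indicators` of the three traits, sorted for stable output."""
    flagged = []
    for client, f in analyze(requests).items():
        hits = int(f["plaintext"]) + int(bool(f["odd_ua"])) + int(bool(f["campaign_ids"]))
        if hits >= min_indicators:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for host in suspicious_hosts(SAMPLE_REQUESTS):
        print(host, analyze(SAMPLE_REQUESTS)[host])
```

Requiring two of the three indicators keeps ordinary cleartext browsing (the first client) from alerting on its own; the campaign tag, once confirmed in real traffic, is the strongest single signal because it also ties hosts to a specific spam run.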
More Variations
Two more campaigns on March 31st
Product Quote & 2015 Expenses
Still Using ZIP File Attachment
From Addresses
A Change in Tactics
Started on April 7th
ZIP attachment gone
New attachment – encrypted RAR file
Password in email
Yet Another Shift
Started on April 16th
ZIP attachment is back
Communication is Now Encrypted
99% of Traffic Using HTTPS
Protecting The Customer
ESA flagged the emails as spam even without AV detection
AMP detected activity and blocked new variants
CWS/WSA can block malicious payloads
NGIPS/NGFW signatures for network activity
Rombertik: Phishing for Everything
Rombertik
(Diagram labels: Anti-Analysis Code, Unpacking Code)
Angler Lurking in the Domain Shadow
Domain Shadowing
– Uses subdomains of legitimate domains (e.g. bad.legit.com)
– Next evolution in exploit kits
– Advanced evasion of blacklisting technologies
– Actors using random subdomain names
– Discovered hundreds of compromised accounts
– Thousands of affected domains
Delivered via malvertising
Multiple tiers of subdomains being used for redirection
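Domain shadowing as described above leaves a footprint in passive DNS: a legitimate, established domain suddenly sprouts random-looking subdomains (sometimes several tiers deep) that resolve to addresses unrelated to the domain's own web servers. The following is an added Python example, not Talos's tooling, that applies that heuristic to a constructed set of passive-DNS style observations. The apex-domain extraction (last two labels) and the random-label test are simplifications assumed for the demo; production code would use the public-suffix list and a better label classifier.

```python
from collections import defaultdict

# Constructed passive-DNS style observations (first_seen_day, fqdn, ip). Not real data:
# example-shop.com plays the legitimate domain whose registrar account was compromised,
# bigcorp.org is a control with ordinary infrastructure hostnames.
PDNS = [
    (1, "example-shop.com", "198.51.100.10"),
    (1, "www.example-shop.com", "198.51.100.10"),
    (5, "xk3t9q.example-shop.com", "203.0.113.7"),
    (5, "p0mz2a.example-shop.com", "203.0.113.7"),
    (5, "a81nfd.example-shop.com", "203.0.113.8"),
    (6, "zz91kd.xk3t9q.example-shop.com", "203.0.113.9"),  # second tier of redirection
    (6, "q7vbn.example-shop.com", "203.0.113.7"),
    (1, "bigcorp.org", "192.0.2.20"),
    (1, "www.bigcorp.org", "192.0.2.20"),
    (3, "mail.bigcorp.org", "192.0.2.21"),
    (4, "vpn.bigcorp.org", "192.0.2.22"),
]


def registered_domain(fqdn):
    """Naive apex: last two labels. Assumption for the demo; real code needs the public-suffix list."""
    return ".".join(fqdn.split(".")[-2:])


def looks_random(label):
    """Cheap machine-generated-label test: 5+ chars with digits mixed in, or almost no vowels."""
    if len(label) < 5:
        return False
    has_digit = any(c.isdigit() for c in label)
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    return has_digit or vowel_ratio < 0.25


def shadowing_candidates(records, min_hosts=3):
    """Domains with `min_hosts`+ random-looking subdomains that resolve away from the apex's IPs."""
    by_domain = defaultdict(list)
    for day, fqdn, ip in records:
        by_domain[registered_domain(fqdn)].append((day, fqdn, ip))

    report = {}
    for apex, recs in by_domain.items():
        apex_ips = {ip for _, fqdn, ip in recs if fqdn in (apex, "www." + apex)}
        shadow = []
        for day, fqdn, ip in recs:
            if fqdn in (apex, "www." + apex) or ip in apex_ips:
                continue
            labels = fqdn[: -len(apex) - 1].split(".")   # labels under the apex
            if any(looks_random(label) for label in labels):
                shadow.append((day, fqdn, ip, len(labels)))
        if len(shadow) >= min_hosts:
            report[apex] = {
                "apex_ips": sorted(apex_ips),
                "hosts": len(shadow),
                "landing_ips": sorted({ip for _, _, ip, _ in shadow}),
                "max_depth": max(depth for _, _, _, depth in shadow),
                "days": sorted({day for day, _, _, _ in shadow}),
            }
    return report


if __name__ == "__main__":
    for apex, info in shadowing_candidates(PDNS).items():
        print(apex, info)
```

The "resolves away from the apex" condition is what separates shadowing from a legitimately growing domain: mail and VPN hosts on bigcorp.org also get new addresses, but their labels are dictionary words, so the control domain is not reported. `max_depth` of 2 records the tiered redirection the slide mentions.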
Evasion Evolution
Exploit kit evolution: static IP address → registered domains → fast-flux DNS → dynamic DNS → domain shadowing
Protecting The Customer
Cisco AMP & Network Security IDS & NGFW detected and blocked immediately
Defense-in-Depth is still best approach to protect your environment
Expect this technique to increase in popularity
The Malvertising Ecosystem
The Normal Web
cnn.com: 26 domains, 39 hosts, 171 objects, 557 connections
Threat: Malvertising
Kyle & Stan
• Malicious ads served on major websites such as Amazon, Yahoo, and YouTube
• Malware disguised as a legitimate application
Example Attack Sequence
Protecting The Customer
6941 domains blocked
Web Security Appliance
Cloud Web Security
AMP
Visit our blog for further analysis:
http://blogs.cisco.com/talos/kyle-and-stan
Cryptowall 2.0
Data is the new target
Ransomware – Becoming more popular
– Using more evasive techniques
Cryptowall 2.0 Functionality
Encrypted binary
Anti-VM check
Uses Tor for command & control
Switches from 32-bit to 64-bit code at runtime
Cryptowall 3.0 Functionality
Moving to exploit kit delivery
Still has encrypted binary
Uses Tor & I2P for C&C
(Diagram: Dropper → Decryption Process → Run Cryptowall)
Removed since 2.0: no exploits, no 32/64-bit switching, no anti-VM check
Protecting The Customer
Before:
– ESA stops the spam, which is the primary infection vector.
During:
– AMP, NGFW and IPS, in addition to CWS and WSA, detect and block attempts to download the malware.
After:
– IPS and NGFW identify and block malware operation and spread.
Visit our blog for further analysis:
http://blogs.cisco.com/talos/cryptowall-3-0
SSHPsychos
• Brute-force SSH attacks
• 300K unique passwords
• Accounted for 1/3 of all SSH traffic
• Attack
• Brute-force the system until a password is guessed
• Log in from a different address space
• Drop a DDoS rootkit on the server
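The attack sequence above (guess from one address space, log in from another) is what makes SSHPsychos detectable from host logs alone: a burst of failed password attempts for one account followed shortly by an accepted password for the same account from an unrelated network. The following is an added Python example, not Talos's or Level 3's detection, run over constructed sshd log lines that use TEST-NET addresses rather than the campaign's real ranges. Thresholds (20 failures, a one-hour window, a /16 for "different address space") are assumptions to tune for your environment.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (TEST-NET addresses, not the campaign's real ranges):
# 25 rapid failures for root from one address, then a success for root from a different /16.
# A normal user who mistypes once and then logs in from the same address is included as a control.
SAMPLE_LOG = [
    f"Apr 10 03:12:{s:02d} web1 sshd[{2200 + s}]: Failed password for root from 192.0.2.45 port {40000 + s} ssh2"
    for s in range(25)
] + [
    "Apr 10 03:13:05 web1 sshd[2301]: Failed password for alice from 10.0.0.5 port 50210 ssh2",
    "Apr 10 03:13:09 web1 sshd[2301]: Accepted password for alice from 10.0.0.5 port 50210 ssh2",
    "Apr 10 03:14:22 web1 sshd[2390]: Accepted password for root from 203.0.113.9 port 55012 ssh2",
]

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse(lines):
    """Return (timestamp, result, user, ip) for lines that match sshd's password-auth messages."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["ip"]))
    return events


def detect(lines, min_failures=20, window=timedelta(hours=1), prefix_len=16):
    """Flag an accepted login for a user who was just brute-forced from outside the login's /prefix_len."""
    events = parse(lines)
    failures = defaultdict(list)                      # (user, ip) -> failure timestamps
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[(user, ip)].append(ts)

    alerts = []
    for ts, result, user, ip in events:
        if result != "Accepted":
            continue
        login_block = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        for (f_user, f_ip), stamps in failures.items():
            if f_user != user or len(stamps) < min_failures:
                continue
            last_failure = max(stamps)
            if last_failure <= ts <= last_failure + window and ipaddress.ip_address(f_ip) not in login_block:
                alerts.append({"user": user, "brute_source": f_ip, "failures": len(stamps),
                               "login_source": ip, "login_time": ts.strftime("%b %d %H:%M:%S")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Correlating on the account rather than the source address is the point: a plain per-IP failure counter would block the guessing host and still miss the successful login that arrives from elsewhere.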
SSHPsychos: Action Taken
• Engaged Level 3
• Sudden Pivot
• Null Routed
• Call to Action
• Effectively limited
Common Goals
• Blacklisted domains: malware downloaders, C&C, domains for tools (email & web)
• Blacklisted address space: for malware, for C&C, for their tools
• Published NGIPS detection: tools activity, C&C activity; gave it to the community – free, gratis, nada
• Published AV detection: tools, malware, AMP
Stopping The Bad Guys – A Good Thing™
Q & A
Talos information:
– Web: http://www.snort.org/
http://www.clamav.net/
– Blog: http://blogs.cisco.com/talos/
http://vrt-blog.snort.org/
– Twitter: @TalosSecurity
– Labs: http://labs.snort.org
HeartBleed
• If the specified heartbeat request length is larger than its actual length, this memcpy() will read memory past the request buffer and store it in the response buffer, which is sent to the attacker
• OpenSSL 1.0.1 through 1.0.1f are vulnerable
• Bug was introduced in December 2011
• Approximately 534,156 services are vulnerable
• Cisco was one of the first IPS companies to provide coverage
• This IS being exploited in the wild…
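The over-read described above, as an added Python simulation (not Cisco's, Talos's or OpenSSL's code): the vulnerable handler trusts the 2-byte payload_length field and copies that many bytes from where the payload starts, so whatever sits after the request in memory (here a constructed SECRET string standing in for key material) comes back in the reply; the fixed handler applies the bounds check from 1.0.1g and silently drops the record. The process heap is modelled as one byte string with the request at the front.

```python
import struct

HB_REQUEST, HB_RESPONSE, HB_PADDING = 1, 2, 16

# Constructed stand-in for whatever sat next to the request in the OpenSSL process heap.
SECRET = b"-----BEGIN RSA PRIVATE KEY----- (constructed for the demo) -----END-----"


def build_request(payload, claimed_length):
    """Heartbeat record: type(1) | payload_length(2, big-endian) | payload | padding(16)."""
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_length) + payload + b"\x00" * HB_PADDING


def heartbeat_vulnerable(memory, record_length):
    """OpenSSL 1.0.1 through 1.0.1f logic: copies payload_length bytes from the request
    into the reply without checking how many bytes were actually received."""
    hbtype = memory[0]
    payload_length = struct.unpack("!H", memory[1:3])[0]
    if hbtype != HB_REQUEST:
        return None
    payload = memory[3:3 + payload_length]           # the memcpy() over-read
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_length) + payload + b"\x00" * HB_PADDING


def heartbeat_fixed(memory, record_length):
    """1.0.1g logic: discard the record unless the claimed payload fits inside it."""
    if record_length < 1 + 2 + HB_PADDING:
        return None
    hbtype = memory[0]
    payload_length = struct.unpack("!H", memory[1:3])[0]
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + payload_length + HB_PADDING > record_length:
        return None                                  # silently drop, as the patch does
    payload = memory[3:3 + payload_length]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_length) + payload + b"\x00" * HB_PADDING


def simulate(claimed_length, handler, payload=b"A"):
    """Lay out a request followed by SECRET as one byte string (adjacent heap memory) and run the handler."""
    request = build_request(payload, claimed_length)
    memory = request + SECRET + b"\x00" * 65536       # pad so slicing never runs off the end
    return handler(memory, len(request))


def leaked(response):
    """True if the reply carries bytes that were never part of the request."""
    return response is not None and SECRET in response


if __name__ == "__main__":
    print("vulnerable leaks secret:", leaked(simulate(200, heartbeat_vulnerable)))
    print("fixed drops oversized request:", simulate(200, heartbeat_fixed) is None)
    print("fixed still answers a sane request:", simulate(1, heartbeat_fixed))
```

A real request can claim up to 65535 bytes per heartbeat, and nothing stops the attacker from repeating it; the fixed handler's second check is the whole patch, which is why the IDS coverage below keys on the mismatch between the claimed length and the record size rather than on any particular exploit.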
Background
Exploitation Allows Access to Device Memory Contents
• Attackers could potentially extract sensitive information
• Cryptographic keys and certificates are of particular concern
Impact of Exploitation Depends on Multiple Factors
• Role of affected device in the network
• How OpenSSL is used on the device
Cisco Response
Announced publicly on April 7th 2014
• No industry coordination; vulnerability was disclosed before vendors were informed
Cisco PSIRT coordinating response and investigation
Cisco Security Advisory published April 9th
• Cisco among the first vendors to respond
• Initial focus on accurate listing of Cisco products and services
• Updated daily as new information is discovered
Detection and mitigation strategies include:
• Cisco Sourcefire and Cisco IPS signatures are available
• Technology-specific guidance and best practices
Security Impact
Bigger than 443
• Any SSL service is being targeted
• Most prominent sites have already patched
• Many, many, smaller sites are not patched…
Worst case: Private keys, credentials and more leaked
• Hijacked accounts -> more exploit kits
• Embedded devices are unlikely to patch
• May enable lateral movement
• Without security monitoring there is no real way to know if you were exploited
The client-side attack is also concerning
Timeline
April 7
– Vulnerability announced
– Exploit designed for QA within 6 hours of initial report
– IPS rules developed
April 8
– IPS rules released
– Public exploits surface
– Initial VRT blog posted
April 9
– Coverage extended to more SSL services
– Client-side exploitability discovered
– Additional exploits released, including Metasploit (MSF)
– Vendor A, Vendor B and Vendor C coverage released
April 10
– Rules released to cover client-side exploitation
– VRT blog posted regarding client-side exploitation
– SEU/SRU released
– Cisco rules detect all known public exploits
– Vendor D coverage released
Services Being Targeted
Destination port / service:
– 465/tcp (smtps)
– 995/tcp (pop3s)
– 993/tcp (imaps)
– 443/tcp (https)
Heartbleed IOCs
Sourcefire IPS
• 30510 - 30513 inbound connection attempts beyond a normal threshold
• 30514 - 30517 large outbound heartbeat responses (successful exploitation)
• 30520 - 30525 outbound vulnerable client traffic
Cisco Legacy IPS
• 4187-3 - inbound connection attempts beyond a normal threshold
• 4187-4 - large outbound heartbeat responses (successful exploitation)/outbound vulnerable client traffic
Fiesta Exploit Kit
In January 2014 alone, over 300 companies were affected
Drive-by download attack
Fiesta Exploit Kit: File Types
Malicious file types for all web content during campaign.
Fiesta Exploit Kit: Exploits Utilized
Fiesta Exploit Kit: Geographic Distribution
Fiesta Exploit Kit: Dynamic DNS
Dynamic Detection of Malicious DNS - Reputation
(Chart labels: Average, Baseline)
Dynamic Detection of Malicious DNS
What are we blocking with AV?
Dynamic Detection of Malicious DNS
Protecting The Customer
Web security appliances / Cloud Web security
Reputation systems
Block some/all Dynamic DNS providers using RPZ
Client side protection
– Antivirus
– HIPS
– AMP Everywhere
For more information, see our blog entry: http://blogs.cisco.com/security/fiesta-exploit-pack-is-no-party-for-drive-by-victims
Spam Distribution
Spam broken down by Sender Type
Snowshoe Spam Mitigations
Cisco Outbreak Filters
– 14-hour lead time over traditional AV
Delay Quarantine
Intelligent Multiscan
– More detection engines can detect more spam
Use DNS
– Look for hundreds of hostnames using a single IP, or hundreds of IPs without hostnames
Advanced Malware Protection (AMP)
For more information, see our blog entry: http://blogs.cisco.com/talos/snowshoe-flurry
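The two DNS heuristics from the "Use DNS" item above, worked through as an added Python example (not Cisco's ESA logic): one pass over constructed sender observations from a mail gateway counts distinct hostnames per sending IP and distinct IPs per /24 that have no reverse DNS, and a small policy function maps a hit on either to the delay-quarantine action the slide lists. The thresholds are scaled down from "hundreds" so the sample stays short; the sample senders and their hostnames are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sender observations from a mail gateway: (sender_ip, PTR hostname or None, HELO name).
# Not real data. Three patterns: a normal MTA, one IP hiding behind many hostnames,
# and a /24 sprayed with many senders that have no reverse DNS at all.
SAMPLE_SENDERS = (
    [("192.0.2.10", "mail.example.com", "mail.example.com")] * 5
    + [("198.51.100.7", f"mta{i}.deals-example.net", f"mta{i}.deals-example.net") for i in range(40)]
    + [(f"203.0.113.{i}", None, f"host{i}.promo-example.org") for i in range(1, 31)]
)


def find_snowshoe(records, max_names_per_ip=20, max_noptr_per_block=20, prefix_len=24):
    """Apply the two DNS heuristics; thresholds are scaled down for the sample (assumed values)."""
    names_per_ip = defaultdict(set)
    noptr_per_block = defaultdict(set)
    for ip, ptr, helo in records:
        names_per_ip[ip].add(ptr or helo)            # count whatever name the sender presents
        if ptr is None:                              # no reverse DNS at all
            block = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            noptr_per_block[str(block)].add(ip)
    return {
        "many_names": {ip: len(names) for ip, names in names_per_ip.items() if len(names) > max_names_per_ip},
        "no_ptr_blocks": {blk: len(ips) for blk, ips in noptr_per_block.items() if len(ips) > max_noptr_per_block},
    }


def policy(record, report, prefix_len=24):
    """Per-message action: hold mail from flagged senders so later reputation data can catch up."""
    ip = record[0]
    block = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
    if ip in report["many_names"] or block in report["no_ptr_blocks"]:
        return "delay-quarantine"
    return "deliver"


if __name__ == "__main__":
    report = find_snowshoe(SAMPLE_SENDERS)
    print(report)
    for rec in SAMPLE_SENDERS[::10]:
        print(rec[0], policy(rec, report))
```

Both counts are cheap to keep as rolling windows on the gateway, and neither depends on content, which is what makes them useful against snowshoe runs that stay below per-IP volume thresholds.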
Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.