Emerging Threats - The State of Cyber Security

Cisco Confidential © 2015 Cisco and/or its affiliates. All rights reserved.
Emerging Threats – The State of Cyber Security
Senior Threat Researcher, May 2016
Earl Carter / @kungchiu


© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

House Keeping Notes
Thank you for attending Cisco Connect Toronto 2016, here are a few housekeeping notes to ensure we all enjoy the session today.
• Please ensure your cellphones / laptops are set on silent to ensure no one is disturbed during the session
• A power bar is available at the back of the room


Earl Carter (@kungchiu) Senior Threat Researcher / Security Outreach

Insights on Emerging Threats

THREAT LANDSCAPE
[Chart: CVE entries per year, 2011 to 2015]
The number of CVE entries in 2016 so far is 2128
2014: 7903 CVE entries; 2015: 6453 CVE entries
18% decrease in CVE entries from 2014 to 2015

THREAT LANDSCAPE
[Figures: 1.5 Million; 19.7 Billion; 7.2 Trillion]

TOTAL THREAT BLOCKS
DAILY WEB BREAKDOWN
181 Million Spyware Blocks
82 Thousand Virus Blocks
818 Million Web Blocks

THREATS DON’T GO AWAY, HOW DO WE ADDRESS IT?

Cloud to Core Visibility
16 BILLION web requests a day
600 BILLION email messages a day
18.5 BILLION endpoint malware queries a day

TALOS PRODUCTS & INTELLIGENCE
Talos is the backbone for all Cisco Security Products and Services.

PRODUCTS and DETECTION SERVICES by area:

Email
  Products: ESA | ClamAV | SpamCop | SenderBase
  Detection: Email Reputation, Malware Protection, URL/Domain/IP Reputation, Phishing Protection, Spoof & Spam Detection

Open Source
  Products: Snort Rules | ClamAV Sigs | ClamAV
  Detection: Vulnerability Protection, Malware Protection, Policy & Control

End Point
  Products: AMP | ClamAV
  Detection: Cloud & End Point IOCs, Malware Protection, IP Reputation

Cloud
  Products: CWS | CES | OpenDNS
  Detection: URL/Domain/IP Reputation, Malware Protection, AVC

Web
  Products: WSA | CWS
  Detection: URL/Domain/IP Reputation, Malware Protection, AVC

Network
  Products: FirePower/ASA | ISR | Meraki
  Detection: Policy & Control, Malware Protection, URL/Domain/IP Reputation, Vulnerability Protection

Services
  Products: ATA | IR
  Detection: Cloud & End Point IOCs, Malware Protection, URL/Domain/IP Reputation, Vulnerability Protection, Custom Protection

Intelligence
  Products: ThreatGrid
  Detection: Cloud & End Point IOCs, Malware Protection, URL/Domain/IP Reputation, Network Protection

MULTI-TIERED DEFENSE

Talos is divided into 5 departments

Open Source: Public Facing Tools
• Threat detection and prevention: Snort, ClamAV, Razorback, & Daemonlogger
• Vulnerability detection and mitigation: Moflow, FreeSentry

Open Intelligence

TALOS IN THE NEWS

LEADING THREAT INTELLIGENCE

Windows 10 Spam
• Talos discovered email campaign
• Began shortly after Windows 10 release
• Payload: CTB-Locker Ransomware

LEADING THREAT INTELLIGENCE

Windows 10 Spam
• Talos is a key differentiator
• Unparalleled visibility
• Quick and effective detection & response

Simple But Effective

Resume Spam Campaign
• Pretends to be employee resume
• Short-lived and effective
• Includes Zip file attachment

The Infection Chain

Tax Scams Gone International

Overview
• 9 Different Countries
• English & 3 Other Languages
• Occurring year round
• Attacks: HTML Forms & Malicious Attachments; Links to Malicious Sites

Tax Scams Gone International

One Campaign Spanning 3 Countries
US, UK & Canada

Common Subjects
Claim your tax refund
You are eligible to receive a tax refund
Tax Refund Notification
Australian Taxation Office tax refund confirmation!
Tax Refund New Message Alert!
Tax Refund (Ref#782167) - $687.00 CDN
Tax Refund (Ref#782167) 687.00 GBP
Tax Refund (Ref#782167) $687.00 USD
Tilbagebetaling af skat - DKK 7122,00 (Danish: "Tax refund - DKK 7122.00")
Skatteåterbäring: 6120.20 SEK (Swedish: "Tax refund: 6120.20 SEK")
Rimborso fiscale per 2014-2015 (Italian: "Tax refund for 2014-2015")

Interesting IRS Twists
IRS Forgiving Debt?
Your Identity was Stolen

Impersonating Tax Seminars
Sample Subjects:
IRS: Tax and Payroll Updates for 2016
Reminder: Annual Tax Update
Handling Federal and State Tax Levies With Ease. Register Now!

LEADING THREAT INTELLIGENCE

SSHPsychos
• Brute force SSH attacks until a password guess succeeds
• 300K unique passwords
• Login from different address space
• Drop DDoS rootkit on server
• Accounted for 1/3 of all SSH traffic ON THE INTERNET

[Chart: SSH Brute Force Attempts]

LEADING THREAT INTELLIGENCE

SSHPsychos
ACTION TAKEN:
• Engaged Level 3… and other providers
• Sudden Pivot
• Null Routed
• Call to Action
• Effectively Limited

VICTORY After Action
• Multiple Pivots
• Continuous Blocks
• Group Effort
• Eventually They Stopped
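An added worked example for the SSHPsychos slides above (not code from the presentation or from Talos): a small detector that reads OpenSSH auth-log lines, counts failed-password attempts per source address, and flags the second half of the pattern the slide describes, a successful login for a guessed account arriving from a different address than the one that did the guessing. The log lines are constructed, and the thresholds (fail_threshold, window_minutes) are assumptions to tune per environment.

```python
"""SSHPsychos-style brute-force detection over sshd auth logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH auth.log excerpt; syslog timestamps carry no year, 2016 assumed.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Apr  2 03:14:01 bastion sshd[2201]: Failed password for root from 203.0.113.10 port 51022 ssh2
Apr  2 03:14:02 bastion sshd[2203]: Failed password for root from 203.0.113.10 port 51030 ssh2
Apr  2 03:14:02 bastion sshd[2205]: Failed password for invalid user admin from 203.0.113.10 port 51034 ssh2
Apr  2 03:14:03 bastion sshd[2207]: Failed password for root from 203.0.113.10 port 51040 ssh2
Apr  2 03:14:04 bastion sshd[2209]: Failed password for root from 203.0.113.10 port 51046 ssh2
Apr  2 03:14:05 bastion sshd[2211]: Failed password for root from 203.0.113.10 port 51052 ssh2
Apr  2 03:20:17 bastion sshd[2340]: Accepted password for root from 198.51.100.12 port 40112 ssh2
Apr  2 08:02:11 bastion sshd[3100]: Failed password for alice from 10.0.0.5 port 55002 ssh2
Apr  2 08:02:20 bastion sshd[3102]: Accepted password for alice from 10.0.0.5 port 55004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(log_text, year=2016):
    """Return a list of (timestamp, result, user, source_ip) password-auth events."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def brute_force_sources(events, fail_threshold=5):
    """Map source IP -> failure count for sources at or above the threshold."""
    fails = defaultdict(int)
    for _, result, _, ip in events:
        if result == "Failed":
            fails[ip] += 1
    return {ip: n for ip, n in fails.items() if n >= fail_threshold}

def suspicious_logins(events, fail_threshold=5, window_minutes=30):
    """Accepted logins for an account that a brute-force source was guessing within
    the window, arriving from a different IP (the 'login from different address
    space' step on the slide)."""
    brute = brute_force_sources(events, fail_threshold)
    attempts = defaultdict(list)          # (source_ip, user) -> failure timestamps
    for ts, result, user, ip in events:
        if result == "Failed" and ip in brute:
            attempts[(ip, user)].append(ts)
    findings = []
    for ts, result, user, ip in events:
        if result != "Accepted":
            continue
        guessers = sorted(
            src for (src, u), times in attempts.items()
            if u == user and src != ip
            and any(0 <= (ts - t).total_seconds() <= window_minutes * 60 for t in times)
        )
        if guessers:
            findings.append({"at": ts, "user": user, "login_ip": ip, "guessed_from": guessers})
    return findings

def brute_share(events, fail_threshold=5):
    """Fraction of this host's password-auth events coming from brute-force sources
    (a per-host version of the slide's 'one third of all SSH traffic' figure)."""
    brute = brute_force_sources(events, fail_threshold)
    return sum(ip in brute for *_, ip in events) / len(events) if events else 0.0

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("brute-force sources:", brute_force_sources(ev))
    for finding in suspicious_logins(ev):
        print("ALERT:", finding)
    print(f"share of auth events from brute-force sources: {brute_share(ev):.0%}")
```

Replace SAMPLE_LOG with a real auth.log to run it in anger; the per-source evidence it produces (source address, volume, the account that was eventually opened from elsewhere) is what the provider engagement and null routing described on the next slides start from.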

Drive-by Download Attacks
• The act of downloading something unintentionally, usually malicious
• No need to click to download
• Malvertising is a common vector

Malvertising
• Content varies by system
• Content varies by user
• Content varies by visit

Lots of Noise
CNN: 26 Domains, 39 Hosts, 171 Objects, 557 Connections

Spin to Win…Malware
Hidden in the code

Use Case
404 OK Malware

Summary
• Malvertising is literally everywhere
• Big attack vector for Exploit Kits
• Ensures lots of victims from largely random sites
• Sites are starting to require AdBlock be turned off
• Malvertising as a Service (MaaS) is likely to be growing in the rest of 2016 and beyond

Angler Evolution

Attacker Innovation
• Angler is the most successful exploit kit
• Demonstrates continued innovation
• New functionality quickly spreads
  – Exploit kits competing for business
• Exploit kits get overlooked as a sophisticated threat

Importance of Patching
[Timeline chart, 1 FEB to 1 JUN 2015, with three rows per vulnerability: when Angler began exploiting it, user activity by installed version, and when the update was published]
Versions (Adobe Flash Player): 15.0.0.246, 16.0.0.235, 16.0.0.257, 16.0.0.287, 16.0.0.296, 16.0.0.305, 17.0.0.134, 17.0.0.169, 17.0.0.188
Vulnerabilities: CVE-2015-0310, CVE-2015-0313, CVE-2015-0336, CVE-2015-0359, CVE-2015-0390

What is an exploit kit?
• A software package designed to exploit vulnerable browsers and plugins
• Blackhole was the first major exploit kit

Monetization of Hacking
There are three main payload types:
• Ransomware: CryptoWall, TeslaCrypt
• Click-fraud agents: Bedep
• Miscellaneous: trojans, keyloggers, spyware

Detection Challenges
• Hashes
  • Found 3,000+ unique hashes
  • Only 6% of them in VT
  • Most of those with fewer than 10 detections
• Encrypted payloads
  • Diffie-Hellman key exchange used to encrypt the IE exploit
  • Unique to each user
• Domain behavior
  • DDNS
  • Domain shadowing
  • Adversary-owned domains
  • Hard-coded IP

Unique Referers
[Chart: Unique referers by day, July 2015]

Unique IP Addresses Per Day

IP Address / ASN Relationship
[Chart: Angler HTTP requests by provider, July 2015]
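For the "Domain behavior" bullets above, an added example (not the presentation's or Talos's code) that sorts a day of observed hostnames into the four hosting patterns listed: dynamic DNS, domain shadowing, adversary-owned domains and hard-coded IPs. Domain shadowing is the case worth the extra logic: a legitimate registered domain suddenly carries many random-looking subdomains whose records point at hosts the domain's own names never use. The records are constructed; the randomness heuristic, the two-label registrable-domain rule (a real implementation would consult the public suffix list) and the DDNS provider list are simplifying assumptions.

```python
"""Classify observed hostnames by exploit-kit hosting behaviour (added example)."""
import ipaddress
from collections import defaultdict

DDNS_PROVIDERS = {"no-ip.org", "dyndns.org"}   # illustrative short list (assumption)

# Constructed (host, resolved IP) observations; 192.0.2.0/24, 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges and .test is a reserved TLD.
RECORDS = [
    ("www.florist.test", "192.0.2.10"),         # legitimate site on its own hosting
    ("mail.florist.test", "192.0.2.11"),
    ("k3x9qz.florist.test", "198.51.100.7"),    # shadowed subdomains: added through the
    ("p0wm2a.florist.test", "198.51.100.7"),    # owner's stolen registrar account and
    ("zt8c41.florist.test", "198.51.100.9"),    # pointed at the exploit kit's hosts
    ("x7q2bn.florist.test", "198.51.100.9"),
    ("qwzxkjrt.test", "203.0.113.4"),           # adversary-owned, random-looking domain
    ("update-flash.no-ip.org", "203.0.113.8"),  # dynamic DNS
    ("203.0.113.20", "203.0.113.20"),           # landing page addressed by IP literal
    ("cdn.example.org", "192.0.2.50"),          # ordinary traffic
]

def looks_random(label):
    """Heuristic: 6+ characters that mix letters and digits, or have almost no vowels."""
    if len(label) < 6:
        return False
    letters = sum(c.isalpha() for c in label)
    digits = sum(c.isdigit() for c in label)
    if letters and digits:
        return True
    vowels = sum(c in "aeiou" for c in label)
    return letters > 0 and vowels / letters < 0.25

def registrable(host):
    """Registered domain under the two-label assumption (example.com; not co.uk-aware)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def leftmost_label(host, domain):
    """Leftmost label of the part of host below domain, or '' for the apex itself."""
    prefix = host[: -len(domain) - 1] if host != domain else ""
    return prefix.split(".")[0]

def classify(records, min_shadow_subdomains=3):
    """Return {host: category} for every observed host."""
    result, by_domain = {}, defaultdict(list)
    for host, ip in records:
        try:
            ipaddress.ip_address(host)
            result[host] = "hardcoded_ip"
        except ValueError:
            by_domain[registrable(host)].append((host, ip))
    for domain, entries in by_domain.items():
        if domain in DDNS_PROVIDERS:
            base = "ddns"
        elif looks_random(domain.split(".")[0]):
            base = "adversary_owned"
        else:
            base = "benign"
        # Domain shadowing: a normal registered domain sprouting random subdomains that
        # resolve somewhere other than the hosts its normal names use.
        own_ips = {ip for h, ip in entries if not looks_random(leftmost_label(h, domain))}
        shadowed = {h for h, ip in entries
                    if looks_random(leftmost_label(h, domain)) and ip not in own_ips}
        if base != "benign" or len(shadowed) < min_shadow_subdomains:
            shadowed = set()
        for h, _ in entries:
            result[h] = "domain_shadowing" if h in shadowed else base
    return result

def shadowed_domains(records, min_shadow_subdomains=3):
    """Registered domains with shadowed subdomains, with the attacker IPs they resolve to."""
    cats = classify(records, min_shadow_subdomains)
    out = defaultdict(set)
    for host, ip in records:
        if cats.get(host) == "domain_shadowing":
            out[registrable(host)].add(ip)
    return dict(out)

if __name__ == "__main__":
    for host, category in classify(RECORDS).items():
        print(f"{category:17} {host}")
    print("shadowed:", shadowed_domains(RECORDS))
```

The attacker IPs that shadowed_domains() returns are the useful output: with the slide's "IP address / ASN relationship" chart in mind, they are what you group by provider before engaging that provider, while the shadowed names themselves churn too fast to be worth blocking one by one.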

Shutting Down Angler
• Partnered with Limestone Networks
  • Examine Angler traffic
• Level-3
  • Continued collaboration after SSHPsychos
  • Proxy server configuration
  • Health monitoring

The Backend Infrastructure

Angler Victims

Potential Revenue
To play with the numbers, please visit: http://talosintel.com/angler-exposed/

Angler Exploit Kit Evolves Again
• Parameter changes
• New gate
• Registered domains
Jan 2016

URL Changes (Jan 2016)
Old Format
New Format

New Gate

Utilizing Free Domains

New Actor

Angler Catches Victims Using Spam
• Impersonating 900+ companies
• Order confirmation emails
May 2016

Recent Development - Angler Spam

The Redirection

Summary
• Angler continues to evolve
• Other exploit kits quickly follow suit
• Detection must evolve to keep pace
• Collaboration provides greater visibility
• Exploit kits industrialized – big money

Nuclear Exploit Kit - Hitting 150+ Countries

Nuclear Details

A Gate Like Any Other

From the Gate to the Kit

Tor All the Things
New payload to avoid C&C detection

Summary
• Started looking and found majority of activity at one provider
• Worked with DigitalOcean to expose activity
• Found majority of traffic outside of US
• Lots of adult/pornographic sites involved in campaign
• 150+ countries involved
• Health monitoring found
• Virtually no logging on proxy server
• Coverage developed for back-end communication
• Tor as a payload is new and could become more common as visibility continues to increase around these types of threats
• Gates and 302 cushioning are being used heavily

CryptoWall Version 4: The Evolution Continues

Overview
• Notorious ransomware
• Version 1 first seen in 2014
• Distributed via exploit kits and phishing emails
• Fast evolution

CRYPTOWALL 4.0

File Encryption
[Diagram: directory listing before encryption, 15/10/07 12:36–12:39: 1.jpg (78,971 bytes), 2.jpg (154,330), 3.jpg (123,240), …]
For each file (e.g. 1.jpg): a temporary AES-256 key is generated, the file is encrypted with it, and the AES key is encrypted with the RSA public key.
Output file (random.xyz): Encrypted AES-256 key | Other data | Encrypted 1.jpg
The temporary AES key can only be decrypted with the private RSA key.
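The per-file hybrid scheme in the diagram above, as an added example (not CryptoWall's code): a fresh random 256-bit key for each file, the file body encrypted under it, the key wrapped with the campaign's RSA public key and written into the output container next to "other data" (here assumed to hold the original file name, which the diagram does not specify). Without the RSA private key the wrapped key, and so the file, stays opaque. Assumptions: standard library only, so AES-256 is stood in for by a SHA-256 counter-mode keystream and RSA is unpadded textbook RSA over a demonstration modulus built from two public Mersenne primes; neither stand-in is secure, and the container layout (tag, wrapped key, other data, ciphertext) is this example's own, not the malware's on-disk format.

```python
"""Per-file hybrid encryption of the CryptoWall kind (added example, toy primitives)."""
import hashlib
import os
import struct

# Demonstration RSA key pair. NOT secure: the primes are well-known Mersenne primes,
# chosen only so the modulus is large enough to wrap a 256-bit key without padding.
P, Q = (1 << 127) - 1, (1 << 521) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent; needs Python 3.8+
N_BYTES = (N.bit_length() + 7) // 8
MAGIC = b"CW4X"                           # made-up container tag for this example

def rsa_wrap(file_key):
    """Encrypt a 32-byte file key with the public key (textbook RSA, no padding)."""
    return pow(int.from_bytes(file_key, "big"), E, N).to_bytes(N_BYTES, "big")

def rsa_unwrap(wrapped, d):
    """Recover the file key with private exponent d; a wrong d yields junk or an error."""
    m = pow(int.from_bytes(wrapped, "big"), d, N)
    if m >= 1 << 256:
        raise ValueError("unwrapped value is not a 256-bit key: wrong private key")
    return m.to_bytes(32, "big")

def keystream_xor(key, data):
    """Stand-in for AES-256-CTR: XOR data with SHA-256(key || block counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">Q", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt_file(plaintext, other_data=b""):
    """Build MAGIC || wrapped key || len(other) || other || ciphertext.
    The temporary file key lives only inside this call and is never stored in clear."""
    file_key = os.urandom(32)
    header = MAGIC + rsa_wrap(file_key) + struct.pack(">I", len(other_data)) + other_data
    return header + keystream_xor(file_key, plaintext)

def parse_container(blob):
    """Split a container into (wrapped_key, other_data, ciphertext)."""
    if blob[:4] != MAGIC:
        raise ValueError("not a container produced by encrypt_file")
    pos = 4
    wrapped = blob[pos:pos + N_BYTES]
    pos += N_BYTES
    (other_len,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    other = blob[pos:pos + other_len]
    return wrapped, other, blob[pos + other_len:]

def decrypt_file(blob, d=D):
    """Recover (plaintext, other_data); only the holder of d can do this."""
    wrapped, other, body = parse_container(blob)
    return keystream_xor(rsa_unwrap(wrapped, d), body), other

if __name__ == "__main__":
    container = encrypt_file(b"constructed image bytes", other_data=b"1.jpg")
    print("container bytes:", len(container), "of which wrapped key:", N_BYTES)
    print("decrypted:", decrypt_file(container))
```

The point for incident responders is in encrypt_file(): the file key is drawn per file and discarded, so memory forensics on the infected host recovers at most the keys of files encrypted while you were looking, and every container carries only the RSA-wrapped copy. Recovery therefore depends on the private key, which is exactly what the payment process on the following slides sells.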

Network Communication
[Sequence diagram: CryptoWall malware ↔ Command and Control server]
1. Malware: initial announcement to C2
2. C2 server ACK
3. Malware: request PubKey, TOR domains, PNG wallpaper
4. C2: send PubKey, TOR domains, PNG wallpaper
5. Malware: verify PubKey and start encrypting files…
6. Malware: operation successful. Files encrypted. Done.
7. C2 server ACK

Excluded Local Regions
• CryptoWall 4 checks local region settings with an undocumented API call
• The following regions are excluded from infections: Russian, Kazakh, Ukrainian, Uzbek, Belarusian, Azeri, Armenian, … other Eastern European countries

Excluded Dir/Files/Ext
Extensions: exe, dll, pif, scr, sys, msi, msp, com, hta, cpl, msc, bat, cmd, scf
Directories: windows, temp, cache, sample pictures, default pictures, Sample Music, program files, program files (x86), games, sample videos, user account pictures, packages
Files: help_your_files.txt, help_your_files.html, help_your_files.png, thumbs.db

Victims View – Full Localization

Detailed Instructions

SamSam: The Doctor Will See You, After He Pays The Ransom

SamSam Targets Healthcare
• Exploits JBoss vulnerability
• Moves laterally
• Targeted across organization
• Used recently against multiple hospitals

Communicating with Threat Actors

Payment Process

Payment Evolution

Summary
• Exploiting network vulnerabilities: JBoss
• Laterally targets multiple systems
• Payment is in Bitcoin
• Obtain private key via blog comment

Threat: JBoss Server Backdoors

Changes in the Threat Landscape
• Vulnerable JBoss servers are being used as an attack vector

Web Shells!
• Web shells are a major security concern and are an indicator of compromise!
• If a web shell has been installed on a server, take immediate steps to remediate the issue

Follett Destiny

Summary
• Patch your systems
• If you find you’ve been compromised, take steps to remediate and remove any backdoors
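An added example for the JBoss web shell slides above (not a Talos tool and not tied to the Follett Destiny case): a hunt script that walks a JBoss deployment tree, flags JSP files whose source reaches a command-execution or class-loading API, rates them higher when the same file also reads attacker-controlled request input, and records each file's SHA-256 as an IOC to share. The sample files are constructed in a temporary directory; the pattern lists are a starting point rather than a complete signature set, and obfuscated shells need broader checks.

```python
"""Hunt for JSP web shells under a JBoss deploy directory (added example)."""
import hashlib
import os
import re
import tempfile

EXEC_PATTERNS = [
    r"Runtime\.getRuntime\(\)\.exec",
    r"new\s+ProcessBuilder\s*\(",
    r"defineClass\s*\(",
    r"cmd\.exe|/bin/sh",
]
INPUT_PATTERNS = [r"request\.getParameter\s*\(", r"request\.getHeader\s*\(",
                  r"request\.getInputStream\s*\("]
SHELL_EXTENSIONS = (".jsp", ".jspx", ".jspf")

def scan_file(path):
    """Return {'severity', 'sha256', 'hits'} or None when nothing matched."""
    with open(path, "rb") as f:
        raw = f.read()
    text = raw.decode("utf-8", errors="replace")
    hits, reads_input = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if any(re.search(p, line) for p in INPUT_PATTERNS):
            reads_input = True
        if any(re.search(p, line) for p in EXEC_PATTERNS):
            hits.append((no, line.strip()))
    if not hits:
        return None
    return {"severity": "high" if reads_input else "review",
            "sha256": hashlib.sha256(raw).hexdigest(),   # IOC to share and block on
            "hits": hits}

def scan_tree(root):
    """Map relative path -> finding for every suspicious JSP under root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SHELL_EXTENSIONS):
                path = os.path.join(dirpath, name)
                finding = scan_file(path)
                if finding:
                    findings[os.path.relpath(path, root)] = finding
    return findings

# Constructed sample deployment; only x.jsp behaves like a shell, uptime.jsp shows
# the lower-confidence case of command execution without request input.
SAMPLES = {
    "deploy/app.war/index.jsp":
        '<%@ page import="java.util.*" %>\n<html><%= new Date() %></html>\n',
    "deploy/management/x.jsp":
        '<% String c = request.getParameter("cmd");\n'
        '   Process p = Runtime.getRuntime().exec(c); %>\n',
    "deploy/app.war/uptime.jsp":
        '<%= Runtime.getRuntime().exec("uptime") %>\n',
    "deploy/app.war/static/logo.png": "not a jsp",
}

def build_sample_tree():
    """Write SAMPLES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="jboss-scan-")
    for rel, body in SAMPLES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    return root

if __name__ == "__main__":
    for rel, finding in sorted(scan_tree(build_sample_tree()).items()):
        print(f"[{finding['severity']}] {rel} sha256={finding['sha256']}")
        for no, line in finding["hits"]:
            print(f"    line {no}: {line}")
```

Point scan_tree() at the server's deploy directory (and any other directory the JBoss instance serves from) and treat every "high" hit as the indicator of compromise the slide describes: remove the file, rotate credentials the shell could reach, and patch or retire the JBoss instance before putting it back, since a shell that is deleted on an unpatched server is usually back within days.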

TALOS INTEL BREAKDOWN

250+ Full Time Threat Intel Researchers
MILLIONS of Telemetry Agents
4 Global Data Centers
1100 Threat Traps
Over 100 Threat Intelligence Partners

THREAT INTEL
1.5 MILLION Daily Malware Samples
600 BILLION Daily Email Messages
16 BILLION Daily Web Requests

Honeypots
Open Source Communities
Vulnerability Discovery (Internal)
Telemetry
Internet-Wide Scanning

INTEL SHARING
Aspis
Crete
AEGIS
3rd Party Programs (MAPP)
ISACs

talosintelligence.com @talossecurity
@kungchiu