TRENDING THE CRIMEWARE ECOSYSTEM
Kevin Stear
Threat Analysis Lead
RSA FirstWatch
@w1mp1
ABSTRACT
Capitalism and open-market forces currently drive the evolution of today's crimeware environment, where a close-knit ecosystem of goods and services thrives on the demand generated by ongoing malicious campaigns.
THE CRIMEWARE ECOSYSTEM
UNDERGROUND FORUMS AND EXCHANGES
Underground forums currently occupy several regional network and market segments
− Emerging W. Africa marketplace
  • Real Nigerians?
Forums act as key exchanges for Crimeware goods and services
− Traffic/Delivery
− Hacking-as-a-Service (HaaS)
− Malware Development
− Infrastructure-as-a-Service (IaaS)
GOODS & SERVICES
Graphic courtesy of Trend Micro:
https://documents.trendmicro.com/assets/wp/wp-cybercrime-and-the-deep-web.pdf
https://documents.trendmicro.com/assets/wp/wp-cybercrime-in-west-africa.pdf
Traffic
− Compromised Site
− Malvertising
− Spam Provider
− Traffic Distribution System (TDS)
Delivery
− Exploit Kit
− Drive-by Download
− Droppers/Clickbait
Hacking
− Denial of Service
− Credential Harvesting
− Reconnaissance
− Bug Hunting
HOW IT WORKS TOGETHER
Malware/Payloads
− Ransomware
− Info-stealer
− Miner
− Remote Access Trojan (RAT)
− Exploit Development
Infrastructure
− Bulletproof Hosting
− Shadow Domains
− Botnets
Diagram labels: TRAFFIC, DELIVERY of EXPLOIT, PAYLOADS, INFRASTRUCTURE, SUSTAINABILITY
HOW IT WORKS TOGETHER – CRIMINAL VIEW
Ecosystem diagram, with the nodes grouped by the categories of the preceding slides:
− TRAFFIC: Malvertising, Compromised Sites, Traffic Distribution System (TDS)
− INFRASTRUCTURE: Bulletproof Hosting, Domain Shadowing, Botnets
− DELIVERY: Drive-by Download, Exploit Kits, Clickbait
− PAYLOADS: RAT, Miner, Info-Stealer, Ransomware
− HACKING-as-a-SERVICE: Denial/Destruct, Bug Hunting, Reconnaissance
− SUSTAINABILITY: New Bots, Cash Money, Credentials
Traffic intersects operational infrastructure
Exploits target vulnerable client devices
Legitimate traffic is herded into designed bottlenecks
Successful payloads and hacking services provide sustainability
HOW IT WORKS TOGETHER – VICTIM VIEW (AKA MY GRANDMA)
The same TRAFFIC / INFRASTRUCTURE / DELIVERY / PAYLOADS / HACKING-as-a-SERVICE / SUSTAINABILITY cycle, annotated from the victim's side:
− Grandma's email address is harvested or purchased from a list service
− A friendly BOTNET delivers…
− *DING* "You have mail!" "Oooh, pictures of my grandkids!"
− *CLICK* (or facepalm)
− Bad stuff lands on the victim machine
− Kevin re-images her machine…
Panicked phone call: "Kevin, my computer just all locked up…"
REALLY… BUT WHY ARE TRENDS IMPORTANT?
CRIMEWARE TRENDS
"Ultimate Anonymity Services" Shop Offers Cybercriminals International RDPs: https://www.flashpoint-intel.com/blog/uas-shop-international-rdp-servers/
Hello all!!! Today we opened our service, into which we invested a lot of time and effort. Right now, we have bruteforced RDP-servers for sale at very low prices, as well as SOCKS. Soon, we'll be offering SSH-tunnels, VPN, and Shells for sale. We hope you will like us, and that you will find everything you are looking for!!!! We will always be happy to listen to your suggestions regarding the functionality and design of the service, as well as suggestions for improvements, etc. Write using our ticket system…
P.S. Before using our service we strongly recommend that you familiarize yourself with our rules and pricing. Just like in the real world, ignorance of the law does not absolve you of responsibility; same here, not knowing our rules does not excuse you from responsibility if you break them.
THE DECLINE OF EXPLOIT KITS
Shadowfall, a joint RSA and GoDaddy takedown
− Disrupts more than 40,000 active shadow domains supporting the RIG Exploit Kit (EK) and other malicious campaigns
Decline in Exploit Kits?
− Perceived shift away from compromised sites as a traffic source for EK delivery, driven by the increased scarcity of the credentials needed to abuse them (site, hosting and registrar logins)
− Industry research supports this*
Impact
− Malspam takes over as the primary delivery vector
− Malvertising becomes the primary traffer
* Decline in RIG Exploit Kit: https://researchcenter.paloaltonetworks.com/2017/06/unit42-decline-rig-exploit-kit/
* Fluctuation in the Exploit Kit Market – Temporary Blip or Long-term Trend?: https://www.digitalshadows.com/blog-and-research/fluctuation-in-the-exploit-kit-market-temporary-blip-or-long-term-trend/
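Domain shadowing, the technique Shadowfall went after, leaves a recognizable footprint in passive DNS: the apex and www of a legitimate domain keep resolving to the owner's hosting, while a burst of freshly created, random-looking subdomains appears under it pointing at attacker IP space. The detector below is an added example written for this page, not RSA FirstWatch or GoDaddy tooling. The passive-DNS records are constructed (documentation IP ranges, invented names), and it assumes the registrable domain is the last two labels, which real code would replace with a Public Suffix List lookup.

```python
"""Heuristic detector for domain shadowing in passive-DNS style records.

Added example for this page (not RSA FirstWatch or GoDaddy tooling): a
shadowed domain typically keeps its apex/www pointed at the legitimate host
while a burst of newly created, random-looking subdomains points at the
attacker's exploit-kit landing pages.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample passive-DNS records: (hostname, resolved IP, first seen).
# Names are invented; the IPs come from documentation ranges.
SAMPLE_PDNS = [
    ("example-shop.com",         "198.51.100.10", "2017-03-01T00:00:00"),
    ("www.example-shop.com",     "198.51.100.10", "2017-03-01T00:00:00"),
    ("mail.example-shop.com",    "198.51.100.11", "2017-03-02T00:00:00"),
    ("ak3qz8.example-shop.com",  "203.0.113.7",   "2017-06-05T09:12:00"),
    ("x9tr2vp.example-shop.com", "203.0.113.7",   "2017-06-05T09:15:00"),
    ("q7lm4.example-shop.com",   "203.0.113.8",   "2017-06-05T09:20:00"),
    ("zpr83k.example-shop.com",  "203.0.113.8",   "2017-06-05T10:01:00"),
    ("legit-news.org",           "192.0.2.20",    "2017-05-01T00:00:00"),
    ("blog.legit-news.org",      "192.0.2.20",    "2017-05-01T00:00:00"),
    ("shop.legit-news.org",      "192.0.2.21",    "2017-06-05T09:00:00"),
]


def registered_domain(host):
    """Assumption for this example: the registrable domain is the last two
    labels. Real code should consult the Public Suffix List (co.uk, etc.)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of a label."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def looks_random(label):
    """Generated labels mix letters and digits or have unusually flat
    character distributions; 'mail', 'shop', 'www' do not."""
    has_digit = any(ch.isdigit() for ch in label)
    has_alpha = any(ch.isalpha() for ch in label)
    return (has_digit and has_alpha) or shannon_entropy(label) > 2.5


def find_shadowed_domains(records, window=timedelta(hours=24), min_new=3):
    """Return {registered_domain: [suspicious hostnames]} for every domain
    that gained >= min_new random-looking subdomains within `window`, all
    resolving to IPs the apex/www never used."""
    by_domain = defaultdict(list)
    for host, ip, seen in records:
        host = host.lower().rstrip(".")
        by_domain[registered_domain(host)].append(
            (host, ip, datetime.fromisoformat(seen)))

    flagged = {}
    for apex, recs in by_domain.items():
        legit_names = {apex, "www." + apex}
        apex_ips = {ip for host, ip, _ in recs if host in legit_names}
        candidates = sorted(
            (seen, host)
            for host, ip, seen in recs
            if host not in legit_names
            and ip not in apex_ips
            and looks_random(host[: -len(apex) - 1].split(".")[0])
        )
        # Sliding window over first-seen times: a burst, not a slow trickle.
        for i in range(len(candidates)):
            j = i
            while j < len(candidates) and candidates[j][0] - candidates[i][0] <= window:
                j += 1
            if j - i >= min_new:
                flagged[apex] = sorted(host for _, host in candidates[i:j])
                break
    return flagged


if __name__ == "__main__":
    for domain, hosts in find_shadowed_domains(SAMPLE_PDNS).items():
        print(f"possible domain shadowing under {domain}: {hosts}")
```

The IP check matters as much as the label check: a new `shop.` subdomain on fresh hosting is normal business, whereas several random labels appearing within a day and none of them touching the apex's IP space is the registrar-credential-abuse pattern. Tune `window` and `min_new` to the volume of the passive-DNS feed.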
RIG EXPLOIT KIT
MARKET FORCES AT WORK?
Crimeware ecosystem diagram for RIG EK, with nodes: Compromised Sites, Malvertising, Traffic Distribution System (TDS), Bulletproof Hosting, Domain Shadowing, Exploit Kit, CHTHONIC Banking Trojan, Crypto Currency Miners, RAMNIT Ransomware, Cash Money, Credentials
2017 SUMMER OF MALSPAM
From Jun-Sep 2017, RSA FirstWatch saw the increased use of Malspam as a delivery vector:
Crimeware:
− JACKSBOT
− CVE-2017-8759
− XMRIG (Miner)
− ZBOT
− CVE-2017-0199
− NANOBOT
− HANCITOR/PONY
− LOCKY
− TRICKBOT
− GLOBEIMPOSTER
− BEBLOH
− CERBER
− TRICKBOT
− AGENTTESLA
− HAWKEYE
− EMOTET
− LOCKY
− LOKIBOT
− ZYKLON
− CERBER
− DRIDEX
Targeted:
− MOONWIND
− COBALT STRIKE
− CVE-2017-0262
− DIMNIE
− CHTHONIC/DIMNIE
− XTREME
− MONSOON
Graphic courtesy of @james_inthe_box
LOCKY AND CERBER
Crimeware ecosystem diagram with nodes: Malvertising, Malspam, Bulletproof Hosting, Botnets, Drive-by Download, CERBER Ransomware, LOCKY Ransomware, Cash Money, Credentials
CUSTOMER SERVICE! Thanks CERBER… so thoughtful ;)
Ransomware remains a RELIABLE REVENUE STREAM
Backup routinely & use DMARC, people!
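"Use DMARC" is only half the advice: a record published with p=none does nothing to the spoofed Locky or Cerber mail that arrives claiming to be from your domain; it merely reports it. The grader below is an added example written for this page, not RSA tooling. It parses a DMARC TXT record's tags (RFC 7489 syntax) and says how much enforcement the record actually buys. The three records are constructed for a made-up domain, and the DNS lookup of `_dmarc.<domain>` is left to the caller so the block runs offline.

```python
"""Grade a DMARC record for how much it actually blocks spoofed malspam.

Added example (not RSA tooling). Only the record syntax is handled here; the
DNS lookup of _dmarc.<domain> TXT is left to the caller, so the block runs
offline on the constructed records below.
"""

# Constructed records for three postures of a made-up domain.
SAMPLE_RECORDS = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-rua@example.com",
    "strict":  "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
               "rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com",
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; reject records that a
    receiver would ignore (wrong version tag, missing/invalid p=)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    return tags


def grade_dmarc(record):
    """Return (verdict, findings); verdict is 'monitor-only', 'partial'
    or 'enforcing'."""
    tags = parse_dmarc(record)
    policy = tags["p"]
    pct = int(tags.get("pct", "100"))
    sub_policy = tags.get("sp", policy)      # sp= defaults to p= per RFC 7489
    findings = []

    if policy == "none":
        findings.append("p=none asks receivers to take no action; spoofed mail is delivered")
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains spoofable although the apex is protected")
    if "rua" not in tags:
        findings.append("no rua=: without aggregate reports you never see who is spoofing you")
    if tags.get("adkim", "r") == "r" and tags.get("aspf", "r") == "r":
        findings.append("relaxed alignment (default): any subdomain passing SPF/DKIM aligns")

    if policy == "none":
        verdict = "monitor-only"
    elif policy == "reject" and pct == 100 and sub_policy != "none":
        verdict = "enforcing"
    else:
        verdict = "partial"
    return verdict, findings


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        verdict, findings = grade_dmarc(rec)
        print(f"{name:8s} -> {verdict}")
        for f in findings:
            print("   -", f)
```

The usual rollout is monitor-only (p=none plus rua= to learn who legitimately sends as you), then quarantine with a rising pct=, then reject. DMARC only covers exact-domain spoofing; look-alike domains in malspam still need user training and mail-gateway controls.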
THE DESTABILIZATION OF UKRAINE… BULLETPROOF HOSTING?
Graphic courtesy of Wikipedia
"Hey, they're not enforcing many laws… let's host our Crimeware campaign over here!?"
CREDENTIAL & INFRASTRUCTURE HARVESTING
Continued trend of heightened rates of scanning and brute-force attacks
One of many conveniently available, botnet-enabled hacking services
Chart credit: @bad_packets
SSH attacks are on the rise! (HACKING-as-a-SERVICE)
Indicative of increased DEMAND for scarce goods?
Why is port 22 open???
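The brute-force wave the chart describes is visible on any internet-facing host with a plain read of its sshd log. The detector below is an added example written for this page, not RSA or @bad_packets tooling. It parses OpenSSH syslog lines, counts failed logins per source within a sliding window, and escalates to critical when a login from the same source succeeds afterwards, which is the case that matters (the RDP/SSH-access shops on the earlier slide resell exactly those wins). The log lines are constructed in the standard OpenSSH format with documentation-range IPs.

```python
"""Flag SSH brute-force sources in OpenSSH auth.log lines.

Added example (not RSA or @bad_packets tooling). The log lines below are
constructed in the standard OpenSSH syslog format; IPs are from documentation
ranges. A source is flagged when it racks up `threshold` failed logins within
`window`, and escalated to critical if any login from it then succeeds.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = """\
Jun  5 09:12:01 bastion sshd[2011]: Invalid user admin from 203.0.113.45 port 51022
Jun  5 09:12:01 bastion sshd[2011]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Jun  5 09:12:03 bastion sshd[2013]: Failed password for root from 203.0.113.45 port 51030 ssh2
Jun  5 09:12:05 bastion sshd[2015]: Failed password for invalid user oracle from 203.0.113.45 port 51034 ssh2
Jun  5 09:12:07 bastion sshd[2017]: Failed password for invalid user test from 203.0.113.45 port 51040 ssh2
Jun  5 09:12:09 bastion sshd[2019]: Failed password for root from 203.0.113.45 port 51044 ssh2
Jun  5 09:12:14 bastion sshd[2021]: Accepted password for root from 203.0.113.45 port 51050 ssh2
Jun  5 09:13:00 bastion sshd[2030]: Accepted publickey for deploy from 198.51.100.5 port 40122 ssh2
Jun  5 09:30:00 bastion sshd[2101]: Failed password for alice from 198.51.100.9 port 50110 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# Each bad-username attempt logs both an 'Invalid user' and a 'Failed password'
# line, so only the latter is counted as a failure.
EVENT_RES = (
    ("fail",    re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("invalid", re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("accept",  re.compile(r"^Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+")),
)


def parse_line(line):
    """Return {'ts','kind','user','ip'} for lines we care about, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; fine for intra-file time deltas.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    for kind, rx in EVENT_RES:
        ev = rx.match(m["msg"])
        if ev:
            return {"ts": ts, "kind": kind, "user": ev["user"], "ip": ev["ip"]}
    return None


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: alert} for sources exceeding `threshold` failures in `window`."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["kind"] == "fail"]
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                first_fail = fails[start]["ts"]
                accepted = sorted({e["user"] for e in events
                                   if e["kind"] == "accept" and e["ts"] >= first_fail})
                alerts[ip] = {
                    "failures": len(fails),
                    "users_tried": sorted({e["user"] for e in fails}),
                    "accepted_after": accepted,
                    "severity": "critical" if accepted else "high",
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, alert)
```

Detection is the fallback; the slide's real question ("why is port 22 open???") is answered in sshd_config with `PasswordAuthentication no`, `PermitRootLogin no` and a source allow-list or bastion, after which the same log shows only the noise and never a critical.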
TRICKBOT AND HANCITOR
Crimeware ecosystem diagram with nodes: Malspam, Clickbait, Bulletproof Hosting, Botnets, HANCITOR Info-stealers, TRICKBOT Banking Trojan, Credentials
HEY, THANKS FOR THE BANK ACCOUNT INFORMATION!
Also indicative of increased DEMAND for scarce goods?
Weird, that PNG file is really an EXE…
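The "PNG that is really an EXE" is caught by trusting the bytes rather than the filename. The checker below is an added example written for this page, not RSA code. It sniffs the leading magic bytes of an attachment, walks the DOS header's e_lfanew pointer to confirm a real PE rather than a bare MZ stub, compares the result with what the extension claims, and flags the double-extension trick (`grandkids.png.exe`) that relies on Windows hiding known extensions. The PE and PNG samples are constructed in the block; no real malware is involved.

```python
"""Content sniffing for mail attachments: does the file match its extension?

Added example (not RSA code). It covers the slide's 'PNG that is really an
EXE' and generalizes to a few formats common in malspam. Sample bytes are
constructed in the block; no real malware is involved.
"""
import struct

# (type name, magic bytes at offset 0). Office 2007+ docs are ZIP containers.
MAGIC = (
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF8"),
    ("jpg", b"\xff\xd8\xff"),
    ("pdf", b"%PDF-"),
    ("zip", b"PK\x03\x04"),
    ("rtf", b"{\\rtf"),
    ("ole", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),   # legacy .doc/.xls/.msi
)
# Extensions that legitimately map onto a sniffed type.
EXT_TO_TYPE = {
    "png": "png", "gif": "gif", "jpg": "jpg", "jpeg": "jpg", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip",
    "rtf": "rtf", "doc": "ole", "xls": "ole", "msi": "ole",
    "exe": "exe", "dll": "exe", "scr": "exe", "com": "exe",
}
DECOY_EXTS = {"png", "jpg", "jpeg", "gif", "pdf", "doc", "txt"}


def is_pe(data):
    """MZ stub whose e_lfanew (offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def sniff(data):
    """Return the type implied by the content, or None if unrecognized."""
    if data[:2] == b"MZ":
        return "exe" if is_pe(data) else "mz-stub"
    for name, magic in MAGIC:
        if data.startswith(magic):
            return name
    return None


def check_attachment(filename, data):
    """Compare the claimed extension against sniffed content and decide."""
    parts = filename.lower().rsplit(".", 2)
    claimed_ext = parts[-1] if len(parts) > 1 else None
    claimed = EXT_TO_TYPE.get(claimed_ext)
    actual = sniff(data)
    reasons = []
    if actual in ("exe", "mz-stub") and claimed != "exe":
        reasons.append(f"executable content behind .{claimed_ext} extension")
    elif claimed and actual and claimed != actual:
        reasons.append(f"content is {actual}, extension says {claimed_ext}")
    if len(parts) == 3 and parts[-2] in DECOY_EXTS and claimed == "exe":
        reasons.append(f"double extension .{parts[-2]}.{parts[-1]} hides the real type")
    if actual is None:
        reasons.append("unrecognized content; inspect manually")
    blocking = [r for r in reasons if not r.startswith("unrecognized")]
    verdict = "block" if blocking else "allow"
    return {"claimed": claimed_ext, "actual": actual, "verdict": verdict, "reasons": reasons}


def build_fake_pe():
    """Constructed minimal PE: DOS header with e_lfanew=0x40, then 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\0\0\0\rIHDR" + b"\0" * 17

if __name__ == "__main__":
    for name, blob in (("grandkids.png", build_fake_pe()),
                       ("grandkids.png.exe", build_fake_pe()),
                       ("grandkids.png", SAMPLE_PNG),
                       ("invoice.docx", b"PK\x03\x04" + b"\0" * 26)):
        print(name, check_attachment(name, blob))
```

Magic bytes are a first filter, not a verdict: a macro-laden `.docx` is a perfectly valid ZIP and a weaponized `.rtf` (the CVE-2017-0199 and CVE-2017-8759 lures on the malspam slide) sniffs as RTF. The point of the check is the cheap, high-confidence case where the container type itself lies about what it is.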
BOTNETS
Current Threats
− NECURS
  • Mixed personal computers, servers, other devices…
− MIRAI/PERSIRAI
  • Internet of Things (IoT) devices
− REAPER
  • IoT devices
− SCHOOLBELL
  • Schools, libraries, and more
Just who controls these capabilities?
How are they being weaponized?
− Malspam (e.g., Locky)
− Malvertising (e.g., Methbot)
− Hacking services (e.g., DDoS)
− Operational Relay Botnet (ORB)
THE DDOS THREAT
Distributed Denial of Service (DDoS)
DDoS Extortion
INFRASTRUCTURE INVESTMENT: DDoS now comes with pulse wave attacks to increase your attack surface!!
DDoS Protection & Fallback Comms Plan
Arbor Networks 12th Worldwide Infrastructure Security Report: https://pages.arbornetworks.com/rs/082-KNA-087/images/12th_Worldwide_Infrastructure_Security_Report.pdf
Help Net Security: https://www.helpnetsecurity.com/2017/09/25/large-ddos-attacks/
RISE OF THE MINERS
The idea of a cryptographically secured chain of blocks dates to 1991 and was first conceptualized as a digital currency in 1998 as 'Bit Gold'. Bitcoin, the first decentralized digital currency, was implemented in 2009.
Blockchain: a chronological series of transactions/records in which each block references the previous one, creating an immutable, distributed digital ledger.
RSA FirstWatch tracks actors' use of Monero mining and drive-by mining via Coinhive
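Drive-by mining has a simple signature in the served page: the miner library is loaded and a miner object is constructed with the actor's site key, often with the CPU throttle turned down so the victim's browser works as hard as possible. The scanner below is an added example written for this page, not RSA FirstWatch tooling. The loader path `coinhive.min.js` and the `CoinHive.Anonymous` / `CoinHive.User` constructors are the public Coinhive API as it was documented in 2017; the two HTML pages are constructed and the 32-character site key in them is invented.

```python
"""Spot drive-by mining (Coinhive-style) in fetched page HTML.

Added example (not RSA FirstWatch tooling). The Coinhive loader URL and the
CoinHive.Anonymous/CoinHive.User constructor names are the service's public
API as documented in 2017; the HTML pages below are constructed, and the
32-character site key in them is made up.
"""
import re

SIGNATURES = (
    # <script src=".../coinhive.min.js">; the loader was also served through
    # third-party proxies, so the path is matched rather than only the host.
    ("loader", re.compile(r"""<script[^>]+src\s*=\s*["']([^"']*coinhive(?:\.min)?\.js)["']""", re.I)),
    # new CoinHive.Anonymous('<site key>', {...}) / CoinHive.User('<site key>', 'user')
    ("constructor", re.compile(r"""new\s+CoinHive\.(?:Anonymous|User)\(\s*["']([A-Za-z0-9]{32})["']""")),
    # throttle: 0 means 100% of the victim's CPU
    ("throttle", re.compile(r"throttle\s*:\s*([01](?:\.\d+)?)")),
    ("start", re.compile(r"\.start\(\s*(?:CoinHive\.\w+)?\s*\)")),
)


def scan_html(html):
    """Return verdict, extracted site keys and the evidence that drove it."""
    evidence = []
    site_keys = []
    throttle = None
    for kind, rx in SIGNATURES:
        for m in rx.finditer(html):
            evidence.append((kind, m.group(0)[:80]))
            if kind == "constructor":
                site_keys.append(m.group(1))
            elif kind == "throttle":
                throttle = float(m.group(1))
    kinds = {k for k, _ in evidence}
    if "constructor" in kinds or ("loader" in kinds and "start" in kinds):
        verdict = "drive-by-mining"
    elif "loader" in kinds:
        verdict = "suspicious"           # loader present, miner not started here
    else:
        verdict = "clean"
    return {"verdict": verdict, "site_keys": sorted(set(site_keys)),
            "throttle": throttle, "evidence": evidence}


# Constructed pages. The site key is invented.
MINING_PAGE = """<html><head><title>Free Streams</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('Ab3dEf9hIjKlMnOpQrStUvWxYz012345', {throttle: 0.3});
  miner.start(CoinHive.IF_EXCLUSIVE_TAB);
</script></head><body>Enjoy</body></html>"""

CLEAN_PAGE = """<html><head><script src="/static/app.min.js"></script>
<script>window.addEventListener('load', function(){ app.start(); });</script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for name, page in (("mining", MINING_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_html(page))
```

The extracted site key is the useful artifact: it is the actor's payout identifier, so the same key turning up across unrelated compromised sites ties those sites to one campaign, which is exactly the kind of linkage the TDS and domain-reputation view of the ecosystem needs.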
TERROR EXPLOIT KIT
Crimeware ecosystem diagram with nodes: Malvertising, Traffic Distribution System (TDS), Bulletproof Hosting, Domain Shadowing, TERROR Exploit Kit, Coinminer, Ransomware, Cash Money
NEW REVENUE STREAM: Mining malware and drive-by mining represent CAPITAL innovation by threat actors
Threat Intelligence & Domain Reputation Services
PREVALENCE OF SSL AND CODE-SIGNING CERTS
'Borrowing Microsoft Code Signing Certificates': https://blog.conscioushacker.io/index.php/2017/09/27/borrowing-microsoft-code-signing-certificates/
'Subverting Trust in Windows – A Case Study of the "How" and "Why" of Engaging in Security Research' (SpecterOps)
This trend speaks to the growing sophistication not just of advanced persistent threat (APT) actors but also of crimeware actors, and directly adds to the mounting challenges faced by defenders, who now increasingly encounter signed malware and encrypted malicious traffic.
What can you do?
• Certificate whitelisting/blacklisting
• Care about SSL cert metadata
• Know what's in your root store!
MOVING FORWARD
− MALVERTISING AND MALSPAM REMAIN PRIMARY DELIVERY VECTORS
− 'DARKNET' ISN'T GOING AWAY & EMPHASIS ON CREDENTIAL HARVESTING PERSISTS
− RANSOMWARE & CRYPTO-CURRENCY ARE IMPORTANT REVENUE STREAMS
− BOTNET CAPABILITIES AND BULLETPROOF HOSTING PROVIDERS INCREASE
− INCREASED ADOPTION OF ENCRYPTION WILL BRING MORE COMPLEXITY TO DEFENDING NETWORKS
@RSASecurity
THANK YOU