© 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Monthly Cyber Threat Briefing - HITRUST · 2015-10-12 · Dennis Palmer: Senior Security Analyst, HITRUST Tawfiq Shah: Senior Threat Intelligence Analyst, FireHost Thomas Skybakmoen:


Page 1

Monthly Cyber Threat Briefing, July 2015

Page 2

Presenters
• Dennis Palmer: Senior Security Analyst, HITRUST
• Tawfiq Shah: Senior Threat Intelligence Analyst, FireHost
• Thomas Skybakmoen: Research Vice President, NSS Labs, Inc.
• Aaron Shelmire: Senior Security Researcher, Threatstream
• Toni Benson: Team Lead, US-CERT

Page 3

Future Briefings - Announcement
• August MTB cancelled (due to Black Hat); the monthly report will be released
• Next MTB scheduled for the third Thursday of September
• FireHost will lead future briefings beginning in September
• Content changes
  – Focus on trends in the healthcare industry
  – Actionable data
  – Demonstration of how threat actors operate

Page 4

Agenda
• FireHost: Procedures used by threat actors
• NSS Labs: Emerging and unknown exploits and product effectiveness
• ThreatStream: Emerging threats
• US-CERT: Situational update on new products
• HITRUST: CSF controls related to ongoing threats
• Q&A session

Page 5

Procedures Used by Threat Actors

Page 6

Activity on a Sample Medical Company

You cannot be static in your defense; attackers are getting more innovative. Without continuous vigilance, all companies can eventually be breached.

Page 7

New Vulnerability Detected: one hour later, activity is noted (IOS vulnerability)

Companies need to proactively search out Indicators of Compromise (IOCs)

Page 8

Partnership Relationship Sample Medical Company: Every Avenue is Open to Attack

Your strength is measured by your weakest link. Phishing remains the weakest link in the chain.

Trust relationships between vendors, partners, or contractors can be leveraged to infiltrate a target network.

Page 9

Domain Squatting (Cybersquatting)

FireHost TRU Recommendation: Establish alerts with your threat intelligence provider/subscription to keep an eye on suspicious domains.

Page 10

Continued Vigilance in the Fight Against Phishing

FireHost TRU Recommendation: Continuously reinforce employee education and run internal phishing campaigns to test the effectiveness of your employees' training.

Page 11

Targeted Vulnerabilities Related to the Healthcare Sector

Example of an APT proactively searched for: Chinese APT: RasWMI, aka HcdLoader malware, used in a recent major health care system breach

Page 12

Sample: Potentially Vulnerable Server

Operating systems run to over a million lines of code, making them impossible to fully verify. Keeping up with patching is an imperative task.

Attack Vectors
• App
• OS

Page 13

Emerging and Unknown Exploits and Product Effectiveness

NSS Labs

Page 14

• NSS observed more than a 200 percent increase in unique callbacks for the month of June, which contrasts with May, when the number of unique callbacks declined.

• As in previous months, exploits and attack campaigns focused on Java, Silverlight, and Internet Explorer. Unlike previous months, attacks on Flash were less prevalent.

• The TS WebProxy vulnerability (CVE-2015-0016) uses an escalation of privileges to escape the Internet Explorer sandbox and is increasingly being used together with CVE-2014-6332. The combination allows remote attackers to execute arbitrary code via a crafted web site on several versions of the Windows operating system.

* Data from June 2015—NSS Labs Threat Capabilities Report

Page 15

Top Targeted Applications and Operating Systems

Application/OS combination. OS columns on the slide: Windows 7 SP1 | Windows Vista SP1 | Windows XP SP3. A • marks each OS on which the application was targeted; the column alignment did not survive extraction, so only the number of marked OS versions per application is recoverable.

Internet Explorer 6       •
Internet Explorer 7       • •
Internet Explorer 8       •
Internet Explorer 9       •
Java 6 Update 22          • • •  (all three)
Java 6 Update 23          •
Java 6 Update 27          •
Java 7                    •
Java 7 Update 2           •
Silverlight 4.0.51204     •

* Data from June 2015—NSS Labs

Page 16

Top Origin of Threats

* Data from June 2015—NSS Labs

Page 17

Top Command and Control Hosting by Geo

Rank  Country
1     China
2     United States
3     Hong Kong
4     South Korea
5     Netherlands
6     Taiwan
7     Germany
8     France
9     Australia
9     India
9     United Kingdom

* Data from June 2015—NSS Labs

Page 18

C&C Server Locations & Callback Ports

10 commonly used command and control (C&C) server locations in combination with 10 commonly used callback ports.

Port columns on the slide: 25 | 80 | 81 | 99 | 3201 | 173 | 20008 | 40008 | 10086 | 1691. A • marks each port observed for that country; the column alignment did not survive extraction, so only the number of ports per country is recoverable.

China              • • • • • • •  (7 of the 10 ports)
France             •
Germany            • •
Hong Kong          •
India              •
Netherlands        • •
South Korea        • •
Taiwan             •
United Kingdom     •
United States      • • •

* Data from June 2015—NSS Labs

Page 19

CAWS: All Threats

* Data from June 2015—NSS Labs

Page 20

CAWS: All Threats (January - June)

* Data from June 2015—NSS Labs

Page 21

CAWS: Origin of Threats (January - June)

* Data from June 2015—NSS Labs

Page 22

CAWS: Applications (January - June)

* Data from June 2015—NSS Labs

Page 23

CAWS: Vendors (January - June)

* Data from June 2015—NSS Labs

Page 24

Emerging Trends

Page 25

Wekby Threat Actors

Tools
• HTTPBrowser
• Xyligan a/k/a TornRAT
• HcdLoader – on servers
• PlugX – on Win7+
• PoisonIvy – on WinXP
• 9002/NAID

Summary
• RSA Compromise
• Wekby.com
• Mincesur.com
• TG-0416
• Dynamite Panda
• APT-18

TTPs
• Phishes
  – Wave 1 – credential theft
  – Later waves – VPN or Citrix updates
• Living off the land
• Long-term persistence
• USB key compromise(s)
  – PoisonIvy Smallfish password

Page 26

Wekby 30 June Campaign
• Modified HTTPBrowser
  – DNS C2 to it-desktop.com and get2go.com
  – ROP chain obfuscation
• Evasive Maneuvers by the Wekby group with Custom ROP packing and DNS Covert Channels
  – https://hitrustctx.threatstream.com/tip/1135

Page 27

ROP Chain Obfuscation

• Modifies the stack to control execution flow.
• Pushes values for the subsequent functions onto the stack; when the subroutine exits, EIP is popped from the stack, so the pushed value becomes the next function executed.
• In this case the subroutine is at 0x40F62E.
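A static pattern scan for the push/ret dispatch the slide describes, as an added example that is not code from the briefing or from ThreatStream. It assumes the obfuscated subroutine queues its next functions with 32-bit `push imm32` instructions and leaves through `ret`; the byte sample is constructed around the 0x40F62E address from the slide, not taken from the Wekby HTTPBrowser binary.

```python
"""Static heuristic for the push/ret dispatch pattern described on this slide.

Added example, not code from the briefing or from ThreatStream. It assumes the
obfuscated subroutine queues the next functions with 32-bit `push imm32`
(opcode 0x68) instructions and leaves through `ret` (0xC3 / 0xC2); the byte
sample is constructed, not taken from the Wekby HTTPBrowser binary.
"""
import struct

PUSH_IMM32 = 0x68
RET_OPCODES = (0xC3, 0xC2)  # ret, ret imm16


def find_push_ret_chains(code: bytes, base: int = 0, min_pushes: int = 2):
    """Return [(address, [next functions in execution order]), ...].

    Each hit is a run of at least min_pushes consecutive push imm32
    instructions followed directly by a ret. Because ret pops the most
    recently pushed value first, the execution order is the reverse of
    the push order. This is a byte-pattern scan, not a disassembler, so
    treat hits as leads to confirm in a disassembler or debugger.
    """
    chains = []
    i = 0
    while i < len(code):
        if code[i] != PUSH_IMM32:
            i += 1
            continue
        j, pushed = i, []
        while j + 5 <= len(code) and code[j] == PUSH_IMM32:
            pushed.append(struct.unpack_from("<I", code, j + 1)[0])
            j += 5
        if j < len(code) and code[j] in RET_OPCODES and len(pushed) >= min_pushes:
            chains.append((base + i, list(reversed(pushed))))
            i = j + 1  # skip past the ret; sub-runs of this chain are not re-reported
        else:
            i += 1     # no ret after the run; keep scanning byte by byte
    return chains


# Constructed bytes standing in for the subroutine at 0x40F62E (the address
# comes from the slide; the instruction sequence does not).
SAMPLE = bytes.fromhex(
    "558BEC"        # push ebp; mov ebp, esp     ordinary prologue
    "6810A04000"    # push 0x0040A010            single argument push ...
    "E800000000"    # call rel32                 ... consumed by a call, not a ret
    "6820B04000"    # push 0x0040B020            three pushes in a row ...
    "6830C04000"    # push 0x0040C030
    "6840D04000"    # push 0x0040D040
    "C3"            # ret                        ... ending in ret: the chain
)


def describe(chains):
    """Human-readable line per chain, listing the functions in execution order."""
    return [f"{addr:#010x}: ret-dispatch to " + " -> ".join(f"{a:#010x}" for a in seq)
            for addr, seq in chains]


if __name__ == "__main__":
    for line in describe(find_push_ret_chains(SAMPLE, base=0x40F62E)):
        print(line)
```

The single push before the `call` is deliberately not reported: only a run of pushes that ends in `ret` matches the dispatch shape.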

Page 28

Investigation and Protection

• DNS C2 complicates simple searches for indicators.
• On a Windows DNS server, enumerate the TXT records for the C2 domain: dnscmd /enumrecords it-desktop.com /type TXT
• Global Query Block List, Active Directory: https://technet.microsoft.com/en-us/library/cc794902(WS.10).aspx
• BIND block via zone (declare the C2 domain as a locally authoritative zone so resolvers never reach the real one):
  zone "it-desktop.com" { type master; file "blockfile"; };
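A detection heuristic for the DNS covert channel this slide is about, as an added example that is not code from the briefing or from ThreatStream. It assumes BIND-style query-log lines (the sample below is constructed; only the two C2 domain names come from the briefing) and flags a registered domain that receives many TXT lookups for many distinct, high-entropy subdomains.

```python
# Detection heuristic for DNS-based C2 such as the TXT-record channel on this slide.
# Added example, not code from the briefing or from ThreatStream. It assumes
# BIND-style query-log lines (the sample below is constructed) and flags a
# registered domain that receives many TXT lookups for many distinct,
# high-entropy subdomains, the shape a DNS covert channel tends to have.
import math
import re
from collections import defaultdict

LOG_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")

# Constructed sample log: the two C2 domains come from the briefing, everything else is made up.
SAMPLE_LOG = [
    "12-Jul-2015 10:01:02.100 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.2)",
    "12-Jul-2015 10:01:03.200 client 10.0.0.5#51235: query: 4f9a1c7e2b8d3065.it-desktop.com IN TXT + (10.0.0.2)",
    "12-Jul-2015 10:01:04.300 client 10.0.0.5#51236: query: e81b5a03f2c94d76.it-desktop.com IN TXT + (10.0.0.2)",
    "12-Jul-2015 10:01:05.400 client 10.0.0.5#51237: query: 7c2e9f04a6b1d385.it-desktop.com IN TXT + (10.0.0.2)",
    "12-Jul-2015 10:01:06.500 client 10.0.0.5#51238: query: b05d3a7f19c8e642.it-desktop.com IN TXT + (10.0.0.2)",
    "12-Jul-2015 10:01:07.600 client 10.0.0.5#51239: query: 29ae6d1c0b4f7583.it-desktop.com IN TXT + (10.0.0.2)",
    "12-Jul-2015 10:01:08.700 client 10.0.0.5#51240: query: 4f9a1c7e2b8d3065.it-desktop.com IN TXT + (10.0.0.2)",
    "12-Jul-2015 10:01:09.800 client 10.0.0.7#51241: query: mail.example.com IN A + (10.0.0.2)",
    "12-Jul-2015 10:01:10.900 client 10.0.0.7#51242: query: 5d8c1f3a.get2go.com IN TXT + (10.0.0.2)",
    "12-Jul-2015 10:01:11.950 client 10.0.0.7#51243: query: a3f7c1e9.get2go.com IN TXT + (10.0.0.2)",
]


def registered_domain(qname: str) -> str:
    """Last two labels; good enough for .com, a public-suffix list is needed in general."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def analyse(lines, min_txt=5, min_unique=4, min_entropy=3.0):
    """Return {domain: stats} for every registered domain that trips all three thresholds."""
    stats = defaultdict(lambda: {"txt": 0, "subs": set(), "ent": []})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")  # everything left of the registered domain
        st = stats[dom]
        if m.group("qtype") == "TXT":
            st["txt"] += 1
        if sub:
            st["subs"].add(sub)
            st["ent"].append(entropy(sub.replace(".", "")))
    flagged = {}
    for dom, st in stats.items():
        avg_ent = sum(st["ent"]) / len(st["ent"]) if st["ent"] else 0.0
        if st["txt"] >= min_txt and len(st["subs"]) >= min_unique and avg_ent >= min_entropy:
            flagged[dom] = {"txt": st["txt"], "unique_subdomains": len(st["subs"]),
                            "avg_entropy": round(avg_ent, 2)}
    return flagged


if __name__ == "__main__":
    for dom, st in analyse(SAMPLE_LOG).items():
        print(f"suspicious DNS channel: {dom} {st}")
```

The thresholds are deliberately conservative so that the two get2go.com lookups in the sample stay below the alerting bar; tune them against your own resolver's baseline before relying on the output.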

Page 29

Evasive Maneuvers by the Wekby group with Custom ROP-Packing and DNS Covert Channels

https://hitrustctx.threatstream.com/tip/1135

Page 30

Situational Update on New Products

Page 31

CSF Controls Related to Ongoing Threats

Page 32

CSF Controls Related to Threats
• CSF Control for Phishing
  – Control Reference: 01.f Password Use
    • Control Text: Users shall be made aware of their responsibilities for maintaining effective access controls and shall be required to follow good security practices in the selection and use of passwords and security of equipment.
    • Implementation Requirement: Users are made aware of the organization's password policies and requirements to keep passwords confidential, select quality passwords, use unique passwords, not provide their password to anyone for any reason, and change passwords when there is suspected compromise.

Page 33

CSF Controls Related to Threats
• CSF Control for Suspicious Domain Registrations (Cybersquatting)
  – Control Reference: 01.i Policy on the Use of Network Services
    • Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.
    • Implementation Requirement: The organization shall specify the networks and network services to which users are authorized access.

Page 34

CSF Controls Related to Threats
• CSF Control for Vendor Security
  – Control Reference: 01.j User Authentication for External Connections
    • Control Text: Appropriate authentication methods shall be used to control access by remote users.
    • Implementation Requirement: Remote users shall be authenticated by use of a password/passphrase and at least one of the following: certificate, challenge/response, software token, hardware token, cryptographic or biometric technique.

Page 35

CSF Controls Related to Threats
• CSF Control for Vulnerability Patching
  – Control Reference: 10.m Control of Technical Vulnerabilities
    • Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.
    • Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within
      Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.

Page 36

CSF Controls Related to Threats
• CSF Control for Dropper Tools Dropping Basic Backdoors / RATs
  – Control Reference: 09.j Controls Against Malicious Code
    • Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.
    • Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.

Page 37

Q&A SESSION

Page 38

Visit www.HITRUSTAlliance.net for more information

To view our latest documents, visit the Content Spotlight