The Human Aspect of Targeted Cyber Attacks


Page 1: The Human Aspect of Targeted Cyber Attacks

Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1

The Human Aspect of Targeted Cyber Attacks

Alex Lanstein

[email protected]

twitter:alex_lanstein

Page 2: The Human Aspect of Targeted Cyber Attacks


Conventional vs. Modern APT Malware

Conventional Malware

• Characterized by "spreading" techniques, custom C&C transport protocols, and IRC communication

– Examples: malware/worms such as Conficker, Blaster, Slammer, Mega-D, and IRC bots

• Detectable through a variety of technologies and tactics:

– NetWitness/Solera, enVision/ArcSight/Splunk, NIDS

– Port scanning, high activity on Windows ports, non-HTTP traffic over port 80, non-web traffic, etc.
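The last bullet, "non-HTTP over port 80", is a check a NIDS or flow analyzer can make from the first client bytes of a connection. The following is an added example, not code from the slides or from FireEye: it classifies each flow by whether the payload on a well-known port starts the way that port's protocol should (an HTTP request line on 80, a TLS ClientHello on 443). The sample flows are constructed for the example.

```python
# Added example: flag "non-HTTP over port 80" and "non-TLS over port 443" flows
# from the first client bytes of each connection. Sample flows are constructed
# here for the example and are not from the original slides.
from typing import Callable, Dict, List, Tuple

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")


def looks_like_http_request(data: bytes) -> bool:
    """A client's first bytes on a web port should be an HTTP request line."""
    return data.startswith(HTTP_METHODS) and b" HTTP/1." in data[:256]


def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), major version 3, 2-byte
    record length, then handshake type 0x01 (ClientHello)."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)


# Which client-side protocol we expect on each well-known port.
EXPECTED: Dict[int, Callable[[bytes], bool]] = {
    80: looks_like_http_request,
    443: looks_like_tls_client_hello,
}

Flow = Tuple[str, str, int, bytes]  # (src, dst, dst_port, first client bytes)


def classify_flow(dst_port: int, first_bytes: bytes) -> str:
    """'expected', 'mismatch', or 'unchecked' for ports we have no rule for."""
    check = EXPECTED.get(dst_port)
    if check is None:
        return "unchecked"
    return "expected" if check(first_bytes) else "mismatch"


def find_mismatches(flows: List[Flow]) -> List[Flow]:
    """Return the flows whose payload does not match the port's protocol."""
    return [f for f in flows if classify_flow(f[2], f[3]) == "mismatch"]


# Constructed sample flows (not real captures).
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B, 0x03, 0x03]) + b"\x00" * 32
SAMPLE_FLOWS: List[Flow] = [
    ("10.1.1.20", "203.0.113.10", 80, b"GET /news.html HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    ("10.1.1.21", "203.0.113.11", 80, b"NICK wkst-21\r\nUSER wkst-21 0 * :bot\r\n"),  # IRC bot on 80
    ("10.1.1.22", "203.0.113.12", 443, TLS_HELLO),
    ("10.1.1.23", "203.0.113.13", 443, b"\x00\x10\x02\x7f beacon-id=0041"),  # custom C&C on 443
    ("10.1.1.24", "203.0.113.14", 8080, b"GET / HTTP/1.1\r\n"),  # port not covered by a rule
]

if __name__ == "__main__":
    for flow in find_mismatches(SAMPLE_FLOWS):
        print(f"ALERT {flow[0]} -> {flow[1]}:{flow[2]} first bytes {flow[3][:16]!r}")
```

This is a first-packet heuristic: it catches IRC bots and custom binary beacons hiding on web ports, but it says nothing about a C&C channel that really does speak HTTP or TLS, which is exactly where the targeted attacks on the later slides live. For those you need destination reputation, certificate and domain age, and beaconing-interval analysis on top of the protocol check.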

Copyright 2010 FireEye, Inc. - All Rights Reserved

Page 3: The Human Aspect of Targeted Cyber Attacks


Organizations respond to the worm threat!

– blocked Windows protocols on external firewalls

– enforced authentication tokens and VPN usage

– bolstered patching regimens

– installed IDS/IPS at the gateway and on the desktop

– segmented networks to contain worm damage


Page 4: The Human Aspect of Targeted Cyber Attacks


Advanced Malware Infection Lifecycle

(Diagram: a user desktop behind perimeter security and an email/anti-spam gateway in the DMZ; the attacker controls a compromised web server or Web 2.0 site and a callback server.)

Defensive layers shown in the diagram:

– Desktop antivirus: losing the threat arms race

– Perimeter security: signature, rule-based

– Other gateways (email servers, anti-spam): list-based, signatures

Stage 1: System gets exploited

– Drive-by attacks in casual browsing

– Links in targeted emails

– Attachments in targeted emails

Stage 2: Dropper malware installs

– First step to establish control

– Calls back out to criminal servers

– Found on compromised sites and on Web 2.0, user-created content sites

Stage 3: Malicious data theft and long-term control established

– Uploads data stolen via keyloggers, Trojans, bots, and file grabbers

– One exploit leads to dozens of infections on the same system

– Criminals have built long-term control mechanisms into the system

Page 5: The Human Aspect of Targeted Cyber Attacks


Attacks by the APT are human-driven, not generally polymorphic


Page 6: The Human Aspect of Targeted Cyber Attacks


Reconnaissance (H/T Google image search)

Page 7: The Human Aspect of Targeted Cyber Attacks


RSA two-factor tokens

Page 8: The Human Aspect of Targeted Cyber Attacks


Page 9: The Human Aspect of Targeted Cyber Attacks


RSA spearphish (H/T @mikko)

Page 10: The Human Aspect of Targeted Cyber Attacks


Page 11: The Human Aspect of Targeted Cyber Attacks


Page 12: The Human Aspect of Targeted Cyber Attacks


Page 13: The Human Aspect of Targeted Cyber Attacks


Page 14: The Human Aspect of Targeted Cyber Attacks


LaserMotive


Page 15: The Human Aspect of Targeted Cyber Attacks


CEOs are targeted

Page 16: The Human Aspect of Targeted Cyber Attacks


Could you stop this?


Page 17: The Human Aspect of Targeted Cyber Attacks


Human Resources make for easy targets


Page 18: The Human Aspect of Targeted Cyber Attacks


Builders are frequently used for B-Teamers

Page 19: The Human Aspect of Targeted Cyber Attacks


Page 20: The Human Aspect of Targeted Cyber Attacks


CVE-2009-3129

• Microsoft Excel 'FEATHEADER' Record Remote Code Execution Vulnerability (CVE-2009-3129)

• Are there exploit kits built on this vulnerability?

• Is there metadata in the Excel file that we can analyze to detect this class of attack?

• Is this a common attack being seen in the field?
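On the metadata question: a .xls file is an OLE2 container whose "Workbook" stream is a flat sequence of BIFF records, so the FEATHEADER record named in the CVE can be located and sanity-checked without opening the file in Excel. The following is an added example, not code from the slides or from FireEye. It walks the BIFF records of a Workbook stream and reports every FEATHEADER record (FeatHdr, record type 0x0867) whose declared header-data size does not match the bytes actually present. The fixed layout of FeatHdr used here (frtHeaderOld, isf, a reserved byte, cbHdrData) and the 0xFFFFFFFF sentinel follow my reading of the MS-XLS record description and should be checked against the spec; the sample stream is constructed for the example.

```python
# Added example: walk the BIFF8 records of an Excel "Workbook" stream and report
# FEATHEADER (FeatHdr, record type 0x0867) records whose declared payload size
# disagrees with the record's actual size. The sample stream is constructed here;
# the FeatHdr layout follows the MS-XLS record description (assumption).
import struct
from typing import Dict, Iterator, List, Tuple

BIFF_BOF = 0x0809
BIFF_EOF = 0x000A
BIFF_FEATHEADER = 0x0867
CB_SENTINEL = 0xFFFFFFFF  # assumption: MS-XLS allows this for sheet-protection headers

# FeatHdr fixed part: frtHeaderOld (rt:2, grbitFrt:2), isf:2, reserved:1, cbHdrData:4
FEATHDR_FIXED = struct.Struct("<HHHBI")


def iter_biff_records(stream: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, record_type, payload). Each BIFF record is a 2-byte
    type, a 2-byte length, then `length` payload bytes, all little-endian."""
    off = 0
    while off + 4 <= len(stream):
        rec_type, length = struct.unpack_from("<HH", stream, off)
        payload = stream[off + 4: off + 4 + length]
        if len(payload) != length:
            raise ValueError(f"truncated record 0x{rec_type:04x} at offset {off}")
        yield off, rec_type, payload
        off += 4 + length


def inspect_feathdr(offset: int, payload: bytes) -> Dict[str, object]:
    """Compare the declared cbHdrData with the bytes actually present."""
    if len(payload) < FEATHDR_FIXED.size:
        return {"offset": offset, "suspicious": True,
                "reason": "record shorter than the fixed FeatHdr header"}
    rt, grbit, isf, reserved, cb = FEATHDR_FIXED.unpack_from(payload, 0)
    actual = len(payload) - FEATHDR_FIXED.size
    consistent = cb == CB_SENTINEL or cb == actual
    return {
        "offset": offset, "isf": isf, "declared": cb, "actual": actual,
        "suspicious": not consistent,
        "reason": None if consistent else "cbHdrData does not match record length",
    }


def scan_workbook(stream: bytes) -> List[Dict[str, object]]:
    """Return one finding per FEATHEADER record in the Workbook stream."""
    return [inspect_feathdr(off, payload)
            for off, rec_type, payload in iter_biff_records(stream)
            if rec_type == BIFF_FEATHEADER]


def _rec(rec_type: int, payload: bytes) -> bytes:
    """Build one BIFF record (helper for the constructed sample)."""
    return struct.pack("<HH", rec_type, len(payload)) + payload


# Constructed sample stream: BOF, a consistent FeatHdr, an inconsistent FeatHdr, EOF.
BENIGN_FEATHDR = FEATHDR_FIXED.pack(BIFF_FEATHEADER, 0, 1, 0xFF, 4) + b"\x00" * 4
ODD_FEATHDR = FEATHDR_FIXED.pack(BIFF_FEATHEADER, 0, 5, 0xFF, 0x7FFFFFF0) + b"\x41" * 4
SAMPLE_STREAM = (
    _rec(BIFF_BOF, b"\x00\x06\x05\x00" + b"\x00" * 12)
    + _rec(BIFF_FEATHEADER, BENIGN_FEATHDR)
    + _rec(BIFF_FEATHEADER, ODD_FEATHDR)
    + _rec(BIFF_EOF, b"")
)

if __name__ == "__main__":
    for finding in scan_workbook(SAMPLE_STREAM):
        print(finding)
```

To run this over a real .xls you first extract the "Workbook" stream from the OLE2 container (for example with the olefile library) and pass its bytes to scan_workbook. A length mismatch is only a structural oddity, not proof of exploitation; the useful signal is that legitimate workbooks rarely contain FEATHEADER records at all, so any hit on a spearphished attachment deserves a look in a sandbox with the matching Excel version, which is the point made later in the deck about out-of-context analysis.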

Page 21: The Human Aspect of Targeted Cyber Attacks


Page 22: The Human Aspect of Targeted Cyber Attacks


Is Japan in the news? Hadn’t noticed….


Page 23: The Human Aspect of Targeted Cyber Attacks


Beef importing?


Page 24: The Human Aspect of Targeted Cyber Attacks


Language Specific - Taiwan


Page 25: The Human Aspect of Targeted Cyber Attacks


Language Specific - Taiwan


Page 26: The Human Aspect of Targeted Cyber Attacks


The attacker does not realize why failures occur


Page 27: The Human Aspect of Targeted Cyber Attacks


Different email for every run


Page 28: The Human Aspect of Targeted Cyber Attacks


Some OS Activity…

Page 29: The Human Aspect of Targeted Cyber Attacks


Decent Decoy Document

Page 31: The Human Aspect of Targeted Cyber Attacks


China is not the only threat


Page 32: The Human Aspect of Targeted Cyber Attacks


Links vs. Attachments by Month

Page 33: The Human Aspect of Targeted Cyber Attacks


Link Compromises


Page 34: The Human Aspect of Targeted Cyber Attacks


Page 35: The Human Aspect of Targeted Cyber Attacks


Page 36: The Human Aspect of Targeted Cyber Attacks


What will not work? Out-of-context or delayed analysis

• Out-of-context examination of malware will fail for a variety of reasons

• For example, a lightweight JavaScript or x86 emulator without the vulnerable IE version

– Exploit behavior does not manifest itself without the matching software vulnerability

• Examination of "coarse-grain" objects only, e.g. executables in a VM

– The web exploit can mask the subsequent phases

• Simple-minded VM analysis

– No ability to detect and defeat malware countermeasures (e.g. VM-aware malware)

• Static analysis of objects

– Behavior cannot be determined by static analysis alone (web pages or .exes)

– Highly error-prone (false alerts and missed attacks)

Page 37: The Human Aspect of Targeted Cyber Attacks


Simple obfuscation works!

(Diagram: the same three-stage lifecycle as on page 4, with the attacker's malicious web server and callback server on one side and the victim desktop, whose antivirus is losing the threat arms race, on the other.)

Stage 1: System gets exploited

– Social engineering

– Obfuscated JavaScript code

– Exploited IE 6 zero-day vulnerability

Stage 2: Web server delivers malware

– Servers mapped by dynamic DNS

– XOR-encoded malware EXE delivered

– No signatures

Stage 3: Malware calls home and long-term control established

– Complete control of the infected system

– Further payloads downloaded

– C&C located here in Taiwan!

– Using outbound port 443 (SSL)
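The "XOR-encoded malware EXE, no signatures" step is why simple obfuscation works against signature scanners: the bytes on the wire match nothing. It is also cheap to undo if you know what the plaintext must look like. The following is an added example, not code from the slides or from FireEye: it brute-forces a single-byte XOR key over a captured blob using two invariants of a Windows executable as the oracle, the "MZ" signature at offset 0 and the DOS stub text. The stand-in executable and the key are constructed for the example.

```python
# Added example: recover a single-byte XOR key from a blob suspected to be an
# XOR-encoded Windows executable, using two PE invariants as the oracle: the
# "MZ" signature at offset 0 and the DOS stub string. The sample payload is
# constructed here; it is not the malware from the slides.
from typing import Optional

MZ = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key."""
    return bytes(b ^ key for b in data)


def find_xor_key(blob: bytes) -> Optional[int]:
    """Return the single-byte key that turns `blob` into a PE image, or None.
    Key 0 means the blob is already a plain executable."""
    for key in range(256):
        # Check the cheap 2-byte signature first, then the stub string.
        if xor_bytes(blob[:2], key) != MZ:
            continue
        if DOS_STUB in xor_bytes(blob[:512], key):
            return key
    return None


def decode_if_xored_pe(blob: bytes) -> Optional[bytes]:
    """Decoded executable if a key is found, else None."""
    key = find_xor_key(blob)
    return None if key is None else xor_bytes(blob, key)


# Constructed stand-in for a PE: MZ header, padding, DOS stub text, fake PE signature.
FAKE_PE = (MZ + b"\x90\x00" + b"\x00" * 60 + DOS_STUB + b".\r\r\n$"
           + b"\x00" * 30 + b"PE\x00\x00")
ENCODED_PAYLOAD = xor_bytes(FAKE_PE, 0x5A)  # key 0x5A is the example's assumption

if __name__ == "__main__":
    key = find_xor_key(ENCODED_PAYLOAD)
    print(f"key: {key:#04x}" if key is not None else "no single-byte XOR key found")
```

The same known-plaintext idea extends to multi-byte keys (try the key length, then solve each byte position against the stub string) and to the "no signatures" problem in general: a scanner that only matches bytes on the wire misses the payload, while a scanner that tests whether a download decodes to something executable catches this whole class of encoding, regardless of key.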

Page 38: The Human Aspect of Targeted Cyber Attacks


Now lowly spam bots use this technique

Page 39: The Human Aspect of Targeted Cyber Attacks


On twitter as @alex_lanstein

[email protected]