
The Malware Menace - Cisco · The Malware Menace: From 30,000 Feet to the Microscope Session ID ... Cisco Public Agenda Targeted Threats Spear Phishing Malvertising Exploit Kits Ransomware


The Malware Menace: From 30,000 Feet to the Microscope

Session ID 18PT

Earl Carter

Talos Threat Researcher

[email protected]

@kungchiu

Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

Agenda

Targeted Threats

Spear Phishing

Malvertising

Exploit Kits

Ransomware

Coordinated Response


PoSeidon, A Deep Dive Into Point of Sale Malware


PoSeidon, A Deep Dive Into Point of Sale Malware


Point-of-Sale Malware a Growing Threat

Engineers Reversed Sample

PoSeidon

– Installs Keylogger

– Scans Memory for Credit Card Data

– Exfiltrates Data



Defending Against PoSeidon


We encourage organizations to consider security best practices, starting with a threat-centric approach. Given the dynamic threat landscape, we advocate a threat-centric and operationalized approach that implements protections across the extended network and across the full attack continuum – before, during, and after an attack. This approach is predicated upon superior visibility, continuous control, and advanced threat protection across the extended network and the entire attack continuum.

Before – During – After

Visit our blog for further analysis:

http://blogs.cisco.com/talos/poseidon

Spear Phishing


Phishing Landscape

Constant Ongoing Threat

Campaigns More Targeted

More Short Duration Campaigns


http://www.senderbase.org/static/malware


Phishing for your banking info…

Upatre

– Malicious Downloader

– Distributed primarily via SPAM (.zip/.rar attachments)

– Dyre (banking Trojan) is the primary downloaded malware

SPAM Campaigns

– Frequent (New campaigns almost daily)

– Short lived (Usually 1 day)

– Use compromised systems

– Used password-protected RAR archive (shown)

– Dropped PDF to display to user (Anti-Drone)



And the Campaigns Begin…


Identified at least 15 distinct campaigns

Initial Campaign – March 31st

ZIP File Attachment

From: [email protected]


Dyre Installed While Displaying Decoy Files


First Seen in June 2014

Steals Banking Credentials

Performs Man-In-The-Middle Attack Through Browser


Easily Identifiable Traffic Characteristics


HTTP Plain Text

Unique User Agent

Campaign Identified in Request
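The three traffic traits listed on this slide (plaintext HTTP, a User-Agent string that few hosts share, and a campaign tag embedded in the request) translate directly into a proxy-log heuristic. The script below is an added example written for this page, not Talos tooling or a published Dyre signature; the log format, the addresses and the campaign-tag regex are assumptions constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines in an assumed format (not real captures):
#   <timestamp> <client_ip> <method> <url> "<User-Agent>"
SAMPLE_LOG = """\
2015-03-31T09:12:01Z 10.0.0.12 GET https://www.example.com/news "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"
2015-03-31T09:12:03Z 10.0.0.12 GET http://198.51.100.7/0331us21/WKSTN12_W617601/0/51-SP1/0/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2015-03-31T09:12:05Z 10.0.0.40 GET http://www.example.org/index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"
2015-03-31T09:13:10Z 10.0.0.40 GET http://www.example.org/logo.png "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"
2015-03-31T09:14:22Z 10.0.0.77 GET http://203.0.113.9/0331us21/LAPTOP03_W617601/0/51-SP1/0/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2015-03-31T09:15:00Z 10.0.0.91 GET http://www.example.org/index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

# Assumed shape of a campaign tag at the start of the request path: four
# digits, two letters, two digits (e.g. /0331us21/). This is a placeholder
# pattern for the example, not a published Dyre indicator.
CAMPAIGN_TAG_RE = re.compile(r"^/\d{4}[a-z]{2}\d{2}/")


def parse_log(text):
    """Parse the assumed log format into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def detect_beacons(text, rare_ua_max_clients=2, min_indicators=2):
    """Score each request on the three traits the slide lists and return
    the requests that match at least `min_indicators` of them."""
    rows = parse_log(text)

    # A User-Agent is "unique" relative to the fleet: count how many distinct
    # clients use each UA string, so a browser UA shared by many machines is
    # not flagged while a string seen from one or two machines is.
    clients_per_ua = defaultdict(set)
    for r in rows:
        clients_per_ua[r["ua"]].add(r["client"])

    alerts = []
    for r in rows:
        parts = urlsplit(r["url"])
        indicators = []
        if parts.scheme == "http":
            indicators.append("plaintext_http")
        if len(clients_per_ua[r["ua"]]) <= rare_ua_max_clients:
            indicators.append("rare_user_agent")
        if CAMPAIGN_TAG_RE.match(parts.path):
            indicators.append("campaign_tag_in_path")
        if len(indicators) >= min_indicators:
            alerts.append({
                "client": r["client"],
                "host": parts.hostname,
                "ua": r["ua"],
                "indicators": indicators,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_beacons(SAMPLE_LOG):
        print(a["client"], "->", a["host"], ",".join(a["indicators"]))
```

Requiring two of the three indicators keeps ordinary plaintext browsing (one indicator) out of the alert list while the two beacon-style requests in the sample match all three. In a real deployment the User-Agent rarity count would be computed over a day of proxy logs rather than six lines.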


More Variations


Two more campaigns on March 31st

Product Quote & 2015 Expenses

Still Using ZIP File Attachment

From Addresses

– <[email protected]>

– <[email protected]>


A Change in Tactics


Started on April 7th

ZIP attachment gone

New Attachment – Encrypted RAR File

Password in Email


Yet Another Shift


Started on April 16th

ZIP attachment is back


Communication is Now Encrypted


99% of Traffic Using HTTPS


Protecting The Customer

ESA flagged the emails as Spam even without AV detection

AMP detected activity and blocked new variants

CWS/WSA can block malicious payloads

NGIPS/NGFW signatures for network activity



Rombertik: Phishing for Everything



Rombertik


(figure labels: Anti-Analysis Code; Unpacking Code)

Advance in Exploit Kits: Domain Shadowing


Angler Lurking in the Domain Shadow


Domain Shadowing

– Using subdomains of legitimate domains (e.g. bad.legit.com)

– Next evolution in exploit kits

– Advanced evasion of blacklisting technologies

– Actors using random domains

– Discovered hundreds of compromised accounts

– Thousands of affected domains

Delivered via malvertising

Multiple tiers of subdomains being used for redirection
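Domain shadowing leaves a measurable trace in passive DNS: a long-established registered domain suddenly sprouts many subdomains with machine-generated labels, sometimes nested several tiers deep, pointing at addresses none of the domain's ordinary hosts use. The following is an added example, not code from the presentation or from Talos; the records are constructed, the entropy thresholds are assumptions, and the registered-domain split is a deliberate simplification (a production version would use the public suffix list).

```python
import math
from collections import defaultdict

# Constructed passive-DNS style observations (hostname, resolved IP).
# Made up for this example; not data from the page.
SAMPLE_RECORDS = [
    ("www.legit-example.com", "192.0.2.10"),
    ("mail.legit-example.com", "192.0.2.11"),
    ("x7k2q9.legit-example.com", "198.51.100.23"),
    ("p3m8zt.x7k2q9.legit-example.com", "198.51.100.23"),   # second tier
    ("ab91cd.legit-example.com", "198.51.100.24"),
    ("www.other-example.org", "203.0.113.5"),
    ("blog.other-example.org", "203.0.113.5"),
]


def registered_domain(hostname):
    """Assumed simplification: the registered domain is the last two labels."""
    return ".".join(hostname.lower().split(".")[-2:])


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label, min_len=6, min_entropy=2.5):
    """Heuristic for machine-generated labels: reasonably long, mixes digits
    and letters, and has high character entropy. Thresholds are assumptions."""
    return (
        len(label) >= min_len
        and any(ch.isdigit() for ch in label)
        and any(ch.isalpha() for ch in label)
        and shannon_entropy(label) >= min_entropy
    )


def find_shadowed_domains(records, min_suspicious=2):
    """Group hostnames by registered domain and report domains whose
    subdomains carry random-looking labels, how many tiers deep they go,
    and which resolved IPs the domain's ordinary hosts never use."""
    by_domain = defaultdict(list)
    for host, ip in records:
        by_domain[registered_domain(host)].append((host, ip))

    flagged = {}
    for domain, hosts in by_domain.items():
        suspicious, baseline_ips, max_depth = [], set(), 0
        for host, ip in hosts:
            labels = host.split(".")[:-2]      # labels below the registered domain
            if any(looks_random(label) for label in labels):
                suspicious.append((host, ip))
                max_depth = max(max_depth, len(labels))
            else:
                baseline_ips.add(ip)           # IPs used by the legitimate hosts
        foreign_ips = {ip for _, ip in suspicious} - baseline_ips
        if len(suspicious) >= min_suspicious:
            flagged[domain] = {
                "suspicious_hosts": [h for h, _ in suspicious],
                "max_depth": max_depth,
                "foreign_ips": sorted(foreign_ips),
            }
    return flagged


if __name__ == "__main__":
    for domain, info in find_shadowed_domains(SAMPLE_RECORDS).items():
        print(domain, info)
```

The "foreign IPs" field is the signal that separates shadowing from a legitimate domain that simply uses generated hostnames: a compromised registrar account lets the attacker add records that point anywhere, so the shadow subdomains resolve to hosting the real site never touches.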


Evasion Evolution

Exploit Kit Evolution: Static IP Address → Registered Domains → Fast Flux DNS → Dynamic DNS → Domain Shadowing


Protecting The Customer

Cisco AMP & Network Security IDS & NGFW detected and blocked immediately

Defense-in-Depth is still best approach to protect your environment

Expect this technique to increase in popularity


Malvertising


The Malvertising Ecosystem



Walkthrough



The Normal Web


cnn.com: 26 domains, 39 hosts, 171 objects, 557 connections


Threat: Malvertising


Kyle & Stan


• Malicious ads served on major websites such as Amazon, Yahoo, and YouTube

• Malware disguised as a legitimate application


Example Attack Sequence



Protecting The Customer

6941 domains blocked

Web Security Appliance

Cloud Web Security

AMP


Visit our blog for further analysis:

http://blogs.cisco.com/talos/kyle-and-stan

Ransomware


Cryptowall 2.0

Data is the new target

Ransomware – Becoming more popular

– Using more evasive techniques



Cryptowall 2.0 Functionality


Encrypted Binary

Anti-VM check

Uses TOR for Command & Control

Runs 32-bit & 64-bit code simultaneously


Cryptowall 3.0 Functionality


Moving to Exploit Kit Delivery

Still has Encrypted Binary

Uses TOR & I2P for C&C

(figure: Dropper → Decryption Process → Run Cryptowall)

No Exploits

No 32/64 switching

No Anti-VM Check


Protecting The Customer

Before:

– ESA Stops the spam which is the primary infection vector.

During:

– AMP, NGFW, IPS in addition to CWS & WSA detect and block attempts at downloading malware.

After:

– IPS & NGFW identify and block malware operation and spread.


Visit our blog for further analysis:

http://blogs.cisco.com/talos/cryptowall-3-0

Combating SSHPsychos


SSHPsychos

• SSHPsychos

– Brute Force SSH Attacks

– 300K Unique Passwords

– Accounted for 1/3 of all SSH Traffic

• Attack

– Brute Force System until password guess

– Login from different address space

– Drop DDoS Rootkit on server
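The attack pattern on this slide, a long run of password failures from one source followed by a successful password login to the same account from a different network, can be caught from sshd's standard syslog messages. The detector below is an added example, not Talos or Cisco code; the log lines are constructed, and the failure threshold and the /24 grouping used to define "address space" are assumed parameters.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sshd syslog lines (standard OpenSSH message wording, made-up
# host and addresses). Not real captures.
AUTH_LOG = """\
Apr  1 10:00:01 srv1 sshd[2001]: Failed password for root from 203.0.113.7 port 40122 ssh2
Apr  1 10:00:02 srv1 sshd[2002]: Failed password for root from 203.0.113.7 port 40123 ssh2
Apr  1 10:00:02 srv1 sshd[2003]: Failed password for root from 203.0.113.7 port 40124 ssh2
Apr  1 10:00:03 srv1 sshd[2004]: Failed password for root from 203.0.113.7 port 40125 ssh2
Apr  1 10:00:03 srv1 sshd[2005]: Failed password for invalid user admin from 203.0.113.7 port 40126 ssh2
Apr  1 10:00:04 srv1 sshd[2006]: Failed password for root from 203.0.113.7 port 40127 ssh2
Apr  1 10:01:15 srv1 sshd[2010]: Failed password for alice from 192.0.2.55 port 51000 ssh2
Apr  1 10:01:20 srv1 sshd[2011]: Accepted publickey for alice from 192.0.2.55 port 51001 ssh2
Apr  1 10:07:45 srv1 sshd[2050]: Accepted password for root from 198.51.100.9 port 33001 ssh2
"""

EVENT_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_auth_log(text):
    """Extract (result, method, user, ip) from each sshd auth line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_brute_forcers(events, threshold=5):
    """Sources with at least `threshold` failed password attempts, together
    with the account names each one hammered."""
    failures = Counter()
    targets = defaultdict(set)
    for e in events:
        if e["result"] == "Failed" and e["method"] == "password":
            failures[e["ip"]] += 1
            targets[e["ip"]].add(e["user"])
    return {ip: {"failures": n, "users": targets[ip]}
            for ip, n in failures.items() if n >= threshold}


def detect_guessed_logins(text, threshold=5, prefix=24):
    """Flag password logins to an account that a brute-forcer targeted.
    A login from the attacker's own address is the obvious case; a login
    from a different network is the one the slide describes and the one a
    per-source block would miss."""
    events = parse_auth_log(text)
    brute = find_brute_forcers(events, threshold)
    attacker_nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in brute}
    targeted_users = set().union(*(v["users"] for v in brute.values()))

    alerts = []
    for e in events:
        if e["result"] != "Accepted" or e["method"] != "password":
            continue
        if e["user"] not in targeted_users:
            continue
        src_net = ipaddress.ip_network(f"{e['ip']}/{prefix}", strict=False)
        if e["ip"] in brute:
            reason = "login_from_brute_force_source"
        elif src_net not in attacker_nets:
            reason = "login_from_different_address_space"
        else:
            reason = "login_from_attacker_netblock"
        alerts.append({"user": e["user"], "ip": e["ip"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect_guessed_logins(AUTH_LOG):
        print(a)
```

Key-based logins are deliberately ignored: the pattern is about a guessed password, so an `Accepted publickey` for a targeted account is not by itself evidence of compromise. The threshold of five failures is far below what the slide describes (300K passwords) and is only there to make the sample trip the rule.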


SSHPsychos: Action Taken

• Engaged Level 3

• Sudden Pivot

• Null Routed

• Call to Action

• Effectively limited


Common Goals

• Blacklisted Domains

• Malware Downloaders

• C & C

• Domains for Tools

• eMail & Web

• Blacklisted Address Space

• For Malware

• For C & C

• For their Tools

• Published NGIPS Detection

• Tools Activity

• C & C Activity

• Gave it to the Community – Free, Gratis, Nada

• Published AV Detection

• Tools

• Malware

• AMP

Stopping The Bad Guys – A Good Thing™


Q & A

Talos information:

– Web: http://www.snort.org/ and http://www.clamav.net/

– Blog: http://blogs.cisco.com/talos/ and http://vrt-blog.snort.org/

– Twitter: @TalosSecurity

– Labs: http://labs.snort.org



Backup Slides


Heartbleed


Heartbleed

• If the specified heartbeat request length is larger than its actual length, this memcpy() will read memory past the request buffer and store it in the response buffer, which is sent to the attacker

• OpenSSL 1.0.1 – 1.0.1f are vulnerable

• Bug was introduced in December 2011

• Approximately 534,156 services are vulnerable

• Cisco was one of the first IPS companies to provide coverage

• This IS being exploited in the wild…



Background

Exploitation Allows Access to Device Memory Contents

• Attackers could potentially extract sensitive information

• Cryptographic keys and certificates are of particular concern

Impact of Exploitation Depends on Multiple Factors

• Role of affected device in the network

• How OpenSSL is used on the device



Cisco Response

Announced Publicly on April 7th 2014

• No industry coordination; vulnerability was disclosed before vendors were informed

Cisco PSIRT Coordinating Response and Investigation

Cisco Security Advisory published April 9th

• Cisco among the first vendors to respond

• Initial focus on accurate listing of Cisco products and services

• Updated daily as new information is discovered

Detection and Mitigation Strategies Include:

• Cisco Sourcefire and Cisco IPS signatures are available

• Technology-specific guidance and best practices



Security Impact

Bigger than 443

• Any SSL service is being targeted

• Most prominent sites have already patched

• Many, many, smaller sites are not patched…

Worst case: Private keys, credentials and more leaked

• Hijacked accounts -> more exploit kits

• Embedded devices are unlikely to patch

• May enable lateral movement

• Without security monitoring there is no real way to know if you were exploited

The client side attack is also concerning



Timeline


April 7

Vulnerability announced

Exploit designed for QA within 6 hours of initial report

IPS Rules Developed


April 8

IPS Rules released

Public exploits surface

Initial VRT blog posted


April 9

Coverage extended to more SSL services

Client side exploitability discovered

Additional exploits released including MSF

Vendor A coverage released

Vendor B coverage released

Vendor C coverage released


April 10

Rules released to cover client side exploitation

VRT blog posted regarding client side exploitation

SEU/SRU released

Cisco rules detect all known public exploits

Vendor D coverage released


Services Being Targeted


Destination port / protocol:

465 (smtps)/tcp

995 (pop3s)/tcp

993 (imaps)/tcp

443 (https)/tcp


Heartbleed IOCs

Sourcefire IPS

• 30510 - 30513 inbound connection attempts beyond a normal threshold

• 30514 - 30517 large outbound heartbeat responses (successful exploitation)

• 30520 - 30525 outbound vulnerable client traffic

Cisco Legacy IPS

• 4187-3 - inbound connection attempts beyond a normal threshold

• 4187-4 - large outbound heartbeat responses (successful exploitation)/outbound vulnerable client traffic
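Two of the Heartbleed points in this backup section, the missing bounds check on the declared heartbeat payload length (the memcpy() bullet on the Heartbleed slide) and the "large outbound heartbeat responses" indicator in the IOC list above, share one building block: a parser for the RFC 6520 heartbeat message carried inside a TLS record. The code below is an added example, not OpenSSL's code and not the logic of the Sourcefire or Cisco IPS rules listed; the 128-byte "large response" threshold is an assumption, and the records are built in-process so the example runs offline.

```python
import struct

TLS_HEARTBEAT_CONTENT_TYPE = 24    # RFC 6520 record content type
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16                   # RFC 6520: at least 16 bytes of padding
LARGE_RESPONSE_THRESHOLD = 128     # assumed cut-off for a "large" response


def build_heartbeat_record(hb_type, payload, declared_len=None, padding=MIN_PADDING):
    """Wrap a heartbeat message in a TLS 1.2 record. `declared_len` normally
    equals len(payload); a different value builds the malformed input a
    validator has to reject (the condition the slide describes)."""
    if declared_len is None:
        declared_len = len(payload)
    body = struct.pack("!BH", hb_type, declared_len) + payload + b"\x00" * padding
    return struct.pack("!BHH", TLS_HEARTBEAT_CONTENT_TYPE, 0x0303, len(body)) + body


def parse_heartbeat(record):
    """Return (hb_type, payload); raise ValueError on malformed input.

    The decisive line is the bounds check: the declared payload length plus
    the 3-byte header and minimum padding must fit inside the record that
    was actually received. The vulnerable OpenSSL versions skipped it and
    copied `declared_len` bytes from the request buffer into the response,
    which is how adjacent memory leaked. Python slicing cannot over-read,
    but without the check a server would still answer with a short or
    empty payload instead of discarding the message."""
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT_CONTENT_TYPE:
        raise ValueError("not a heartbeat record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if rec_len < 1 + 2 + MIN_PADDING:
        raise ValueError("record too short to hold a heartbeat message")
    hb_type, declared_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        raise ValueError("unknown heartbeat type")
    if 1 + 2 + declared_len + MIN_PADDING > rec_len:
        raise ValueError("declared payload length exceeds record length")
    return hb_type, body[3:3 + declared_len]


def heartbeat_is_well_formed(record):
    try:
        parse_heartbeat(record)
        return True
    except ValueError:
        return False


def is_large_heartbeat_response(record, threshold=LARGE_RESPONSE_THRESHOLD):
    """Network-side check in the spirit of the 'large outbound heartbeat
    response' rules: a well-formed response whose payload exceeds the
    threshold. A normal keep-alive carries a few bytes; a successful
    over-read answer carries kilobytes."""
    try:
        hb_type, payload = parse_heartbeat(record)
    except ValueError:
        return False
    return hb_type == HB_RESPONSE and len(payload) > threshold


if __name__ == "__main__":
    ok = build_heartbeat_record(HB_REQUEST, b"ping")
    print("valid request parses:", parse_heartbeat(ok))
    print("oversized length rejected:",
          not heartbeat_is_well_formed(build_heartbeat_record(HB_REQUEST, b"ping", declared_len=0xFFFF)))
```

The server-side check and the network-side indicator are complementary: the first stops a patched host from answering at all, the second lets a sensor in front of an unpatched host see that an answer of the wrong size went out, which is the only direct evidence of successful exploitation the slide's IOC list points to.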


A match made in heaven, malvertising, exploit kits and dynamic DNS


Fiesta Exploit Kit

January of 2014 alone over 300 companies affected

Drive by download attack



Fiesta Exploit Kit: File Types

Malicious file types for all web content during campaign.



Fiesta Exploit Kit: Exploits Utilized



Fiesta Exploit Kit: Geographic Distribution



Dynamic DNS



Fiesta Exploit Kit: Dynamic DNS



Dynamic Detection of Malicious DNS - Reputation

(figure: reputation chart; labelled series: Average, Baseline)


Dynamic Detection of Malicious DNS

What are we blocking with AV?




Protecting The Customer

Web security appliances / Cloud Web security

Reputation systems

Block some/all Dynamic DNS providers using RPZ

Client side protection

– Antivirus

– HIPS

– AMP Everywhere


For more information, see our blog entry: http://blogs.cisco.com/security/fiesta-exploit-pack-is-no-party-for-drive-by-victims

Snow Shoe Spam


Spam Landscape




Spam Distribution


Spam broken down by Sender Type


Snow Shoe Spam Mitigations

Cisco Outbreak Filters

– 14 hour lead time over traditional AV

Delay Quarantine

Intelligent Multiscan

– More detection engines can detect more spam

Use DNS

– Look for hundreds of hostnames using a single IP or hundreds of IPs without hostnames

Advanced Malware Protection (AMP)


For more information, see our blog entry: http://blogs.cisco.com/talos/snowshoe-flurry
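The DNS heuristic on this slide ("hundreds of hostnames using a single IP or hundreds of IPs without hostnames") reduces to two aggregations over DNS data: distinct forward names per address, and addresses with no reverse record grouped by netblock. The script below is an added example, not Cisco's Outbreak Filters or any Talos code; the A records, PTR table and sender addresses are constructed, and the thresholds are lowered from "hundreds" to fit the sample.

```python
import ipaddress
from collections import defaultdict

# Constructed data, not from the page: forward (A) records observed for
# sender hostnames, the reverse (PTR) table, and the addresses seen
# connecting to our mail gateway.
SAMPLE_A_RECORDS = [(f"m{i}.promo-example.net", "198.51.100.10") for i in range(12)] + [
    ("mail.corp-example.com", "192.0.2.5"),
    ("www.corp-example.com", "192.0.2.6"),
]
SAMPLE_PTR = {
    "198.51.100.10": "m0.promo-example.net",
    "192.0.2.5": "mail.corp-example.com",
}
SAMPLE_SENDER_IPS = [f"203.0.113.{i}" for i in range(1, 41)] + ["192.0.2.5", "198.51.100.10"]


def hostnames_per_ip(a_records):
    """Count distinct hostnames that resolve to each address: the first
    snowshoe pattern, many throwaway names funnelled onto one sending host."""
    names = defaultdict(set)
    for host, ip in a_records:
        names[ip].add(host.lower())
    return {ip: len(h) for ip, h in names.items()}


def ptrless_ips_per_netblock(sender_ips, ptr_table, prefix=24):
    """Group sending addresses that have no reverse record by netblock: the
    second pattern, a block of addresses spread thin with no hostnames."""
    counts = defaultdict(int)
    for ip in sender_ips:
        if ip not in ptr_table:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            counts[str(net)] += 1
    return dict(counts)


def snowshoe_indicators(a_records, sender_ips, ptr_table,
                        hostname_threshold=10, ptrless_threshold=20, prefix=24):
    """Apply both thresholds and return what crossed them. The thresholds are
    assumed values scaled down for the sample; the slide speaks of hundreds."""
    crowded = {ip: n for ip, n in hostnames_per_ip(a_records).items()
               if n >= hostname_threshold}
    ptrless = {net: n for net, n in ptrless_ips_per_netblock(sender_ips, ptr_table, prefix).items()
               if n >= ptrless_threshold}
    return {"crowded_ips": crowded, "ptrless_netblocks": ptrless}


if __name__ == "__main__":
    print(snowshoe_indicators(SAMPLE_A_RECORDS, SAMPLE_SENDER_IPS, SAMPLE_PTR))
```

Both outputs feed naturally into the RPZ or reputation blocks the earlier slides mention: a crowded IP can be scored as a unit regardless of which hostname the next message uses, and a PTR-less netblock can be rate-limited as a whole rather than one address at a time.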


Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
