© 2014, FireEye, Inc. All rights reserved. 1 Tobin Sears, FireEye Zero-Days, Ghost Malware, and Other Current Trends

Upload: isabel-wright

Post on 15-Jan-2016


TRANSCRIPT

Page 1

Tobin Sears, FireEye

Zero-Days, Ghost Malware, and Other Current Trends

Page 2

FROM THE FRONT LINES: M-TRENDS® 2015

Page 3

Agenda

By the Numbers

Trend 1: Struggling with Disclosure

Trend 2: Retail in the Crosshairs

Trend 3: The Evolving Attack Lifecycle

Trend 4: Blurred Lines – Criminal and APT Actors Take a Page from Each Other’s Playbook

Ghost Malware and Zero-Days

Note: Some information has been sanitized to protect our clients’ interests.

Page 4

BY THE NUMBERS

Page 5

Who’s a Target?

Page 6

How Compromises Are Being Detected

Page 7

Dwell Time

24 days less than 2013

Longest Presence: 2,982 days

Page 8

APT Phishing

Page 9

TREND 1: Struggling with Disclosure

Page 10

Trend 1: Struggling with Disclosure

Mandiant worked with over 30 companies that publicly disclosed a compromise

Public is asking more informed questions

- Attribution

- Malware

- Attacker TTPs

Public speculation starting to affect investigations

Page 11

Why the Increase in Notifications?

Mandiant worked an increased number of cases where protected data was lost

- Cardholder data, Personally identifiable information (PII), and Protected Health Information (PHI)

- Contractual and legal obligation to notify

69% of victims did not self-detect

- Increased pressure to notify

More companies willing to notify

- Companies feel like it’s the right thing to do

- Being a breach victim is less taboo than in the past

Page 12

Critical Investigation Questions

Questions you should have answers to during the investigation

- How did the attacker gain initial access to the environment?

- How did the attacker maintain access to the environment?

- What is the storyline of the attack?

- What data was stolen from the environment?

- Have you contained the incident?

Page 13

The Takeaways

Breaches are inevitable

- Have an effective communication strategy available

Consistent communication is key

- Based on factual investigative findings

Public speculation will happen

- Avoid distracting the investigation

CAUTION: Investigation Hazard

Page 14

TREND 2: Retail in the Crosshairs

Page 15

Trend 2: Retail in the Crosshairs

Retailers thrust into the spotlight in 2014

- Mandiant responded to many headlines

New groups getting into the game

Small misconfigurations led to greater compromise

Page 16

Themes of Financially Motivated Attackers in 2014

Application virtualization servers used as an entry point

- Valid credentials used to authenticate

- Misconfigurations / lack of network segmentation allowed greater access

New tools, tactics, and procedures

- Highly sophisticated malware

- Publicly available tools

Increased number of attacks against e-commerce in locations that deployed chip-and-PIN technology

- Attackers shifting focus to lowest hanging fruit

Page 17

Initial Access To Environment

Attacker authenticated to a virtual application server

- Already had legitimate credentials, no failed logons

Escaped from “jailed” environment to gain additional control over the system

Misconfiguration in virtual application server resulted in greater access to environment

- No segmentation

Same local administrator password on all systems

- Allowed attacker privileged access to systems

Page 18

Lateral Movement - Forensic Artifacts

Attacker used the “psexec_command” Metasploit module to execute commands on remote systems

- Mimics command execution capability of the SysInternals PsExec utility

Windows 7/Server 2008 System event logs recorded the installation of the service on each remote system
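The slide's forensic point is that PsExec-style execution, whether from the Sysinternals tool or the Metasploit module that mimics it, leaves a service-installation record in the System log. The script below is an added example (not code from the presentation or from FireEye/Mandiant) that triages such records: it assumes Event ID 7045 entries have already been exported into dicts carrying the Service Control Manager fields `ServiceName` and `ImagePath`, and the four sample events are constructed for illustration.

```python
"""Triage Windows System log service-installation events (ID 7045) for
PsExec-style remote command execution.

Added example, not from the presentation or from FireEye/Mandiant. It assumes
events were exported from the System log into dicts with the 7045 fields
ServiceName and ImagePath; the sample records below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Event ID 7045, source Service Control Manager: "A service was installed in the system."
SERVICE_INSTALLED = 7045

# Constructed sample export; hostnames, service names and paths are made up.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 7045, "Computer": "POS-SRV01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "POS-SRV02", "ServiceName": "NZjfRtQq",
     "ImagePath": r"%COMSPEC% /C dir C:\ > %SystemRoot%\Temp\NZjfRtQq.txt"},
    {"EventID": 7045, "Computer": "CORP-WS17", "ServiceName": "gupdate",
     "ImagePath": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc"},
    {"EventID": 7036, "Computer": "POS-SRV01", "ServiceName": "PSEXESVC",
     "ImagePath": ""},  # service state change, not an installation: ignored
]

# Service "binary" that is really a shell one-liner (%COMSPEC% ... or cmd.exe /c ...).
SHELL_IMAGE = re.compile(r"%COMSPEC%|\bcmd(?:\.exe)?\s+/c\b", re.IGNORECASE)
# Eight letters, no digits: the shape of an auto-generated service name.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")


def _looks_random(name: str) -> bool:
    """Mixed-case, letters-only, 8-character name; a weak heuristic on its own."""
    return (bool(RANDOM_NAME.match(name))
            and any(c.islower() for c in name) and any(c.isupper() for c in name))


def classify(event: Dict[str, object]) -> List[str]:
    """Return the reasons an installation event looks like PsExec-style execution (empty if none)."""
    if event.get("EventID") != SERVICE_INSTALLED:
        return []
    name = str(event.get("ServiceName", ""))
    image = str(event.get("ImagePath", ""))
    reasons: List[str] = []
    if name.upper() == "PSEXESVC":
        reasons.append("default Sysinternals PsExec service name")
    if SHELL_IMAGE.search(image):
        reasons.append("service image is a cmd.exe one-liner rather than an executable")
    # The random-name heuristic is only trusted when the same name recurs in the
    # image path (tools typically name their output file or dropped binary after the service).
    if _looks_random(name) and name in image:
        reasons.append("auto-generated looking service name reused in the image path")
    return reasons


def scan(events: List[Dict[str, object]]) -> List[Tuple[str, str, List[str]]]:
    """Run classify() over an export; return (host, service name, reasons) for each hit."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((str(ev.get("Computer", "?")), str(ev.get("ServiceName", "")), reasons))
    return hits


if __name__ == "__main__":
    for host, name, reasons in scan(SAMPLE_EVENTS):
        print(f"{host}: service '{name}' -> {'; '.join(reasons)}")
```

The three heuristics are deliberately independent so that a renamed PsExec binary still trips the shell-one-liner or random-name rule; in practice the hits are pivoted on the 7045 timestamp against logon events from the same account, which is how the "no failed logons" observation on the previous slide is confirmed.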

Page 19

Persistence - Sophisticated Malware

Backdoor targeted Windows XP systems

Used a sophisticated packer

Backdoor gets capabilities from shellcode

Ability to download additional shellcode

- Makes for a versatile backdoor

Page 20

Data Theft

Attacker used domain controller as pivot point into retail environment

- The retail domain had a two-way trust with the corporate domain

- The store registers ran Microsoft Windows XP

- The store registers were joined to the retail domain

Deployed card harvesting malware to registers throughout the environment

Malware wrote stolen track data to temporary MSSQL database

Attacker queried database to collect stolen track data

Transferred files off of network using FTP

Page 21

A Retailer Case Study

Page 22

Protect Yourself

Secure remote access

- Two-factor authentication required

Secure access to the PCI environment

- Segment the PCI environment

- Require access through internal jump server

Deploy application-whitelisting on critical assets

- Protect the POS servers and registers

Manage privileged accounts

- Control access

Page 23

TREND 3: The Evolving Attack Lifecycle

Page 24

Trend 3: The Evolving Attack Lifecycle

Threat actors have used stealthy new tactics to move laterally and maintain persistence in victim environments.

Page 25

Attack Lifecycle

Page 26

Hijacking the VPN

Heartbleed vulnerability

Single-factor authentication & credential theft

Bypassing two-factor authentication

Dumping certificates with Mimikatz (Image Source: www.darkoperator.com)

Page 27

Password Harvesting

Clear-text passwords in memory

“Golden Ticket” Kerberos attack

Malicious security packages

“Victims quickly learned that the path from a few infected systems to complete compromise of an Active Directory domain could be incredibly short.”

Page 28

Persisting with WMI

Page 29

Persisting with WMI

Page 30

Persisting with WMI

Page 31

TREND 4: Blurred Lines – Criminal and APT Actors Take a Page from Each Other’s Playbook

Page 32

Trend 4: Blurred Lines – Criminal and APT Actors Take a Page from Each Other’s Playbook

As actors' tactics merge, discerning their goals becomes critical to gauging the impact of incidents.

Page 33

Tactical Overlaps between Cybercriminals and APT Groups

Interactive social engineering & social media presence

Custom malware and tools, development on the fly

Effective lateral movement and long-term persistence

Repeated, wide scale data theft

Page 34

From Russia with Ambiguity: Intent Matters

Russia-based cyber activity

- Nation state espionage

- Cybercrime

- Gray area...

APT28 and “Sandworm”

- Use of BlackEnergy (traditionally crimeware) to target Industrial Control Systems

Intent & motive matters

Page 35

Conclusion

Organizations are under increasing pressure to disclose details of breaches and to provide attribution

Retail remains a top target as attackers found more victims

Threat actors have adopted stealthy new tactics to hide in compromised environments

Attribution is becoming harder as the lines blur between tactics used by cyber criminals and nation-state actors

Page 36

GHOST MALWARE AND ZERO-DAYS: Interesting Data Points and Trends

Page 37

Malware Lifespan Analysis

Total pool of malware samples versus lifespan (in hours)

[Chart: number of samples (0 to 300,000) against lifespan in hours (0 to 7), with one series each for 2012, 2013 and 2014]

Page 38

Ghost Hunting with Antivirus

Source - http://www.fireeye.com/blog/corporate/2014/05/ghost-hunting-with-anti-virus.html

70% of Malware Exists Only Once

82% of Malware Disappears After One Hour

Page 39

Malware Lifecycle Development – Supply Chain Comparison

Source - http://www.fireeye.com/blog/corporate/2014/05/ghost-hunting-with-anti-virus.html

Lifecycle – Days to Weeks

Lifecycle – Days

Page 40

Document Exploit Kits

Effective document exploit kits emerging in underground forums

New version of Microsoft Word Intruder (MWI) includes ability to track the effectiveness of the campaign

- Marketed as an APT tool. Author limits user base and forbids use as part of spam campaigns.

- Allows the operators to track multiple campaigns, conversion rates (i.e. successful exploitations), and information about their victims using MWISTAT package

- The latest version of MWI 4.0 has been advertised as containing multiple exploits, including:

• CVE-2010-3333

• CVE-2012-0158

• CVE-2013-3906

• CVE-2014-1761

• Payload – Chthonic (Zeus variant with Andromeda packaging characteristics)

Huge increase in macros versus exploits
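The slide closes on the shift from document exploits to macros, which changes the triage question from "which CVE does this file hit?" to "does this file carry VBA at all?". The script below is an added example (not code from the presentation or from any FireEye tool) of that check for modern OOXML documents: it looks inside the zip container for a `vbaProject.bin` part and for macro-enabled content types, so a `.docm` renamed to `.docx` is still caught. Legacy binary (OLE) documents are only recognised by their magic bytes and reported for inspection with a dedicated OLE parser; the sample documents are built in memory and are constructed, not real malware.

```python
"""Triage check: does an Office document carry VBA macro code?

Added example, not from the presentation or from FireEye/Mandiant. Assumes
OOXML (zip) containers; legacy OLE files are flagged, not parsed. The sample
documents built by build_sample_docx() are constructed for illustration.
"""
import io
import zipfile
from typing import Dict

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # compound file header (legacy .doc/.xls)
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_MAIN_TYPE_FRAGMENT = ".macroEnabled.main+xml"  # e.g. vnd.ms-word.document.macroEnabled.main+xml


def inspect_office_file(data: bytes) -> Dict[str, object]:
    """Report the container type and any VBA evidence found, independent of the file extension."""
    result: Dict[str, object] = {"container": "unknown", "has_vba": False, "vba_parts": [], "notes": []}
    if data.startswith(OLE_MAGIC):
        result["container"] = "ole"
        result["notes"].append("legacy binary document: check for a VBA storage with an OLE parser")
        return result
    if not data.startswith(b"PK"):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["container"] = "ooxml"
        # 1. A VBA project part anywhere in the package (word/, xl/, ppt/ ...).
        parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        # 2. Content types declaring a vbaProject part or a macro-enabled main part.
        ctypes = ""
        if "[Content_Types].xml" in names:
            ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
        if VBA_CONTENT_TYPE in ctypes:
            result["notes"].append("[Content_Types].xml declares a vbaProject part")
        if MACRO_MAIN_TYPE_FRAGMENT in ctypes:
            result["notes"].append("[Content_Types].xml declares a macro-enabled main document")
        result["vba_parts"] = parts
        result["has_vba"] = bool(parts) or VBA_CONTENT_TYPE in ctypes
    return result


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (illustrative only, not a real document)."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     f'{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is itself an OLE compound file; placeholder bytes suffice here.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)), ("macro", build_sample_docx(True))):
        print(label, inspect_office_file(doc))
```

Presence of VBA is not maliciousness by itself; the value of the check is that it is cheap enough to run on every inbound attachment and routes the macro-bearing files to sandboxing or analyst review regardless of what they are named.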

Page 41

Flash Exploits in 2015

Web exploit targets in the last few years

- Java – peaked in 2013 but dropped in January 2014 when Oracle blocked the execution of unsigned applets

- Internet Explorer – Decreased in June 2014 when MSFT introduced multiple heap corruption mitigations

- Adobe Flash – shift to Flash exploitation starting at the end of 2014

• Existing ASLR bypass mechanisms continue to allow for bug exploitation

• Advanced obfuscation techniques used to avoid detection

- Environmental checks (debugger, software version, OS language, browser type, …)

- Encryption, compression, FlashVars, data in external resource, …

- Multiple commercial Flash obfuscation tools available: DoSWF and SecureSWF

» Slows down automated analysis
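Compression is the first of the obfuscation layers listed above that an analyst has to get through, and the SWF container makes it explicit in its signature. The parser below is an added example (not code from the presentation or from any FireEye tool) that follows the SWF file format specification far enough to be useful in triage: it identifies the compression scheme (FWS uncompressed, CWS zlib, ZWS LZMA), inflates the body, walks the tag stream, and flags two tags worth a second look, DoABC (ActionScript 3 bytecode) and DefineBinaryData (a common place to stash an encrypted second-stage blob). The tag-name table is a small hand-picked subset; the samples it builds are constructed in memory and contain no real ActionScript.

```python
"""Parse an SWF container far enough to see what compression and which tags a Flash file carries.

Added example, not from the presentation or from FireEye. Layout follows the SWF file format
specification (signature, version, uncompressed length, frame RECT, frame rate and count, tags).
The tag-name table is a small subset; anything else is reported as Unknown(code). Samples from
build_sample_swf() are constructed and contain no real ActionScript.
"""
import lzma
import struct
import zlib
from typing import Dict, List, Tuple

TAG_NAMES = {0: "End", 1: "ShowFrame", 9: "SetBackgroundColor", 12: "DoAction",
             69: "FileAttributes", 82: "DoABC", 87: "DefineBinaryData"}
DOABC, DEFINE_BINARY_DATA = 82, 87


def _lzma1_filters(props: bytes) -> list:
    """Turn the 5-byte LZMA properties header (lc/lp/pb byte + UI32 dict size) into a raw filter chain."""
    pb, rest = divmod(props[0], 45)
    lp, lc = divmod(rest, 9)
    dict_size = struct.unpack("<I", props[1:5])[0]
    return [{"id": lzma.FILTER_LZMA1, "dict_size": dict_size, "lc": lc, "lp": lp, "pb": pb}]


def parse_swf(data: bytes) -> Dict[str, object]:
    """Return compression type, header fields, the tag list and simple analyst flags."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not an SWF file")
    sig, version, declared_len = data[:3], data[3], struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        compression, body = "none", data[8:]
    elif sig == b"CWS":
        compression, body = "zlib", zlib.decompress(data[8:])
    else:  # ZWS: UI32 compressed length, 5 LZMA property bytes, then the raw LZMA1 stream
        compression = "lzma"
        body = lzma.decompress(data[17:], format=lzma.FORMAT_RAW, filters=_lzma1_filters(data[12:17]))
    # Frame-size RECT: a 5-bit Nbits field followed by four Nbits-wide values, byte padded.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8
    frame_rate = struct.unpack("<H", body[pos:pos + 2])[0] / 256.0   # 8.8 fixed point
    frame_count = struct.unpack("<H", body[pos + 2:pos + 4])[0]
    pos += 4
    tags: List[Tuple[int, str, int]] = []
    truncated = False
    while pos + 2 <= len(body):
        code_and_len = struct.unpack("<H", body[pos:pos + 2])[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:  # long form: an explicit UI32 length follows the header
            length = struct.unpack("<I", body[pos:pos + 4])[0]
            pos += 4
        if pos + length > len(body):
            truncated = True
            break
        tags.append((code, TAG_NAMES.get(code, f"Unknown({code})"), length))
        pos += length
        if code == 0:
            break
    return {
        "compression": compression, "version": version,
        "declared_length_ok": declared_len == 8 + len(body),
        "frame_rate": frame_rate, "frame_count": frame_count,
        "tags": tags, "truncated": truncated,
        "has_actionscript3": any(t[0] == DOABC for t in tags),
        "embedded_binary_bytes": sum(t[2] for t in tags if t[0] == DEFINE_BINARY_DATA),
    }


def build_sample_swf(kind: str = "CWS", version: int = 10) -> bytes:
    """Construct a tiny SWF (constructed sample): FileAttributes, DoABC, DefineBinaryData, ShowFrame, End."""
    rect = b"\x0a\x80"  # Nbits=1, xmin=0 xmax=1 ymin=0 ymax=1: 9 bits, padded to 2 bytes
    header_rest = rect + struct.pack("<H", 24 * 256) + struct.pack("<H", 1)  # 24.0 fps, 1 frame
    tags = (struct.pack("<H", (69 << 6) | 4) + b"\x08\x00\x00\x00"      # FileAttributes, 4 bytes
            + struct.pack("<H", (82 << 6) | 10) + b"\x00" * 10          # DoABC, placeholder body
            + struct.pack("<HI", (87 << 6) | 0x3F, 70) + b"\xaa" * 70   # DefineBinaryData, long form
            + struct.pack("<H", 1 << 6)                                  # ShowFrame
            + struct.pack("<H", 0))                                      # End
    body = header_rest + tags
    head = bytes([version]) + struct.pack("<I", 8 + len(body))
    if kind == "FWS":
        return b"FWS" + head + body
    if kind == "CWS":
        return b"CWS" + head + zlib.compress(body)
    props = bytes([(2 * 5 + 0) * 9 + 3]) + struct.pack("<I", 1 << 16)  # pb=2, lp=0, lc=3, 64 KiB dict
    comp = lzma.compress(body, format=lzma.FORMAT_RAW, filters=_lzma1_filters(props))
    return b"ZWS" + head + struct.pack("<I", len(comp)) + props + comp


if __name__ == "__main__":
    for kind in ("FWS", "CWS", "ZWS"):
        print(kind, parse_swf(build_sample_swf(kind)))
```

The `declared_length_ok` and `truncated` flags matter in practice: a body whose real size disagrees with the header, or a tag stream that runs off the end of the file, is either a damaged sample or a deliberately malformed one, and both deserve a human rather than an automated verdict.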

Page 42

Flash Campaign to Payload Mappings

Page 43

VirusTotal (VT) Detection Rates vs Time for earliest samples utilizing high-profile Flash and IE/Flash exploits

Page 44

THANK YOU

Page 45

Free Resources

Available on www.mandiant.com

‒ Redline

‒ IOC Editor

‒ IOC Finder

‒ Memoryze

‒ Memoryze for Mac

‒ Highlighter

‒ ApateDNS

‒ Heap Inspector

‒ PdbXtract