ashwin & rushikesh as an attack... · amazon s3 → downloader, c&c getnativesysteminfo os...
TRANSCRIPT
![Page 1: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/1.jpg)
2020 © Netskope. All rights reserved.
Cloud as an attack vectorAshwin & Rushikesh
![Page 2: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/2.jpg)
Rushikesh Vishwakarma
● Member of Technical Staff, Netskope
○ Cloud Security Enthusiast
○ Identifying the malware & phishing services using cloud
○ https://www.netskope.com/blog/author/rushikeshvishwakarma
![Page 3: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/3.jpg)
Ashwin Vamshi
● Staff Security Research Engineer, Netskope
○ Interest in targeted attacks and malwares using cloud services
○ Speaker @ RSA, Defcon, Bsides
○ https://www.netskope.com/blog/author/ashwinvamshi
○ https://www.linkedin.com/in/ashwinvamshi
![Page 4: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/4.jpg)
Cloud Transformation
❖ Enterprises are moving towards Cloud
➢ The traffic has moved from static websites to cloud
❖ Evaluations ?
➢ Do we know what is shared responsibility ?
■ Are we having enough controls ?
➢ What is our security posture ?
❖ Threat actors
➢ I can haz Cloud
![Page 5: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/5.jpg)
![Page 6: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/6.jpg)
Cloud Security Posture
![Page 7: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/7.jpg)
File Infrastructure Platform
Malware in the Cloud
![Page 8: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/8.jpg)
Motivation for Threat actors to use Cloud
❖ Implicit trust
❖ Ease of use and abuse
❖ Reduces the infrastructure overhead
❖ More powerful than traditional hosting or computing services
❖ Significantly cheaper than traditional attack methods (No DGA or BPH needed)
❖ Protection by default (encrypted traffic, API driven communication, etc)
![Page 9: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/9.jpg)
Alright … Light, action, Cloud
![Page 11: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/11.jpg)
Agenda
❖ Detail specific attack patterns with the theme: Malware in the Cloud (MITC)
➢ Cloud as a malware hosting platform
➢ Cloud as a command and control channel
➢ Cloud as a platform to spread malware
➢ Cloud as a platform to host Crimeware as a Service
❖ How to protect against cloud threats
![Page 12: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/12.jpg)
2020 © Netskope. All rights reserved.
Cloud as a malware hosting platform
![Page 13: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/13.jpg)
Cloud squirrel
❖ Infostealer campaign
➢ Targets Brazilian users
❖ Infection vector
➢ Phishing email attachment with double extension
➢ Embedded link to a cloud service → JAR file
❖ Multi-stage cloud app abuse
➢ Jelastic → CloudApp → AmazonAWS → Dropbox
❖ Downloads next stage DES encrypted payloads
https://www.netskope.com/blog/netskope-threat-research-labs-technical-analysis-cloudsquirrel-malware-2
![Page 14: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/14.jpg)
Servint Jelastic
AWS
CnC
View.exe
Views.exe
igftray.exe
OutFileBreak.exe
Olgfnswv.exe
Encrypted DESPayloads
JAR File
Exfiltrated Data
Machine Data
CloudApp
Cloud squirrel depiction
DropBox
CnC
CnCClean up
1
2
3
![Page 15: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/15.jpg)
ShortJSRAT
❖ Scriptlets using the “Squiblydoo” technique
❖ Bypasses application whitelisting solutions like Windows Applocker
❖ Uses Cloud services for downloading the next stage payloads
➢ Google Shortener, Dropbox, Github
https://www.netskope.com/blog/shortjsrat-leverages-cloud-scriptlets
![Page 16: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/16.jpg)
Dropbox Cloud Storage
http://goo.gl/kq92ka
Dropbox/1.sct
1.sct
2.sct
ShortJSRAT Depiction
1
2
Dropbox/2.sct
![Page 17: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/17.jpg)
2020 © Netskope. All rights reserved.
Cloud as a command and control channel
![Page 18: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/18.jpg)
Xbooster parasitic miner
❖ Parasitic Monero mining malware campaign
❖ Pay-per-install (PPI) & pay-per-click (PPC)
❖ Amazon S3 → Downloader, C&C
❖ GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS
■ 401.52 XMR (~$100,000) using 21 unique Monero accounts & 293 workers
https://www.netskope.com/blog/xbooster-parasitic-monero-mining-campaign
![Page 19: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/19.jpg)
Drive by Download
Pay per Install
1
3
2
4
DistribLauncher.exe
Xmrig.exe
Distrib.zip
Manager.exe
DBupdater.exe log.txt
Victim Machine details
Amazonytracker.cf/click.php?cnv_id
Xbooster Depiction
EC2/Silent updater
stratum+tcp://xmr-eu1.nanopoll.org:14444
AWS/distrib.zip
AWS/DBUpdater.exe
![Page 20: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/20.jpg)
2020 © Netskope. All rights reserved.
Cloud as a platform to spread malware
![Page 21: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/21.jpg)
Malware fanout
❖ Malware infection spreading through cloud
❖ Virlock (Wormed Ransomware )
➢ Infects and encrypts files
➢ Infected files propagate via cloud
➢ Victims implicitly trust internally shared files
❖ Rapidly the entire peer network is infected
https://www.netskope.com/blog/cloud-malware-fan-virlock-ransomware
https://www.netskope.com/blog/stepping-stone-attack-launches-eternalblue-internally
![Page 22: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/22.jpg)
Cloud Sync
Cloud Storage
Embedded LNK document EternalBlue Exploit
Embedded LNK document
Embedded LNK document
EternalBlue Exploit
Shared Users
Eternal Blue + cloud fanout
Email Attachment with Embedded LNK
![Page 23: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/23.jpg)
Cloud phishing fanout
❖ Victim shares bait via cloud app
➢ Secondary propagation vector - cloud sync email attachments
➢ Secondary victims lose context - where did the file originally come from?
❖ “Default allow” action in popular PDF readers
➢ No warnings after you allow a domain
➢ Attacker can easily deploy multiple attacks over same domain
https://www.netskope.com/blog/decoys-phishing-cloud-latest-fan-effect
![Page 24: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/24.jpg)
Whats next !!!
https://www.dropbox.com/s/31x4e7a25kp2tuk/scan_0009182764501.exe?dl=1
![Page 25: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/25.jpg)
Default Allow policy
![Page 26: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/26.jpg)
Did you audit trust manager ?
![Page 27: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/27.jpg)
Pardot CRM attack
❖ Spreads via Salesforce Pardot
➢ 12 unique URLs
❖ Pardot delivers infected zip
❖ Zip contains malicious lnk file
❖ Lnk file downloads Trickbot from Google docs
https://www.netskope.com/blog/pardot-crm-attack
![Page 28: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/28.jpg)
Google Drive
Pardot CRM
Readme_print_doc.lnk
Partner
Vendor
User
Victim
storage.pardot.com/../Readm_Print.zip
NaFhl.exe
docs.google.com/../3829_93_93.pdf
Pardot CRM Attack Depiction
1
23
4
![Page 29: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/29.jpg)
2020 © Netskope. All rights reserved.
Cloud as a platform to host crimeware as a service
![Page 30: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/30.jpg)
![Page 31: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/31.jpg)
❖ PhaaS: Hosted in Amazon, Evennode, Now.
❖ Phishing pages hosted in Pomf clones
➢ SSL powered
➢ Designed to mimic login pages of
popular services like Microsoft, Google
Docs, Dropbox, and DocuSign
❖ Victims credentials recorded via websockets
Hackshit - Phishing as a Service
https://www.netskope.com/blog/resurgence-of-phishing-as-a-service-phaas-platforms
![Page 32: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/32.jpg)
Hackshit PhaaS - Generator Page
![Page 33: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/33.jpg)
Cloud-enabled kill chain
33
Cloud Security Posture
TacticsTechniquesProcedures
SSL poweredValid domain / Certificate
CollaborationSyncFanout effects
Cloud Payloads / MalwareWhitelisted / Popular Domains/IPs
Stage downloaderC&C
Data ExfiltrationLateral Movement
![Page 34: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/34.jpg)
Cloud malware commonalities
❖ Users trust cloud services
❖ Users trust cloud files shared by coworkers and partners
❖ Blocking cloud malware is hard - you can’t just block the app
![Page 35: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/35.jpg)
Recommendations
❖ Inspect your cloud traffic
❖ Block services you don’t need
❖ Block unsanctioned instances of services you do need
![Page 36: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using](https://reader034.vdocuments.us/reader034/viewer/2022050511/5f9b6e787c900e5b154268d0/html5/thumbnails/36.jpg)
Thank You!
Blognetskope.com/threat-labs
Reportnetskope.com/cloudreport