Upload File

ashwin & rushikesh as an attack... · amazon s3 → downloader, c&c getnativesysteminfo os...

  • Home
  • Documents
  • Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using
36
2020 © Netskope. All rights reserved. Cloud as an attack vector Ashwin & Rushikesh

Upload: others

Post on 07-Aug-2020

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

2020 © Netskope. All rights reserved.

Cloud as an attack vectorAshwin & Rushikesh

Page 2: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Rushikesh Vishwakarma

● Member of Technical Staff, Netskope

○ Cloud Security Enthusiast

○ Identifying the malware & phishing services using cloud

○ https://www.netskope.com/blog/author/rushikeshvishwakarma

Page 3: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Ashwin Vamshi

● Staff Security Research Engineer, Netskope

○ Interest in targeted attacks and malwares using cloud services

○ Speaker @ RSA, Defcon, Bsides

○ https://www.netskope.com/blog/author/ashwinvamshi

○ https://www.linkedin.com/in/ashwinvamshi

Page 4: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Cloud Transformation

❖ Enterprises are moving towards Cloud

➢ The traffic has moved from static websites to cloud

❖ Evaluations ?

➢ Do we know what is shared responsibility ?

■ Are we having enough controls ?

➢ What is our security posture ?

❖ Threat actors

➢ I can haz Cloud

Page 5: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using
Page 6: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Cloud Security Posture

Page 7: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

File Infrastructure Platform

Malware in the Cloud

Page 8: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Motivation for Threat actors to use Cloud

❖ Implicit trust

❖ Ease of use and abuse

❖ Reduces the infrastructure overhead

❖ More powerful than traditional hosting or computing services

❖ Significantly cheaper than traditional attack methods (No DGA or BPH needed)

❖ Protection by default (encrypted traffic, API driven communication, etc)

Page 9: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Alright … Light, action, Cloud

Page 10: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

10

https://exceldocshare.blob.core.windows.net

q3vdQApX

[email protected]

Page 11: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Agenda

❖ Detail specific attack patterns with the theme: Malware in the Cloud (MITC)

➢ Cloud as a malware hosting platform

➢ Cloud as a command and control channel

➢ Cloud as a platform to spread malware

➢ Cloud as a platform to host Crimeware as a Service

❖ How to protect against cloud threats

Page 12: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

2020 © Netskope. All rights reserved.

Cloud as a malware hosting platform

Page 13: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Cloud squirrel

❖ Infostealer campaign

➢ Targets Brazilian users

❖ Infection vector

➢ Phishing email attachment with double extension

➢ Embedded link to a cloud service → JAR file

❖ Multi-stage cloud app abuse

➢ Jelastic → CloudApp → AmazonAWS → Dropbox

❖ Downloads next stage DES encrypted payloads

https://www.netskope.com/blog/netskope-threat-research-labs-technical-analysis-cloudsquirrel-malware-2

https://www.netskope.com/blog/netskope-threat-research-labs-technical-analysis-cloudsquirrel-malware-2
Page 14: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Servint Jelastic

AWS

CnC

View.exe

Views.exe

igftray.exe

OutFileBreak.exe

Olgfnswv.exe

Encrypted DESPayloads

JAR File

Exfiltrated Data

Machine Data

CloudApp

Cloud squirrel depiction

DropBox

CnC

CnCClean up

1

2

3

Page 15: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

ShortJSRAT

❖ Scriptlets using the “Squiblydoo” technique

❖ Bypasses application whitelisting solutions like Windows Applocker

❖ Uses Cloud services for downloading the next stage payloads

➢ Google Shortener, Dropbox, Github

https://www.netskope.com/blog/shortjsrat-leverages-cloud-scriptlets

https://www.netskope.com/blog/shortjsrat-leverages-cloud-scriptlets
Page 16: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Dropbox Cloud Storage

http://goo.gl/kq92ka

Dropbox/1.sct

1.sct

2.sct

ShortJSRAT Depiction

1

2

Dropbox/2.sct

Page 17: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

2020 © Netskope. All rights reserved.

Cloud as a command and control channel

Page 18: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Xbooster parasitic miner

❖ Parasitic Monero mining malware campaign

❖ Pay-per-install (PPI) & pay-per-click (PPC)

❖ Amazon S3 → Downloader, C&C

❖ GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS

■ 401.52 XMR (~$100,000) using 21 unique Monero accounts & 293 workers

https://www.netskope.com/blog/xbooster-parasitic-monero-mining-campaign

https://www.netskope.com/blog/xbooster-parasitic-monero-mining-campaign
Page 19: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Drive by Download

Pay per Install

1

3

2

4

DistribLauncher.exe

Xmrig.exe

Distrib.zip

Manager.exe

DBupdater.exe log.txt

Victim Machine details

Amazonytracker.cf/click.php?cnv_id

Xbooster Depiction

EC2/Silent updater

stratum+tcp://xmr-eu1.nanopoll.org:14444

AWS/distrib.zip

AWS/DBUpdater.exe

Page 20: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

2020 © Netskope. All rights reserved.

Cloud as a platform to spread malware

Page 21: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Malware fanout

❖ Malware infection spreading through cloud

❖ Virlock (Wormed Ransomware )

➢ Infects and encrypts files

➢ Infected files propagate via cloud

➢ Victims implicitly trust internally shared files

❖ Rapidly the entire peer network is infected

https://www.netskope.com/blog/cloud-malware-fan-virlock-ransomware

https://www.netskope.com/blog/stepping-stone-attack-launches-eternalblue-internally

https://www.netskope.com/blog/cloud-malware-fan-virlock-ransomware
https://www.netskope.com/blog/stepping-stone-attack-launches-eternalblue-internally
Page 22: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Cloud Sync

Cloud Storage

Embedded LNK document EternalBlue Exploit

Embedded LNK document

Embedded LNK document

EternalBlue Exploit

Shared Users

Eternal Blue + cloud fanout

Email Attachment with Embedded LNK

Page 23: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Cloud phishing fanout

❖ Victim shares bait via cloud app

➢ Secondary propagation vector - cloud sync email attachments

➢ Secondary victims lose context - where did the file originally come from?

❖ “Default allow” action in popular PDF readers

➢ No warnings after you allow a domain

➢ Attacker can easily deploy multiple attacks over same domain

https://www.netskope.com/blog/decoys-phishing-cloud-latest-fan-effect

https://www.netskope.com/blog/decoys-phishing-cloud-latest-fan-effect
Page 24: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Whats next !!!

https://www.dropbox.com/s/31x4e7a25kp2tuk/scan_0009182764501.exe?dl=1

Page 25: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Default Allow policy

Page 26: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Did you audit trust manager ?

Page 27: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Pardot CRM attack

❖ Spreads via Salesforce Pardot

➢ 12 unique URLs

❖ Pardot delivers infected zip

❖ Zip contains malicious lnk file

❖ Lnk file downloads Trickbot from Google docs

https://www.netskope.com/blog/pardot-crm-attack

https://www.netskope.com/blog/pardot-crm-attack
Page 28: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Google Drive

Pardot CRM

Readme_print_doc.lnk

Partner

Vendor

User

Victim

storage.pardot.com/../Readm_Print.zip

NaFhl.exe

docs.google.com/../3829_93_93.pdf

Pardot CRM Attack Depiction

1

23

4

Page 29: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

2020 © Netskope. All rights reserved.

Cloud as a platform to host crimeware as a service

Page 30: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using
Page 31: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

❖ PhaaS: Hosted in Amazon, Evennode, Now.

❖ Phishing pages hosted in Pomf clones

➢ SSL powered

➢ Designed to mimic login pages of

popular services like Microsoft, Google

Docs, Dropbox, and DocuSign

❖ Victims credentials recorded via websockets

Hackshit - Phishing as a Service

https://www.netskope.com/blog/resurgence-of-phishing-as-a-service-phaas-platforms

https://www.netskope.com/blog/resurgence-of-phishing-as-a-service-phaas-platforms
Page 32: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Hackshit PhaaS - Generator Page

Page 33: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Cloud-enabled kill chain

33

Cloud Security Posture

TacticsTechniquesProcedures

SSL poweredValid domain / Certificate

CollaborationSyncFanout effects

Cloud Payloads / MalwareWhitelisted / Popular Domains/IPs

Stage downloaderC&C

Data ExfiltrationLateral Movement

Page 34: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Cloud malware commonalities

❖ Users trust cloud services

❖ Users trust cloud files shared by coworkers and partners

❖ Blocking cloud malware is hard - you can’t just block the app

Page 35: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Recommendations

❖ Inspect your cloud traffic

❖ Block services you don’t need

❖ Block unsanctioned instances of services you do need

Page 36: Ashwin & Rushikesh As an Attack... · Amazon S3 → Downloader, C&C GetNativeSystemInfo OS Check → Monero addresses allocated for 32 bit and 64 bit OS 401.52 XMR (~$100,000) using

Thank You!

Blognetskope.com/threat-labs

Reportnetskope.com/cloudreport


Build Your Own 32 Bit OS

User ManUal - Digicel · 6 OS supported Windows (32 bit & 64 bit) 7/8/8.1/10 Mac OS X 10.6 to 10.11 with the latest upgrade Connect your Wi-Fi device to your Mobile Hotspot

Hardware/OS Recommendations & General IT Guidelines for · Windows Vista Business or Ultimate 3. Windows 7 Pro or Ultimate (Both 32-bit and 64-bit versions are supported). (OS is

Link-OS Release Notes - Zebra Technologies · •Zebra is announcing that the WLAN securities 40-bit WEP and 128-bit WEP will be removed in the future “Version 6” release of Link-OS

View Power 件介 · Linux SUSE 10 (32-bit & 64-bit) Linux Cent OS 5.x ,6.x(32-bit & 64-bit) Linux Ubuntu 8.X, 9.X, 10.X (32-bit ) Linux Ubuntu 10.X (64-bit) Linux Ubuntu 12.04 (32-bit

64-Bit z/OS Assembler Coding - Tachyon Softwaretachyonsoft.com/s8158.pdf · 64-Bit z/OS Assembler Coding SHARE 101 Washington, DC Session 8158 August, 2003 David Bond Tachyon Software

Redbooks Paper z/OS 64-bit C/C++ and Java Programming Environment Address space size ... to the c89 command to compile 64-bit code under z/OS UNIX System Services

HP Z800 Workstation QuickSpecs - …static.highspeedbackbone.net/pdf/HP_Z800_Workstation_QuickSpecs...HP Linux Installer Kit for Linux (includes drivers for both 32-bit & 64-bit OS

THERMAL PHOTO PRINTER ASK-300 PRINTER DRIVER SOFTWARE · OS : Windows XP, Windows Vista (32-bit or 64-bit type), Windows 7 (32-bit or 64-bit type), Windows 8 (32-bit or 64-bit type)

XMR™ Basics - Ultraflex...Run Campaign on XMR. 11 From initial roll-out to final change-out, XMR is the ideal solution for cutting edge campaigns. Adhesive Vinyl Rigid Board XMR

electrical xmr

OS X Mountain Lion - Apple · OS X was the first operating system to ship as a single install that could boot into either a 32-bit or 64-bit kernel, either of which could run 32-bit

Vembu BDR Backup Server & OffsiteDR Server · Microsoft Windows Server 2008 R2 (64-bit) Ubuntu 12.04 LTS (64-bit) Ubuntu 14.04 LTS (64-bit) OS Backup and Replication ... OffsiteDR

32 bit OS

64 bit CPU Android 5.1.1 os Android 5.1.1 os HDMI 2.0 HDMI 2.0 I68 TV BOX is the newest one

Oracle 10.2 for z/OS Outsmarting the 31 Bit Line

Windows CE. Product Overview Windows CE What Is Windows CE? 32-bit, real-time, multitasking OS 32-bit, real-time, multitasking OS Highly componentized

Example XmR Chart

PGI Release Notes for Intel 64 and AMD64 CPUs · ‣ 64-bit OS X – supported on 64-bit Apple operating systems running on a 64-bit Intel-based Mac system. Both 64-bit and 32-bit

Sailfish OS Hardware Adaptation Development Kit …...Sailfish OS Hardware Adaptation Development Kit Documentation v3.3.0.0 2.2Build Machine •A 64-bit x86 machine with a 64-bit

Enterprise Suite 3.1 and Explorer for Administration · ES 3.1 - SOAP Gateway •64-bit support for z/OS –SOAP Gateway now runs on the z/OS platform in 64-bit mode, allowing organizations

Promira Serial Platform - Total Phase · 5.1.4 Mac OS X Compatibility The Promira Serial Platform software is compatible 32-bit and 64-bit Intel versions of Mac OS X 10.7 Lion, 10.8

Intel® VTune™ Amplifier XE 2017 Release Notes - OS X* · • OS X* 10.10.* • OS X* 10.11.* NOTE: • 32-bit graphical user interface support is removed. A 64-bit operating system

64 bit RHEL 6 Update 2 OS Upgrade

Blackboard Collaborate 11 - ...1.Mac o OS X 10.5 (32 bit with 32 bit JVM) o OS X 10.6 (64 bit with 32 bit JVM) ... the problem, contact Blackboard Collaborate’s 24x7 support team

NetIron XMR & NetIron MLX Diagnostic Reference - Netadm · NetIron XMR and NetIron MLX Diagnostic Reference Guide iii 53-1001729-01 DRAFT: BROCADE CONFIDENTIAL ... NetIron XMR and

Linux OS (Or) Open Source Operating System · PDF file1 Linux OS (Or) Open Source Operating System Getting Start with Linux OS What is Linux? Linux OS [m True 32-bit Operating System

Installation of Php-mysql-joomla on Windows Server 2008 32 Bit OS

OS X Yosemite - Appleat full native performance. OS X now exclusively uses a 64-bit kernel, but it continues to run both 32-bit and 64-bit applications. With its 64-bit kernel, OS

MICRO-BIT TECHNOLOGY, INC. MP200 Presentation. Micro-Bit MP200 Presentation Overview l Operator Interface l Discrete I/Os l Analog I/Os l Motion controller

Kaye LabWatch® LT - Instrumart• Dialogic Diva Analog 2p PCIe Board • Dialogic Diva 64 bit (for 64 bit OS), 32 bit (for 32 bit OS) drivers. • OS: Windows XP or Windows 7 (32

XMR Intro Presentation - 2015

Epiphan AV.io HD™ · AV.ioHDUserGuide Technicalspecifications cannotbecaptured LED LEDindicatesthestatusofAV.ioHD OS support (32-bit and 64-bit) Windows7,Windows8.1,Windows10

DATA SHEET BROCADE NETIRON XMR 4000, 8000 16000, …...(VOQ) architectures, packet buffering, and packet scheduling, the NetIron XMR routers offer non-blocking packet forwarding and

FileMaker Server 11 · Mac OS X und Mac OS X Server Version 10.6.1 8 ... Hinweis Unter Windows 64-Bit-Editionen benö tigt FileMaker Server die 32-Bit- Version von Java 6 Update 16