CSW 2017 - Kyle Ehmke - Lots of Squats: APTs Never Miss Leg Day
TRANSCRIPT
© 2016 ThreatConnect, Inc. All Rights Reserved | All material confidential and proprietary@ThreatConnect
Lots of Squats: APTs Never Miss Leg Day
March 17, 2017
Agenda
• Spoofed domains
• Notable breaches
• Tools
• Strategic view of spoofed domain registrations
• Tactical view
• Conclusions
The First Look Vulnerability
Rescuing Leia
• Because everything has a Star Wars corollary
Spoofed domains
• Exploit the inherent and immediate trust that we place in the familiar
• Target the organization or another organization/technology pertinent to operation
Types
• Typosquats
• Look alikes
• Letter swaps
• Sticky keys
Pop Quiz Example
A) gooqle.com
B) googIe.com
C) qoogle.com
D) gcogle.com
Pop Quiz Example
Use a lowercase “q” in place of a “g”
gooqle.com
qoogle.com
Pop Quiz Example
Use a “c” in place of an “o”
gcogle.com
Pop Quiz Example
Use an uppercase “i” instead of a lowercase “L”
googIe.com
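An added example (my code, not from the deck) that labels a candidate domain with the deck's four spoofing types against the legitimate domain it imitates; the confusable-character table is an assumption assembled from the deck's own examples (q for g, c for o, uppercase I and 1 for l, nn for m).

```python
"""Label how a candidate domain spoofs a legitimate one.

Added example, not code from the deck. CONFUSABLES is an assumption built
from the deck's own examples; extend it for the brands you monitor.
"""

# Visually confusable substitutions as (fake, real). Multi-character entries
# come first so "nn" -> "m" is applied before the single-character rules.
CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"),
               ("q", "g"), ("c", "o"), ("I", "l"), ("1", "l"), ("0", "o")]


def label_of(domain: str) -> str:
    """Return the registrable label; '[.]' defanging is undone first."""
    return domain.replace("[.]", ".").split(".")[0]


def normalize(label: str) -> str:
    """Fold confusable characters so a look-alike compares equal to the original."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label.lower()


def classify(candidate: str, legit: str) -> str:
    """Map the candidate to one of the deck's spoofing types, or 'unrelated'."""
    cand, real = label_of(candidate), label_of(legit)
    if cand == real:
        return "identical"
    if normalize(cand) == normalize(real):
        return "look-alike"            # homoglyph substitution(s) only
    if len(cand) == len(real):
        diff = [i for i in range(len(cand)) if cand[i] != real[i]]
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and cand[diff[0]] == real[diff[1]] and cand[diff[1]] == real[diff[0]]):
            return "letter swap"       # two adjacent characters transposed
        if len(diff) == 1:
            return "typosquat"         # one wrong character
    if len(cand) == len(real) + 1:
        for i in range(len(cand)):
            if cand[:i] + cand[i + 1:] == real:   # one extra character at i
                if (i > 0 and cand[i] == cand[i - 1]) or (i + 1 < len(cand) and cand[i] == cand[i + 1]):
                    return "sticky keys"          # the extra character repeats its neighbour
                return "typosquat"
    if len(cand) + 1 == len(real) and any(real[:i] + real[i + 1:] == cand for i in range(len(real))):
        return "typosquat"             # one character dropped
    return "unrelated"
```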
Advanced Persistent Threats (APTs)
Everybody’s doing it
• China
• Russia
Why
• Relatively cheap
• Easy to do
• Effective
• Can obfuscate origin
Operations
• Delivery
• Exploitation
• Command and control
Notable breaches
• Anthem/BCBS entities
• OPM
• DNC/DCCC
Operation types
• Credential harvesting
• Malware dissemination
Notable Breaches
China – DEEP PANDA
Anthem/BCBS
• we11point[.]com
• prennera[.]com
• Chinese registrant resellers
OPM
• opm-learning[.]org
• opmsecurity[.]org
• The Avengers registrants
Russia – FANCY BEAR
DNC/DCCC
• misdepatrment[.]com
• actblues[.]com
• Fake personas
So What?
Has become a TTP
• Specific actors employing spoofing against specific sectors
• There is a trend to look for
Domain registration precedes operation
• Timeline varies
Operationalize domain registration information
• WHOIS as threat intelligence
We’re Not Playing Whack-a-Mole
Simply reacting on a one-off basis won’t suffice
• Active state
• Predictive state
Leveraging domain registrations as threat intel
• Higher-level strategic intelligence
  • Informs organizational or sector awareness
• In-depth tactical intelligence
  • Provides situational awareness during incidents
Operationalize domain registration information
• Trends in spoofed domain registrations
• Identifying and leveraging APT TTPs
Tools of the Trade
DNSTwist and URLCrazy
• Open source
• Identify spoofed domains for a given domain
DomainTools
• WHOIS
• Typo Finder
• Reverse NS Lookup
• IRIS
Domain Registrations as Strategic Intel
Trends in Registrations
Process
• Identify all domains registered during a given timeframe that spoof provided domains
• Get WHOIS information for all domains
  • Registrant, registrar, create date, registrant email address, country of origin
  • Used Excel
• Remove legitimate registrations as possible
• Investigate WHOIS information to identify trends or patterns
• Correlate possible spikes in activity to current events
Hypothesis
• Keeping track of all of the spoofed domains targeting a given organization or sector can help identify potential activity against that organization or sector.
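The process above as an added example (my code, not ThreatConnect's): constructed registration records are filtered for known-legitimate domains, counted per month from their WHOIS create dates, and months that exceed the baseline are flagged for correlation with current events. The spike rule (at least three registrations and more than three times the median of the other months) is an assumed heuristic, not a threshold from the deck.

```python
"""Flag spikes in spoofed-domain registrations by month.

Added example, not code from the deck. REGISTRATIONS is constructed sample
data (domain, WHOIS create date, registrant country); the spike rule is an
assumed heuristic, not a threshold from the deck.
"""
from collections import Counter
from datetime import date
from statistics import median

# Constructed: a burst of twelve registrations in April 2016, two stragglers,
# and one registration by the brand owner itself that must be filtered out.
REGISTRATIONS = (
    [(f"spoof-{i:02d}.example", date(2016, 4, 1 + i), "CN") for i in range(12)]
    + [("spoof-12.example", date(2016, 7, 20), "CN"),
       ("spoof-13.example", date(2016, 11, 2), "US"),
       ("brand-owned.example", date(2016, 4, 5), "US")]
)


def remove_legitimate(regs, known_good):
    """Drop registrations the organization itself (or a partner) made."""
    return [r for r in regs if r[0] not in known_good]


def monthly_counts(regs, year, country=None):
    """Registrations per month for one year, optionally for one registrant country."""
    counts = Counter()
    for _, created, cc in regs:
        if created.year == year and (country is None or cc == country):
            counts[created.month] += 1
    return [counts[m] for m in range(1, 13)]


def spikes(counts, factor=3.0, min_count=3):
    """Months with at least min_count registrations and more than factor times
    the median of the other eleven months (the baseline); a quiet year with a
    single registration is therefore not reported as a spike."""
    flagged = []
    for month, n in enumerate(counts, start=1):
        baseline = median(counts[:month - 1] + counts[month:])
        if n >= min_count and n > factor * max(baseline, 1):
            flagged.append(month)
    return flagged


if __name__ == "__main__":
    regs = remove_legitimate(REGISTRATIONS, {"brand-owned.example"})
    print(monthly_counts(regs, 2016), spikes(monthly_counts(regs, 2016)))
```

Run per registrant country as well as in total, since the deck's own figures (59 of 280, 70 of 304) single out one country's share of the registrations.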
Organizational Example
Research
• Spoofed domains targeting Anthem BCBS legitimate domains
• 10 domains/organizations
Anthem BCBS Identified
• Over 1400 spoofed domains
• Over 280 in 2015
• 59 of which came from China
Chart: Number of Spoofed Domain Registrations from China Targeting BCBS Entities, 2015
Sector Example
Research
• Spoofed domains targeting six major pharmaceutical companies
Pharmaceutical Industry Identified
• Over 2000 spoofed domains
• 304 in 2015
• At least 70 from China
Findings
Novartis – March 2015
• Three spoofed domains in March
• FDA approves first biosimilar drug
• Beijing lifts price controls on pharmaceuticals
Lilly – November 2015
• Eight spoofed domains in Oct
• Twelve in Nov
• Eli Lilly and China's Innovent expand partnership
• FDA approves cancer drug
Sanofi – April 2016
• Twelve spoofed domains in April
• Two rest of 2016
• Bids for Medivation
• Eczema drug clears trials
What Does This Mean for an Org/Sector?
Spikes in registration activity
• Potentially portend malicious activity
• Necessitate heightened awareness
• May not be malicious
  • May be related to non-cyber events
  • Situational awareness for sectors
WHOIS
• Registrants, email addresses for tracking
• Identify other domains that individuals targeting your organization register
Helps identify threats
• Consistencies with previously identified APTs
• Capabilities, TTPs, and other infrastructure to be aware of
Domain Registrations as Tactical Intel
Pivoting from One Spoofed Domain to Others
Process
• Identify spoofed domain that is particularly suspicious or has been leveraged in malicious activity
• Get WHOIS and/or SOA information for domain
  • Registrant, registrar, create date, registrant email address, country of origin, name server, etc.
• Identify the most unique registration information
• Pivot to other domains using the most unique registration information
Hypothesis
• WHOIS information for an encountered spoofed domain can help us identify an actor’s other spoofed domains that may be leveraged against the same or other targets.
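The pivot process above, together with the "confluence of WHOIS information" the deck later lists under future tracking, as an added example (my code, not ThreatConnect's or DomainTools'). The records are constructed placeholder WHOIS/SOA data, not real registrations; only the two name-server values are taken from the deck.

```python
"""Pivot from one suspicious domain to others sharing its rarest WHOIS/SOA value.

Added example, not code from the deck. RECORDS is constructed placeholder data
(.example domains and registrant values are made up); only the name servers
ns1.ititch.com and 1a7ea920.bitcoin-dns.hosting appear in the deck.
"""
from collections import Counter


def rec(email, registrar, ns, country):
    return {"registrant_email": email, "registrar": registrar, "name_server": ns, "country": country}


RECORDS = {  # constructed sample corpus of spoofed-domain WHOIS/SOA lookups
    "seed-spoof.example":   rec("persona1@mail.example", "Registrar A", "ns1.ititch.com", "PA"),
    "other-spoof.example":  rec("persona1@mail.example", "Registrar B", "ns1.ititch.com", "PA"),
    "third-spoof.example":  rec("persona2@mail.example", "Registrar A", "ns1.ititch.com", "RU"),
    "fourth-spoof.example": rec("persona3@mail.example", "Registrar A", "1a7ea920.bitcoin-dns.hosting", "PA"),
    "benign-one.example":   rec("it@benign.example", "Registrar A", "ns1.benign.example", "US"),
    "benign-two.example":   rec("proxy@privacy.example", "Registrar A", "ns1.benign.example", "US"),
}


def value_counts(records):
    """How many domains carry each (attribute, value) pair."""
    return Counter((k, v) for r in records.values() for k, v in r.items())


def pivot(seed, records, max_shared=10):
    """Return (attribute, value, other domains) for the seed's rarest shared value.

    A value no other domain shares gives nothing to pivot on; a value shared by
    more than max_shared domains (a popular registrar, a whole country) is too
    common to attribute, so both are skipped. Returns None if nothing qualifies."""
    counts = value_counts(records)
    best = None
    for attr, value in records[seed].items():
        shared = counts[(attr, value)] - 1          # exclude the seed itself
        if 0 < shared <= max_shared and (best is None or shared < best[0]):
            best = (shared, attr, value)
    if best is None:
        return None
    _, attr, value = best
    others = sorted(d for d, r in records.items() if d != seed and r.get(attr) == value)
    return attr, value, others


def confluence(records, attrs):
    """Group domains that agree on a combination of attributes, e.g. name server + country."""
    groups = {}
    for domain, r in records.items():
        groups.setdefault(tuple(r[a] for a in attrs), []).append(domain)
    return {key: sorted(ds) for key, ds in groups.items() if len(ds) > 1}
```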
DNC and DCCC Attacks
DNC
• CrowdStrike analysis from mid June
• Identified a FANCY BEAR IP address
• ThreatConnect identified misdepatrment[.]com
  • Spoofs MIS Department
DCCC
• Reporting from mid July identified that same actors compromised DCCC
• Used spoofed domain targeting donation website
• Fidelis identified actblues[.]com vs actblue[.]com
  • Registered day after DNC attack publicized
WHOIS/SOA Information for FB Domains
misdepatrment[.]com actblues[.]com
What Can We Pivot from that is Unique?
misdepatrment[.]com actblues[.]com
• httpconnectsys[.]com
• fastcontech[.]com
• intelsupportcenter[.]com
• intelsupportcenter[.]net
Name Servers
Domains4Bitcoins (1a7ea920.bitcoin-dns.hosting)
• Bitcoins
• ~2500 domains
• Previous associations to FB
  • militaryobserver[.]net
  • sysprofsvc[.]com
  • euronews24[.]info
  • naoasch[.]com
  • storsvc[.]org
ITitch (ns1.ititch.com)
• Bitcoins
• ~2100 domains
Hundreds of Spoofed Domains on Name Servers
Subset for 1&1 Email Domains
Domains4Bitcoins (1a7ea920.bitcoin-dns.hosting)
ITitch (ns1.ititch.com)
What Does This Mean for an Org/Sector?
Relevant threat intelligence
• During incidents
• Actor pivoting
• Historical registrations for reviewing previous activity
WHOIS
• Identify other domains that individuals targeting your organization register
Future tracking
• Registrant email addresses
• Name servers
• Confluence of WHOIS information
Caveats
Findings merit additional research
• Spoofed domains are not necessarily malicious
• Tracking domains may help identify if/when they are operationalized
  • Hosting information
  • Slice and dice the WHOIS
Legitimate domains
• Some domains, like lilly.com, inherently have false positives
• Baseline activity to identify spikes
• Also requires an understanding of your organization’s assets
Importance of sharing
• Impossible to do this type of research for all of the organizations/technologies that your organization may be involved with
• Sharing intelligence derived from this type of research facilitates other organizations’ defensive efforts
Conclusions
Leverage intelligence from spoofed domain registrations
Not cost prohibitive
• Lower amount of resources
• Some tools openly available
Strategic and tactical research
• Focuses on a common TTP
• Provides situational and tactical awareness
Helps defend your organization and others
• Sharing is caring
• Cyber security karma