TRANSCRIPT
1 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net
© 2015 HITRUST Alliance. All Rights Reserved.
Monthly Cyber Threat Briefing September 2015
Presenters/Agenda
• Majed Oweis: Team Lead, US-CERT
• Thomas Skybakmoen: Research Vice President, NSS Labs, Inc.
• Tawfiq Shah: Senior Threat Intelligence Analyst, Armor
• Aaron Shelmire: Senior Security Researcher, Threatstream
• Dennis Palmer: Senior Security Analyst, HITRUST
• Q&A Session
NCCIC/US-CERT REPORT
Joint Analysis Report (JAR)-15-20098: A Look at the PlugX Malware
• Remote Access Trojan (RAT) used by APT actors to infiltrate the U.S. Government and various industries and sectors.
• The JAR describes changes to the RAT observed over the past year and provides a comprehensive list of indicators of compromise (IOCs).
• Variants of PlugX were used to exfiltrate large quantities of PII.
• Gains significant control of infected hosts, including:
– Remote access
– Full control of system services
– Keystroke logging
Observations Over the Past Year
• No significant changes to the PlugX underlying framework.
• Focus of refinement:
– Feature enhancements; for example, P2P PlugX permits communication with 16 C2 servers and allows P2P communication between infected hosts.
– Producing more packed variants that use the legacy unpacking process.
– Using executables signed by well-known vendors to avoid host-based IDS and AV.
JAR-15-20098 is on the US-CERT Portal at:
• PDF: https://portal.us-cert.gov/member/libraryV3/main.cfm?action=9&returnAction=17&cf=2&st=20098&libid=565702
• STIX (IOCs): https://portal.us-cert.gov/member/libraryV3/main.cfm?action=9&returnAction=17&cf=2&st=20098&libid=565065
Questions? Comments? Contact US-CERT at:
• Email: [email protected]
• Phone: 1-888-282-0870
• Website: www.us-cert.gov
Contact CISCP at: [email protected]
NSS LABS REPORT
Threat Capabilities Report
• NSS observed an increase in command and control activity in the Asia-Pacific region in August compared to July.
• Exploits and attack campaigns primarily targeted Adobe and Internet Explorer.
• Java and Silverlight attacks continued to decline in August.
• The majority of attacks continued to focus on popular enterprise operating systems such as Windows 7 SP1 (80%) and Windows XP SP3 (9%).
Top Targeted Applications and Operating Systems
Application/OS Combination Windows 7 SP1 Windows Vista SP1 Windows XP SP3
Adobe Flash Player 10.0.32.18 • • •
Adobe Flash Player 10.2.152.26 • • •
Adobe Flash Player 11.1.102.62 • • •
Adobe Flash Player 11.4 •
Adobe Flash Player 17.0.0.188 •
Adobe Flash Player 9.0.289 • • •
Adobe Reader 8.1.1 • • •
Internet Explorer 7 • •
Internet Explorer 8 •
Internet Explorer 9 • • •
Top Origin of Threats (Data from August 2015 - NSS Labs)
United States, 51.1%
Russia, 39.5%
Ukraine, 2.6%
China, 2.1%
Romania, 2.1%
Korea, 0.7%
Italy, 0.6%
Hong Kong, 0.5%
Iceland, 0.5%
Netherlands, 0.5%
Action: While it is not feasible to remove access to popular domains in the United States, removing access to e.g. Russia and other countries might be.
Top Command and Control Hosting by Geo Country Rank
United States 1
China 2
Japan 3
Germany 4
South Korea 5
United Kingdom 6
Netherlands 7
France 8
Brazil 9
Portugal 10
Data from August 2015 - NSS Labs
C&C Server Locations & Callback Ports
10 commonly used command and control (C&C) server locations in combination with 10 commonly used callback ports (Data from August 2015 - NSS Labs)
Ports: 80, 443, 6666, 8008, 8080, 82, 8800, 3599, 118, 40017
Brazil • •
China • • • • • •
France • • •
Germany • • •
Japan • • •
Netherlands • •
Portugal •
South Korea • • •
United Kingdom • • •
United States • • • • • • •
Action: Track C&C port behavior to limit data breaches.
Data from August 2015 - NSS Labs
CAWS: All Threats
Data from August 2015 - NSS Labs
CAWS: Top 3 Vendors
Data from August 2015 - NSS Labs
CAWS: Top 5 Applications
Data from August 2015 - NSS Labs
CAWS: Top 10 Applications (Detailed)
ARMOR REPORT
Top Vulnerability Exploits in August and September
ACTION:
• Keep a proactive stance on known vulnerability trends.
• Remediating vulnerabilities removes you from the threat actor’s target list.
Top Attacker Groups for the Last 30 Days
NAME HITS
DD4BC 180
Anonymous 159
GhostSec 46
The Impact Team 22
Lizard Squad 15
Xumuxu 8
Cyber-Berkut 7
Islamic State Hacking Division 6
APT28 Pawn Storm - Tsar Team 5
LulzSec 4
ACTION: Focus threat intelligence on identifying top threat actors and their associated TTPs.
(Slide callouts: some of the attack techniques employed; new threat actor identified.)
Top Malicious C2s Seen in the Last 30 Days NAME HITS
ACTION: Establish honey pots to help fingerprint malicious C2s and proactively block them from your environment.
Tor-Based Attacks on the Rise
Research in the wild shows a steady increase in SQL injection and distributed denial-of-service attacks, as well as vulnerability reconnaissance activity, via the Tor anonymizing service.
Tor, which gives users the ability to mask their identity and location via layers of anonymity, was the platform for some 150,000 attacks and malicious events throughout the US alone so far this year. Most attacks using Tor were waged against IT and communications technology companies, which were hit by more than 300,000 events so far this year, followed by the manufacturing sector, with nearly 250,000 malicious events. Financial services firms (around 160,000), the education sector (more than 100,000), and retail and healthcare providers (under 100,000) were also the victims of malicious Tor-based activity. Read more: http://www.darkreading.com/perimeter/ibm-advises-businesses-to-block-tor/d/d-id/1321910
ACTION: Establish and maintain alerts with threat intelligence providers/subscriptions to block Tor exit nodes. For an example list of Tor exit nodes: https://www.dan.me.uk/torlist/
Incident: unpt Taidoor Related APT
unpt Taidoor associated indicators:
MD5: ECA0EF705D148FF105DBAF40CE9D1D5E
This is most likely a maliciously implanted DLL, which current antivirus products do not detect. The DLL contains the hex content "31 32 37 2E 30 2E 30 2E 31 00 00 00 00 00 00 00 01 00 00 00 26 26 00 00 3C 00 00 00 2F 00 00 00 4D 6F 7A 69 6C 6C 61 2F 34 2E 30".
This malware has previously been observed exclusively in Taidoor-related malware (MD5: AE80F056B8C38873AB1251C454ED1FE9), which was documented in Taiwan. Related targeting was found in the CNFI CONTACTS Excel exploit. Taidoor connects to the C2 domain unpt.defultname.com with the URL http://unpt.defultname.com:443/
This domain is hosted on a server in Brazil.
ACTION: Ensure network security sensors have the appropriate signatures to detect Taidoor indicators.
ACTION: When creating NIDS signatures, have your threat intelligence team keep an eye out for malware variants.
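As an added example (not code from the briefing, US-CERT or Armor), the following Python scans a buffer or file for the exact byte sequence quoted above and lists its printable runs; the sample buffer is constructed and is not a real DLL.

```python
# Added example: scan for the Taidoor DLL byte sequence quoted in the briefing
# and decode its printable parts. SAMPLE is a constructed buffer, not a real DLL.
import re
from pathlib import Path

# Hex content quoted in the briefing for the Taidoor-related DLL.
TAIDOOR_HEX = (
    "31 32 37 2E 30 2E 30 2E 31 00 00 00 00 00 00 00 01 00 00 00 26 26 00 00 "
    "3C 00 00 00 2F 00 00 00 4D 6F 7A 69 6C 6C 61 2F 34 2E 30"
)
TAIDOOR_BYTES = bytes.fromhex(TAIDOOR_HEX)

def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """Return the ASCII runs of at least min_len characters found in blob."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def scan_bytes(data: bytes) -> list:
    """Return every offset at which the full Taidoor byte sequence appears."""
    return [m.start() for m in re.finditer(re.escape(TAIDOOR_BYTES), data)]

def scan_file(path: str) -> list:
    """Scan a file on disk; returns the matching offsets."""
    return scan_bytes(Path(path).read_bytes())

# Constructed sample: an MZ stub and padding around the indicator at offset 66.
SAMPLE = b"MZ" + b"\x90" * 64 + TAIDOOR_BYTES + b"\x00" * 16

if __name__ == "__main__":
    print(printable_strings(TAIDOOR_BYTES))   # ['127.0.0.1', 'Mozilla/4.0']
    print(scan_bytes(SAMPLE))                 # [66]
```

The printable runs decode to 127.0.0.1 and Mozilla/4.0, both common in benign binaries, so a host or network signature should match the full sequence rather than either string alone.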
BRUTPOS POINT-OF-SALE MALWARE TARGETS MAJOR HEALTHCARE PROVIDER, AUTOMOBILE MANUFACTURER, AND POS VENDOR IN THE UNITED STATES
Incident: BrutPOS Point-of-Sale Malware
This incident details indicators associated with a Point-of-Sale (POS) malware campaign targeting large POS vendors as well as the healthcare, manufacturing, and hospitality sectors within the USA. BrutPOS exploits a vulnerability within the remote desktop protocol over port 3389 to gain access to the target system, and then utilizes brute-force password-cracking techniques against the victim’s POS terminal in order to access and harvest customer information.
In some instances, the Ramnit worm has been observed as the initial infection vector, which then downloads the BrutPOS executable.
Command and control addresses for the malware include the following, which are not currently active but may be useful for analysis of historical data or potential future activity:
62.109.16.195 62.113.208.37 92.63.99.157 82.146.34.22
Some malware samples were observed utilizing the same IP address for downloading executable files as well as uploading harvested information, but this is not always the case.
The following MD5 file hashes are associated with the malware:
60C16D8596063F6EE0EAE579F201AE04 95B13CD79621931288BD8A8614C8483F F36889F30B62A7524BAFC766ED78B329 4AED6A5897E9030F09F13F3C51668E92 FADDBF92AB35E7C3194AF4E7A689897C
For additional technical details, please view the report at https://dsimg.ubm-us.net/envelope/364363/391603/MATI%20DeepSight%20Intelligence%20Report%20-%20SYMC%20-%20300195.pdf
(Relationship map for 62.109.16.195)
ACTION: Leverage relationship mapping tools to fingerprint threat actors’ footsteps.
Social Media Hacks
ACTION: Verify your professional network contacts.
THREATSTREAM REPORT
Pirpi Threat Actors
• Tools
– PirpiLite -> Pirpi
– CTT/CTX
– Orthrus
– Pirpi Xmailer
– Pirpi Exploit Framework -> Scanbox
– MANY custom tools
• TTPs – Phishes
• Monthly Pattern – Heavy use of 0-days
• Summary – CVE-2014-1776 – CVE-2015-3113 – CVE-2015-5119 – a/k/a APT3, Gothic Panda, TG-0110
Pirpi Infiltration of Tools
• GUI connection via Pirpi
• Copy Base64 text into Notepad
• Save as .eml
• Double click – opens mail client
• Saved tools run via cmd.exe
Infiltration of Tools – l2t
UserAssist: Notepad + mail client – semi-rare
History for .eml file – extremely rare
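To turn the artifacts above (UserAssist entries for Notepad and a mail client, history for a .eml file, a fresh cmd.exe prefetch) into a triage score over a timeline, here is an added example that is not ThreatStream's or HITRUST's code; the timeline is a constructed, simplified CSV rather than plaso's actual l2t layout, and the user names, paths, client list, window and weights are assumptions.

```python
# Added example (not ThreatStream's or HITRUST's code): scores each user's timeline
# for the Pirpi tool-infiltration pattern described in the briefing.
import csv
from datetime import datetime, timedelta
from io import StringIO
# Constructed, simplified timeline (time,source,user,description); users and paths assumed.
SAMPLE_TIMELINE = """\
2015-08-12 03:14:02,UserAssist,svc_backup,C:\\Windows\\System32\\notepad.exe
2015-08-12 03:15:40,UserAssist,svc_backup,C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE
2015-08-12 03:16:05,RecentDocs,svc_backup,C:\\Users\\svc_backup\\Desktop\\update.eml
2015-08-12 03:17:30,Prefetch,svc_backup,CMD.EXE-4A81B364.pf
2015-08-12 09:02:11,UserAssist,jdoe,C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE
"""
MAIL_CLIENTS = ("outlook.exe", "thunderbird.exe")   # assumed client list
WINDOW = timedelta(minutes=30)                        # assumed correlation window
# Rarity weights from the briefing: mail client after Notepad semi-rare, .eml history extremely rare.
WEIGHTS = {"mail": 2, "eml": 3, "cmd": 1}

def classify(source, desc):
    # Map one timeline row to the artifact kinds the briefing calls out.
    d = desc.lower()
    if source == "UserAssist" and d.endswith("notepad.exe"):
        return "notepad"
    if source == "UserAssist" and d.endswith(MAIL_CLIENTS):
        return "mail"
    if d.endswith(".eml"):
        return "eml"
    if source == "Prefetch" and d.startswith("cmd.exe"):
        return "cmd"
    return None

def parse(text):
    """Return (timestamp, user, kind) for rows that match a tracked artifact."""
    rows = []
    for ts, source, user, desc in csv.reader(StringIO(text)):
        kind = classify(source, desc)
        if kind:
            rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, kind))
    return rows

def score_users(rows):
    """Per user, the best score of any window anchored on a Notepad UserAssist hit."""
    scores = {}
    for start, user, kind in rows:
        if kind != "notepad":
            continue
        seen = {k for t, u, k in rows if u == user and start <= t <= start + WINDOW}
        score = sum(WEIGHTS[k] for k in seen if k in WEIGHTS)
        scores[user] = max(scores.get(user, 0), score)
    return scores
```

Only windows that start with a Notepad UserAssist hit are scored, so a user who merely opens Outlook (jdoe in the sample) produces no alert while the full Notepad, mail client, .eml, cmd.exe chain scores 6.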
Lateral Movement via CTT/CTX
• Normal Windows lateral movement leaves:
– Security event log entries
– User profile creation
• Using 3rd-party access tools leaves less evidence behind
CTT evidence
CTT evidence - PreFetch
(Slide callouts: CTT prefetch; new CMD prefetch)
CTT evidence – AppCrash Errors
Lots of AppCrash errors
Beyond the Indicator – Lateral Movement: Beyond the Norm
https://hitrustctx.threatstream.com/tip/1245
HITRUST CSF CONTROLS
Common attack vectors related to HITRUST CSF Controls
• CSF Control for Vulnerability Patching (Top Exploits)
– Control Reference: *10.m Control of technical vulnerabilities
• Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.
• Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within
Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.
Common attack vectors related to HITRUST CSF Controls
• CSF Control for network segmentation (Command and Control)
– Control Reference: 01.i Policy on the use of Network Services
• Control Text: Users shall only be provided with access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied for users and equipment.
• Implementation Requirement: The organization shall specify the networks and services to which users are authorized access. (default deny on firewall/ACL)
Common attack vectors related to HITRUST CSF Controls
• CSF Control for Phishing (password/credential compromise)
– Control Reference: 01.f Password Use
• Control Text: Users shall be made aware of their responsibilities for maintaining effective access controls and shall be required to follow good security practices in the selection and use of passwords and the security of equipment.
• Implementation Requirement: Users are made aware of the organization’s password policies and requirements to keep passwords confidential, select quality passwords, use unique passwords, not provide their password to anyone for any reason, and change passwords when there is suspected compromise.
Common attack vectors related to HITRUST CSF Controls (CERT/CISCP Slide)
• CSF Control for Dropper tools dropping basic Backdoors / RATs
– Control Reference: 09.j Controls Against Malicious Code
• Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.
• Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.
Q&A SESSION
Visit www.HITRUSTAlliance.net for more information
To view our latest documents, visit the Content Spotlight