Threat Landscape

John Shier Sr. Security Advisor @john_shier

November 2016

Top detections: Benelux

3

Infected archiveJS downloader/trojanConfickerJS downloader/emailActiveX/IE vulnVBS downloaderLNK/AutoIT wormPhishingGenericVBS LNK/JenxcusLNK/BundpilCallhome

What are we facing?

4

Phishing

How not to phish

6

How not to phish

7

http://[IP ADDRESS]/fcid/6a6f686e2e736869657240736f70686f732e636f6d/

Modern phishing

8

Modern phishing

9

Modern phishing

10

Modern phishing

11

Modern phishing

12

Modern phishing

13

HD phishing

14

Locally targeted

15

Malvertising

RTB Ad network Third party

Malvertising threat chain

No site is immune

19

Exploit kits

20

A decade of misery

21

2006 2013 2016

Exploits as a Service

22

Initial Request

Victims

Exploit Kit Customers Redirection

Malicious Payloads

Stats

Landing Page

Exploits

Payloads

Get Current Domain

Get Stats

Update payloads

Management Panel Malware Distribution Servers

Gateway Servers

VPN

Exploit Kit Admin Spammer/Malvertiser Exploit merchant

Ransomware author

EK prominence – October 2016

23

RIG

Nuclear

Chinese EK

Da Gong/Gondad

Angler

Fiesta

Neutrino v2

Other

Mirai

What we know, by the numbers

•550,000 compromised devices

•9 different architectures

•Attacking tcp/23,2323

•80% are DVRs

•24% overlap w ith ‘ gafgyt’

•10% attacked Dyn

•10/1/2016 source code released

25

Mirai infrastructure

26

src: http://blog.level3.com/security/grinch-stole-iot/

scanner.c

27

attack.go, attack.h

28

Use the (brute) force

29

Who’s to blame?

src: https://krebsonsecurity.com/wp-content/uploads/2016/10/iotbadpass-pdf.png

30

31

src: http://www.geekculture.com/joyoftech/joyarchives/1947.html

Document malware

32

Why does document malware work?

33

•Out of the spotlight

•Familiarity and trust

•Email as file transfer protocol

•Patching failure

•Call to action

Curiosity infected the cat

34

Build Your Own

35

How to protect against document malware?

36

•Email filtering

•Sandbox

•Cloud services

•Document viewers

•Share files differently

Data stealing malware

37

Why does data stealing malware work?

38

•Multiple security failures

•Needs a human actor

•Poor network segregation

•Over privileged users

•Poor outbound filtering

•Unknown baseline

How does data stealing malware work?

39

Target(ed) exfiltration

40

How to protect against data stealing malware?

41

•Multiple security failures

•Needs a human actor

•Poor network segregation

•Over privileged users

•Poor outbound filtering

•Unknown baseline

Ransomware

42

Why does ransomware work?

43

•Complex threat chain

•Social Engineering

•No need for persistence

•Uses existing tools

•Geographically targeted, locally customized

•It ’s your data

Locky/Zepto/Odin

44

Locky/Zepto/Odin

45

CryptoWall 4.0

46

Zcrypt

47

Stampado/Philadelphia

48

49

Ransomware Bitcoin

50

•Convenient

•Anonymous

•Laundered

•Openly criminal

6 tips for preventing ransomware

51

1. Back up your files regularly and keep them offline

2. Don’t enable m acros in em ailed docs

3. Tell Windows to show file extensions

4. Don’t open script or shortcut files sent by em ail

5. Don’t give yourself m ore login power than necessary

6. Patch early, patch often

52

Users

53

It ’s n o t a ll b a d n e w s

54

•Social engineering works

•People like to help

•Stop worrying about the Nigerians

•OSINT

•Training isn’t the only answ er

•Create a security culture

•Use your remote sensors