Lots of Squats: APTs Never Miss Leg Day

Kyle Ehmke, ThreatConnect

CanSecWest (CSW2017), March 17, 2017 (slides posted Mar 21, 2017)

© 2016 ThreatConnect, Inc. All Rights Reserved | All material confidential and proprietary | @ThreatConnect
Transcript
Page 1

Lots of Squats: APTs Never Miss Leg Day

March 17, 2017

Page 2

Agenda

• Spoofed domains

• Notable breaches

• Tools

• Strategic view of spoofed domain registrations

• Tactical view

• Conclusions

Page 3

The First Look Vulnerability

Rescuing Leia

• Because everything has a Star Wars corollary

Spoofed domains

• Exploit the inherent and immediate trust that we place in the familiar

• Target the organization itself, or another organization or technology pertinent to the operation

Types

• Typosquats

• Look alikes

• Letter swaps

• Sticky keys

Page 4

Pop Quiz Example

A) gooqle.com

B) googIe.com

C) qoogle.com

D) gcogle.com

Page 5

Pop Quiz Example

Use a lowercase "q" in place of a "g":

gooqle.com

qoogle.com

Page 6

Pop Quiz Example

Use a "c" in place of an "o":

gcogle.com

Page 7

Pop Quiz Example

Use an uppercase "I" in place of a lowercase "l" (DNS is case-insensitive, so the registered name is googie.com; the uppercase "I" only survives in the rendered link text):

googIe.com
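The four spoof classes from the Types list (typosquats, look-alikes, letter swaps, sticky keys) and the pop-quiz substitutions, as an added Python example. This is not code from the talk and not dnstwist or urlcrazy, which implement far larger permutation sets; it generates each class for a legitimate domain and tells you which class a candidate falls into. The homoglyph table, the class names and the single-label-TLD assumption in split_domain are the example's own choices.

```python
"""
Generate the spoofed-domain classes the talk describes for one legitimate
domain, and classify a candidate by the class it belongs to.

Added example (not the talk's code). Class names, the homoglyph table and
the single-label-TLD assumption are this example's own.
"""
from __future__ import annotations

import string

# Visually similar replacements that still form a valid hostname. The quiz
# uses q for g, c for o and uppercase I for lowercase l; DNS folds case, so
# uppercase I is stored here as the lowercase i it resolves as.
HOMOGLYPHS: dict[str, tuple[str, ...]] = {
    "g": ("q",),
    "o": ("c", "0"),
    "l": ("i", "1"),
    "i": ("l", "1"),
    "e": ("3",),
    "a": ("4",),
    "s": ("5",),
    "m": ("rn",),
    "w": ("vv",),
}


def split_domain(domain: str) -> tuple[str, str]:
    """'google.com' -> ('google', 'com'). Assumes a single-label TLD."""
    label, _, tld = domain.strip().lower().rstrip(".").rpartition(".")
    if not label or not tld:
        raise ValueError(f"expected label.tld, got {domain!r}")
    return label, tld


def spoof_labels(label: str) -> dict[str, set[str]]:
    """All single-edit variants of `label`, keyed by spoof class."""
    n = len(label)
    out: dict[str, set[str]] = {
        "typosquat": set(), "sticky-keys": set(), "letter-swap": set(), "look-alike": set(),
    }
    # typosquat: one character dropped, or one extra letter typed anywhere
    for i in range(n):
        out["typosquat"].add(label[:i] + label[i + 1:])
    for i in range(n + 1):
        for ch in string.ascii_lowercase:
            out["typosquat"].add(label[:i] + ch + label[i:])
    # sticky keys: a key held too long, so one character is doubled
    for i in range(n):
        out["sticky-keys"].add(label[:i] + label[i] + label[i:])
    # letter swap: two adjacent characters transposed (misdepatrment)
    for i in range(n - 1):
        out["letter-swap"].add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # look-alike: one character replaced by a homoglyph (gooqle, gcogle, googIe)
    for i, ch in enumerate(label):
        for glyph in HOMOGLYPHS.get(ch, ()):
            out["look-alike"].add(label[:i] + glyph + label[i + 1:])
    for variants in out.values():
        variants.discard(label)  # swapping two identical letters yields the original
    return out


def spoof_domains(domain: str) -> dict[str, set[str]]:
    """Full spoof domains for `domain`, keeping its own TLD."""
    label, tld = split_domain(domain)
    return {cls: {f"{v}.{tld}" for v in variants} for cls, variants in spoof_labels(label).items()}


def classify(legit: str, candidate: str) -> list[str]:
    """Spoof classes (sorted) that produce `candidate` from `legit`; [] if none.

    Only the registrable label is compared; a TLD swap (.co for .com) is not
    covered by these four classes.
    """
    legit_label, _ = split_domain(legit)
    cand_label, _ = split_domain(candidate)
    if cand_label == legit_label:
        return []
    return sorted(cls for cls, variants in spoof_labels(legit_label).items() if cand_label in variants)


if __name__ == "__main__":
    for quiz in ("gooqle.com", "googIe.com", "qoogle.com", "gcogle.com"):
        print(f"{quiz:12} -> {classify('google.com', quiz)}")
    print("misdepatrment.com ->", classify("misdepartment.com", "misdepatrment.com"))
    print("actblues.com      ->", classify("actblue.com", "actblues.com"))
    total = sum(len(v) for v in spoof_domains("google.com").values())
    print(f"{total} candidate spoofs of google.com to feed into registration monitoring")
```

The two DNC/DCCC domains from later in the talk fall out of the same classes: misdepatrment[.]com is a letter swap of misdepartment and actblues[.]com is an inserted character, so a daily diff of new registrations against spoof_domains() for the names you care about catches both kinds before they are used.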

Page 8

Advanced Persistent Threats (APTs)

Everybody's doing it

• China

• Russia

Why

• Relatively cheap

• Easy to do

• Effective

• Can obfuscate origin

Operations

• Delivery

• Exploitation

• Command and control

Notable breaches

• Anthem/BCBS entities

• OPM

• DNC/DCCC

Operation types

• Credential harvesting

• Malware dissemination

Page 9

Notable Breaches

China – DEEP PANDA

Anthem/BCBS

• we11point[.]com

• prennera[.]com

• Chinese registrant resellers

OPM

• opm-learning[.]org

• opmsecurity[.]org

• The Avengers registrants

Russia – FANCY BEAR

DNC/DCCC

• misdepatrment[.]com

• actblues[.]com

• Fake personas

Page 10

So What?

Has become a TTP

• Specific actors employing spoofing against specific sectors

• There is a trend to look for

Domain registration precedes the operation

• Timeline varies

Operationalize domain registration information

• WHOIS as threat intelligence

Page 11

We're Not Playing Whack-a-Mole

Simply reacting on a one-off basis won't suffice

• Active state

• Predictive state

Leveraging domain registrations as threat intel

• Higher-level strategic intelligence: informs organizational or sector awareness

• In-depth tactical intelligence: provides situational awareness during incidents

Operationalize domain registration information

• Trends in spoofed domain registrations

• Identifying and leveraging APT TTPs

Page 12

Tools of the Trade

dnstwist and urlcrazy

• Open source

• Identify spoofed domains for a given domain

DomainTools

• WHOIS

• Typo Finder

• Reverse NS Lookup

• Iris

Page 13

Domain Registrations as Strategic Intel

Page 14

Trends in Registrations

Process

• Identify all domains registered during a given timeframe that spoof the provided domains

• Get WHOIS information for all domains

• Registrant, registrar, create date, registrant email address, country of origin

• Used Excel

• Remove legitimate registrations where possible

• Investigate WHOIS information to identify trends or patterns

• Correlate possible spikes in activity to current events

Hypothesis

• Keeping track of all of the spoofed domains targeting a given organization or sector can help identify potential activity against that organization or sector.
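The process above (collect the window, pull WHOIS, remove legitimate registrations, baseline the monthly counts, flag spikes, break a spike down by registrant country and recurring registrant) as an added Python example; it is not the talk's own code or its Excel workbook. The WHOIS rows are constructed for the fictitious examplepharma.com and are not real registrations; the column names, the two allow-lists and the spike rule (a month is a spike at three or more registrations and at least three times the median month) are this example's assumptions.

```python
"""
Strategic view: monthly baseline of spoofed-domain registrations for one
organisation, with the organisation's own registrations and known false
positives removed, and months that spike above baseline flagged.

Added example (not the talk's code). Data, column names, allow-lists and
the spike rule are assumptions.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from statistics import median

# Constructed WHOIS-style export for the fictitious examplepharma.com.
WHOIS_CSV = """\
domain,created,registrar,registrant_email,registrant_country
examp1epharma.com,2016-01-12,Registrar A,a1@example.net,US
exarnplepharma.com,2016-03-03,Registrar B,b7@example.net,CN
examplepharrna.com,2016-04-02,Registrar B,qq-user-1@example.net,CN
examplepharma-hr.com,2016-04-05,Registrar C,qq-user-1@example.net,CN
exampleparma.com,2016-04-07,Registrar B,qq-user-2@example.net,CN
examplephama.com,2016-04-11,Registrar D,zz@example.net,US
exampIepharma.com,2016-04-19,Registrar B,qq-user-3@example.net,CN
examplepharma-login.com,2016-04-22,Registrar A,mm@example.net,US
examplepharma.net,2016-04-25,Registrar E,domains@examplepharma.com,US
examplepharma.info,2016-04-26,Registrar E,domains@examplepharma.com,US
examplepharma.org,2016-06-14,Registrar E,domains@examplepharma.com,US
examplepharmacy.com,2016-06-20,Registrar A,pharm@example.net,US
examplephaarma.com,2016-08-09,Registrar C,c3@example.net,US
examplepharma-update.com,2016-11-30,Registrar B,qq-user-1@example.net,CN
"""

ORG_EMAIL_DOMAINS = {"examplepharma.com"}  # the org's own registrant mailboxes
KNOWN_BENIGN = {"examplepharmacy.com"}      # a lilly.com-style inherent false positive
MIN_COUNT = 3   # never call a month a spike on fewer registrations than this
FACTOR = 3      # ...or on fewer than this multiple of the median month


def load_records(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def remove_legitimate(records: list[dict[str, str]]) -> list[dict[str, str]]:
    """Drop the organisation's own registrations and the known false positives."""
    kept = []
    for r in records:
        mailbox_domain = r["registrant_email"].rpartition("@")[2].lower()
        if mailbox_domain in ORG_EMAIL_DOMAINS or r["domain"].lower() in KNOWN_BENIGN:
            continue
        kept.append(r)
    return kept


def monthly_counts(records: list[dict[str, str]], year: int) -> dict[str, int]:
    """Registrations per calendar month, with empty months kept at zero."""
    counts = {f"{year}-{m:02d}": 0 for m in range(1, 13)}
    for r in records:
        key = r["created"][:7]
        if key in counts:
            counts[key] += 1
    return counts


def find_spikes(counts: dict[str, int]) -> list[str]:
    baseline = median(counts.values())
    threshold = max(MIN_COUNT, FACTOR * baseline)
    return [month for month, c in counts.items() if c >= threshold]


def country_breakdown(records: list[dict[str, str]], month: str) -> Counter:
    return Counter(r["registrant_country"] for r in records if r["created"].startswith(month))


def recurring_registrants(records: list[dict[str, str]], min_domains: int = 2) -> dict[str, int]:
    """Registrant emails seen on several spoofs: the handles worth tracking."""
    seen = Counter(r["registrant_email"].lower() for r in records)
    return {email: n for email, n in seen.items() if n >= min_domains}


def analyze(text: str = WHOIS_CSV, year: int = 2016) -> dict:
    records = remove_legitimate(load_records(text))
    counts = monthly_counts(records, year)
    spikes = find_spikes(counts)
    return {
        "records": records,
        "counts": counts,
        "spikes": spikes,
        "by_country": {m: country_breakdown(records, m) for m in spikes},
        "recurring": recurring_registrants(records),
    }


if __name__ == "__main__":
    result = analyze()
    for month, count in result["counts"].items():
        flag = "  <-- spike, correlate with that month's news" if month in result["spikes"] else ""
        print(f"{month}: {count}{flag}")
    for month, countries in result["by_country"].items():
        print(f"{month} by registrant country: {dict(countries)}")
    print("recurring registrants:", result["recurring"])
```

Two of the caveats from later in the talk are visible in the output: examplepharmacy.com is the lilly.com problem (a real word that contains the brand) and has to be allow-listed by hand, and the spike is only a prompt to go look at what happened to the organisation that month, not evidence of an intrusion on its own.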

Page 15

Organizational Example

Research

• Spoofed domains targeting Anthem BCBS legitimate domains

• 10 domains/organizations

Anthem BCBS Identified

• Over 1400 spoofed domains

• Over 280 in 2015

• 59 of which came from China

Pages 16-18

[Chart, built up across three slides: Number of Spoofed Domain Registrations from China Targeting BCBS Entities, 2015. The monthly figures are not in the transcript.]

Page 19

Sector Example

Research

• Spoofed domains targeting six major pharmaceutical companies

Pharmaceutical Industry Identified

• Over 2000 spoofed domains

• 304 in 2015

• At least 70 from China

Page 20

Findings

Novartis – March 2015

• Three spoofed domains in March

• FDA approves first biosimilar drug

• Beijing lifts price controls on pharmaceuticals

Lilly – November 2015

• Eight spoofed domains in October

• Twelve in November

• Eli Lilly and China's Innovent expand partnership

• FDA approves cancer drug

Sanofi – April 2016

• Twelve spoofed domains in April

• Two in the rest of 2016

• Bids for Medivation

• Eczema drug clears trials

Page 21

What Does This Mean for an Org/Sector?

Spikes in registration activity

• Potentially portend malicious activity

• Necessitate heightened awareness

• May not be malicious

• May be related to non-cyber events

• Situational awareness for sectors

WHOIS

• Registrants, email addresses for tracking

• Identify other domains that individuals targeting your organization register

Helps identify threats

• Consistencies with previously identified APTs

• Capabilities, TTPs, and other infrastructure to be aware of

Page 22

Domain Registrations as Tactical Intel

Page 23

Pivoting from One Spoofed Domain to Others

Process

• Identify a spoofed domain that is particularly suspicious or has been leveraged in malicious activity

• Get WHOIS and/or SOA information for the domain

• Registrant, registrar, create date, registrant email address, country of origin, name server, etc.

• Identify the most unique registration information

• Pivot to other domains using the most unique registration information

Hypothesis

• WHOIS information for an encountered spoofed domain can help us identify an actor's other spoofed domains that may be leveraged against the same or other targets.
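The pivot process above as an added Python example, not the talk's own code or DomainTools output: it scores each WHOIS/SOA attribute of a seed domain by how many domains in the corpus share that value, pivots only on values rare enough to be meaningful (a name server carrying ~2500 domains is not a pivot on its own), and ranks candidate domains by a rarity-weighted confluence of shared attributes, which is the "confluence of WHOIS information" idea from the tactical summary. The corpus is constructed and fictitious (.test domains, invented registrars, mailboxes and name servers); the MAX_SHARED cut-off and the 1/count weighting are this example's assumptions.

```python
"""
Tactical view: from one spoofed domain, find the registrant's other domains
by pivoting on its rarest WHOIS/SOA attributes and ranking candidates by a
rarity-weighted confluence of shared attributes.

Added example (not the talk's code). Corpus, MAX_SHARED and the weighting
are assumptions.
"""
from __future__ import annotations

import csv
import io
from collections import Counter, defaultdict

# Constructed, fictitious WHOIS/SOA corpus: one seed spoof, two more domains
# on the same registrant mailbox, a bulk name server shared by unrelated
# shops, and a small name server shared by a mix.
CORPUS_CSV = """\
domain,created,registrar,registrant_email,name_server
misdept-corp.test,2016-03-15,Registrar A,ops.seed@example.net,ns1.bulkdns.test
donate-portal-s.test,2016-06-15,Registrar A,ops.seed@example.net,ns1.bulkdns.test
intel-support-ctr.test,2016-04-01,Registrar B,ops.seed@example.net,ns1.smalldns.test
fastcontech-like.test,2016-04-02,Registrar A,u4@example.net,ns1.smalldns.test
shop-one.test,2016-01-10,Registrar A,u5@example.net,ns1.bulkdns.test
shop-two.test,2016-01-11,Registrar A,u6@example.net,ns1.bulkdns.test
shop-three.test,2016-01-12,Registrar A,u7@example.net,ns1.bulkdns.test
shop-four.test,2016-01-13,Registrar A,u8@example.net,ns1.bulkdns.test
shop-five.test,2016-01-14,Registrar A,u9@example.net,ns1.bulkdns.test
shop-six.test,2016-01-15,Registrar A,u10@example.net,ns1.bulkdns.test
blog-seven.test,2016-02-01,Registrar C,u11@example.net,ns1.smalldns.test
blog-eight.test,2016-02-02,Registrar B,u12@example.net,ns2.other.test
"""

ATTRIBUTES = ("registrar", "registrant_email", "name_server", "created")
MAX_SHARED = 5  # a value shared by more domains than this is too common to pivot on alone


class WhoisCorpus:
    def __init__(self, text: str) -> None:
        self.records = {r["domain"]: r for r in csv.DictReader(io.StringIO(text))}
        # how many domains carry each value, and which ones
        self.counts = {a: Counter(r[a] for r in self.records.values()) for a in ATTRIBUTES}
        self.index: dict[str, dict[str, set[str]]] = {a: defaultdict(set) for a in ATTRIBUTES}
        for domain, r in self.records.items():
            for a in ATTRIBUTES:
                self.index[a][r[a]].add(domain)

    def pivotable(self, domain: str) -> list[tuple[str, str, int]]:
        """(attribute, value, share count) for `domain`, rarest first.

        A count of 1 links to nothing; a count above MAX_SHARED is noise.
        """
        r = self.records[domain]
        found = [(a, r[a], self.counts[a][r[a]]) for a in ATTRIBUTES]
        return sorted((t for t in found if 1 < t[2] <= MAX_SHARED), key=lambda t: t[2])

    def pivot(self, domain: str) -> dict[str, set[str]]:
        """Other domains reachable from each pivotable attribute of `domain`."""
        r = self.records[domain]
        return {a: self.index[a][r[a]] - {domain} for a, _, _ in self.pivotable(domain)}

    def rank_related(self, domain: str) -> list[tuple[str, float]]:
        """Confluence score: each shared attribute adds 1/(number of domains sharing it)."""
        r = self.records[domain]
        scores: dict[str, float] = defaultdict(float)
        for a in ATTRIBUTES:
            n = self.counts[a][r[a]]
            for other in self.index[a][r[a]]:
                if other != domain:
                    scores[other] += 1.0 / n
        return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    corpus = WhoisCorpus(CORPUS_CSV)
    seed = "misdept-corp.test"
    print(f"pivotable attributes of {seed}: {corpus.pivotable(seed)}")
    first_hop = corpus.pivot(seed)
    print("first hop:", first_hop)
    for linked in sorted(set().union(*first_hop.values())):
        print(f"  second hop from {linked}: {corpus.pivot(linked)}")
    print("ranked by confluence:", corpus.rank_related(seed)[:3])
```

The second hop from intel-support-ctr.test shows why the ranking matters: its name server is shared by only three domains, so it is pivotable, but one of the three (blog-seven.test) shares nothing else with the seed and scores zero, while donate-portal-s.test shares mailbox, registrar and name server and comes out on top.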

Page 24

DNC and DCCC Attacks

DNC

• CrowdStrike analysis from mid June 2016

• Identified a FANCY BEAR IP address

• ThreatConnect identified misdepatrment[.]com

• Spoofs "MIS Department"

DCCC

• Reporting from mid July identified that the same actors compromised the DCCC

• Used a spoofed domain targeting the donation website

• Fidelis identified actblues[.]com vs. actblue[.]com

• Registered the day after the DNC attack was publicized

Page 25

WHOIS/SOA Information for FANCY BEAR Domains

[WHOIS/SOA record screenshots for misdepatrment[.]com and actblues[.]com; the field values are not in the transcript]

Pages 26-30

What Can We Pivot from that is Unique?

misdepatrment[.]com

actblues[.]com

Domains reached by the pivot (revealed across five slides):

• httpconnectsys[.]com

• fastcontech[.]com

• intelsupportcenter[.]com

• intelsupportcenter[.]net

Page 31

Name Servers

Domains4Bitcoins (1a7ea920.bitcoin-dns.hosting)

• Bitcoins

• ~2500 domains

• Previous associations to FANCY BEAR:

• militaryobserver[.]net

• sysprofsvc[.]com

• euronews24[.]info

• naoasch[.]com

• storsvc[.]org

ITitch (ns1.ititch.com)

• Bitcoins

• ~2100 domains

Page 32

Hundreds of Spoofed Domains on Name Servers

• access-google[.]com
• actblues[.]com
• adobeflashdownload[.]de
• adobeflashplayer[.]me
• adobeflashplayer[.]space
• adobeupdater[.]org
• adobeupdatetechnology[.]com
• adoble[.]net
• akamaitechnologysupport[.]com
• akamaitechupdate[.]com
• appclientsupport[.]ca
• appleappcache[.]com
• appleauthservice[.]com
• applerefund[.]com
• archivenow[.]org
• bbcupdatenews[.]com
• bit-co[.]org
• bitsdelivery[.]com
• buy0day[.]com
• cdn-google[.]com
• cdncloudflare[.]com
• cloudfiare[.]com
• dynamicnewsfeeds[.]com
• ebiqiuty[.]com
• egypressoffice[.]com
• eigsecure[.]com
• facebook-profiles[.]com
• flashplayer2015[.]xyz
• goaarmy[.]org
• govsh[.]net
• great-support[.]com
• hackborders[.]net
• helper-akamai[.]com
• honeyvvell[.]co
• intelintelligence[.]org
• intelsupportcenter[.]com
• intelsupportcenter[.]net
• login-hosts[.]com
• logmein-careservice[.]com
• marshmallow-google[.]com
• micoft[.]com
• microsoft-updates[.]me
• mofa-uae[.]com
• ms-drivadptrwin[.]com
• ms-sus6[.]com
• ms-updates[.]com
• nato-org[.]com
• natoadviser[.]com
• new-ru[.]org
• newflashplayer2015[.]xyz
• passwordreset[.]co
• pdf-online-viewer[.]com
• sec-verified[.]com
• securesystemwin[.]com
• securityresearch[.]cc
• services-gov[.]co[.]uk
• social-microsoft[.]com
• socialmedia-lab[.]com
• symantecupdates[.]com
• terms-google[.]com
• theguardiannews[.]org
• theguardianpress[.]com
• thehufflngtonpost[.]com
• vortex-sandbox-microsoft[.]com
• vpssecurehost[.]com
• win-wnigarden[.]com
• wincodec[.]com
• windowsnewupdated[.]com
• winliveupdate[.]top
• winninggroup-sg[.]com
• wm-z[.]biz
• wmepadtech[.]com
• wsjworld[.]com
• yourflashplayer[.]xyz

Page 33

Subset for 1&1 Email Domains

Domains4Bitcoins (1a7ea920.bitcoin-dns.hosting)

• akamaitechnologysupport[.]com
• akamaitechupdate[.]com
• micoft[.]com
• ms-drivadptrwin[.]com
• ms-sus6[.]com
• securesystemwin[.]com
• wmepadtech[.]com
• natoadviser[.]com
• theguardiannews[.]org
• wsjworld[.]com

ITitch (ns1.ititch.com)

• bitsdelivery[.]com
• apptaskserver[.]com
• aptupdates[.]org
• contentupdate[.]org
• defenceglobaladviser[.]com
• dowssys[.]com
• gmailservicegroup[.]com
• i-aol-mail[.]com
• msmodule[.]net
• officeupdater[.]com
• systemsv[.]org
• updmanager[.]net

Page 34

What Does This Mean for an Org/Sector?

Relevant threat intelligence

• During incidents

• Actor pivoting

• Historical registrations for reviewing previous activity

WHOIS

• Identify other domains that individuals targeting your organization register

Future tracking

• Registrant email addresses

• Name servers

• Confluence of WHOIS information

Page 35

Caveats

Findings merit additional research

• Spoofed domains are not necessarily malicious

• Tracking domains may help identify if/when they are operationalized

• Hosting information

• Slice and dice the WHOIS

Legitimate domains

• Some domains, like lilly.com, inherently have false positives

• Baseline activity to identify spikes

• Also requires an understanding of your organization's assets

Importance of sharing

• Impossible to do this type of research for all of the organizations/technologies that your organization may be involved with

• Sharing intelligence derived from this type of research facilitates other organizations' defensive efforts

Page 36

Conclusions

Leverage intelligence from spoofed domain registrations

Not cost prohibitive

• Lower amount of resources

• Some tools openly available

Strategic and tactical research

• Focuses on a common TTP

• Provides situational and tactical awareness

Helps defend your organization and others

• Sharing is caring

• Cyber security karma

Page 37

THANK YOU!

© 2016 ThreatConnect, Inc. All Rights Reserved

Blog: threatconnect.com/blog

Twitter: @ThreatConnect

Sign up for a free account: www.threatconnect.com/free