Cyphort Labs Security Threat Analysis Report: Vandelay Industries, Q2 2017

Source PDF: go.cyphort.com/rs/181-NTN-682/images/Cyphort-POC-Q2-2017.pdf
Posted: May 29, 2020

About this Report

The Cyphort security research team continuously monitors advanced threats around the world, delivering security intelligence to help you adjust your posture for ongoing advanced threat defense. Customers in active POC (Proof-of-Concept) deployments receive a threat summary report, prepared on the customer's behalf, toward the end of the POC period.

Because we believe that strong visibility and awareness go a long way toward a strong defense posture, we consolidated the findings for broader distribution and benefit as part of the Cyphort Anti-SIEM.

This report is designed to provide a more comprehensive view of significant threat incidents discovered over an extended period of time, typically several weeks, so that traffic fluctuation associated with time-of-day activity patterns is accounted for. It covers the whole spectrum of alerts: serious threats, suspicious activities and adware, and any instance of noisy alerts. It contains:

• Visibility stats that shed light on what types of files, at what volume and through which agents (e.g. a human browsing the web vs. automated programs), are being moved across the customer network.

• Advanced details on selected threats and malware objects, based on deep-dive research conducted by Cyphort threat researchers to reveal attack payloads, threat intent, and other threat indicators.

Key Findings

Malware Detected | Threat Category | Detection Location     | Detection Date | Potential Business Implications
Cerber           | Ransomware      | Engineering, LA Office | 4/3/17         | Product source code exposed to encryption and extortion
Fareit           | InfoStealer     | Sales, NY Office       | 4/16/17        | Salesforce credentials exposed to leakage

Web Traffic Monitoring

Metrics
Peak Traffic Monitored: 1.2 Gbps
Objects Analyzed: 6,383,872
Hosts Monitored: 5,387
Threats Detected: 57
High Risk Hosts Identified: 12

Email Monitoring

Metrics
Emails Monitored: 56,456
URLs Analyzed: 11,653
Attachments Analyzed: 5,387
Threats Detected: 145
High Risk Accounts Identified: 34

Anti-SIEM Customer Value

Zero Day Detection of Malware

Obfuscated JavaScript (MD5 01eed9bab2d71724df2eb80dec61733e): ransomware downloader
• First Cyphort detection: 2017/01/03
• File still not available on VirusTotal

Cyphort Detects Threats Early

Malware MD5                      | Malware Name         | Ahead of VirusTotal by | Business Implications
59bff0a38a04c372e4896a4fb2eea8fb | CryptXXX ransomware  | 2.5 hours              | Fill In
85289e698f34e717ac964210623a704f | Trojan Win32-Skeeyah | 26 hours               | Fill In
2954e5222920daa142bf699186c0f0be | Adware               | 7.5 hours              | Fill In
26b2b4089bd56a44c6fceda9083f04b0 | TrojanSpy Selltim    | 9 hours                | Fill In
5e1e886b7d427865c01e43bd0f29ce17 | Trojan VB Kryjetor   | 24 hours               | Fill In

Proof-of-Concept Report: Testing Results

Proof-of-Concept Scope

Core Deployment: NY datacenter, virtual
Collector Deployment (incl. E-mail Collector): LA & NY egress SPAN ports
Integrations: Syslog to Splunk
Duration: 3/1/17 - 4/30/17
Weekly Peak Traffic: 1.2 – 1.5 Gbps
Weekly Peak E-mails: 42,000 – 49,000

Traffic Statistics

[Chart: Daily Unique IPs, y-axis 0 to 6,000, x-axis 2016-11-21 to 2017-02-20]
[Chart: Weekly Peak Traffic (Mbps), y-axis 0 to 1,200, x-axis 2016-11-14 to 2017-02-20]

Traffic Totals
Peak Traffic: 977 Mbps
Peak Unique IPs: 5,364

Email Statistics

[Chart: Daily Unique Recipients, y-axis 0 to 6,000, x-axis 2016-11-21 to 2017-02-20]
[Chart: Weekly Email Count, y-axis 0 to 1,200, x-axis 2016-11-14 to 2017-02-20]

Email Totals
Peak Emails/Week: 977
Peak Unique Recipients: 5,364

Most Significant Threat Detections

Threat Name        | Detection Locations & Count        | Business Implications

Critical Severity
Cerber Ransomware  | Eng / LA Office (1), SF Office (1) | Product source code exposed to encryption and extortion
Fareit InfoStealer | Sales / NY Office (3)              | Salesforce credentials exposed to leakage

Medium Severity
Webtoolbar Adware  | Multiple orgs, NY & LA & SF        | Bad hygiene may lead to more serious infections

Threat Types - Web

Malware Types (chart legend): Adware, Ransomware, Trojan downloader, Info Stealer
Malware File Types (chart legend): Executable, Zip files

Threat Types - Email

Threat Types (chart legend): Adware, Ransomware, Trojan downloader, Info stealer
Threat File Types (chart legend): Executable, Zip files

Threat Origins

Top Countries (DL or IN)
China: 34
Russia: 23

File Statistics by Operating System

Objects Analyzed (chart legend): MacOS, Apple iOS, Windows, Undetermined, ChromeOS, Linux, Android, Debian

Threat Analysis
Name: Cerber
Category: Ransomware

• Cerber is distributed through exploit kits and phishing mails.
• The threat encrypts documents and images and asks for ransom money.
• Cerber is currently the most prevalent ransomware.

Threat insight: https://www.cyphort.com/threat-insights/cerber-ransomware/

Malware Analysis
Name: Fareit
Category: InfoStealer

Fareit is a password-stealing Trojan that targets login credentials for websites and FTP servers stored in web browsers and FTP client software on the infected computers.

Payload analysis:

• On execution it creates the following registry key:
  Key: HKU\Software\WinRAR
  HWID: {B60FBD1C-5BDF-41BE-A27E-6FB5584B9D1B}
• It tries to retrieve the stored website passwords (in cookies) from the most popular browsers: Firefox, Internet Explorer, Opera, Chrome.
• Fareit also tries to steal server names (IP addresses) and login credentials from the following FTP client software: FTP Commander, CuteFTP, FTP++, FTP Explorer, FileZilla, WinSCP, Total Commander, Windows Commander, WebDrive.
• It then sends all the collected information to a remote server, fnijatodn.cz.cc.
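The indicators this report lists (the MD5 hashes on the "Zero Day Detection" and "Cyphort Detects Threats Early" pages, and the Fareit C2 host and registry marker in the payload analysis above) are only useful once they are run against the customer's own telemetry. The Python sweep below is an added example, not Cyphort's code and not part of the original report: it matches the report's MD5s against an endpoint hash export, the C2 host against proxy log lines, and the HWID marker against a registry export. The proxy log layout (src=/dst= fields), host names, file paths, the benign placeholder hash and the registry export are all constructed for the example. It also assumes that the HWID value, rather than the WinRAR key itself (which a legitimate WinRAR install also creates), is what marks a Fareit infection.

```python
"""IOC sweep from this report's indicators: the MD5s on the "Zero Day Detection"
and "Cyphort Detects Threats Early" pages, and the Fareit C2 host and registry
marker. Added example, not Cyphort's code; every sample input is constructed."""
import re
from dataclasses import dataclass

MD5_IOCS = {  # copied from the report
    "01eed9bab2d71724df2eb80dec61733e": "Obfuscated JavaScript ransomware downloader",
    "59bff0a38a04c372e4896a4fb2eea8fb": "CryptXXX ransomware",
    "85289e698f34e717ac964210623a704f": "Trojan Win32-Skeeyah",
    "2954e5222920daa142bf699186c0f0be": "Adware",
    "26b2b4089bd56a44c6fceda9083f04b0": "TrojanSpy Selltim",
    "5e1e886b7d427865c01e43bd0f29ce17": "Trojan VB Kryjetor",
}
FAREIT_C2 = "fnijatodn.cz.cc"
FAREIT_HWID = "{B60FBD1C-5BDF-41BE-A27E-6FB5584B9D1B}"


@dataclass(frozen=True)
class Hit:
    source: str  # proxy | hash | registry
    host: str
    indicator: str
    label: str


# Hypothetical proxy syslog layout: "... src=<client> dst=<server host> ..."
PROXY_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def sweep_proxy_log(lines):
    """Flag requests to the Fareit C2 host or a subdomain of it; the suffix test is
    anchored on a dot so that 'notfnijatodn.cz.cc' does not match."""
    hits = []
    for line in lines:
        m = PROXY_RE.search(line)
        if not m:
            continue
        dst = m.group("dst").lower().rstrip(".")
        if dst == FAREIT_C2 or dst.endswith("." + FAREIT_C2):
            hits.append(Hit("proxy", m.group("src"), dst, "Fareit C2 beacon"))
    return hits


def sweep_file_hashes(inventory):
    """inventory: (host, path, md5hex) rows from an endpoint hash export; case-insensitive."""
    hits = []
    for host, path, md5hex in inventory:
        label = MD5_IOCS.get(md5hex.lower())
        if label:
            hits.append(Hit("hash", host, f"{path} md5={md5hex.lower()}", label))
    return hits


def sweep_registry_export(host, reg_text):
    """Walk a .reg-style export; flag an HWID value under <user hive>\\Software\\WinRAR.
    Assumption: legitimate WinRAR also creates the key, so only the HWID value counts."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name, value = name.strip().strip('"'), value.strip().strip('"')
        k = key.upper()
        in_user_hive = k.startswith("HKEY_USERS\\") or k.startswith("HKEY_CURRENT_USER\\")
        if in_user_hive and k.endswith("\\SOFTWARE\\WINRAR") and name.upper() == "HWID":
            label = ("Fareit infection marker (HWID matches report)"
                     if value.upper() == FAREIT_HWID.upper()
                     else "Fareit-style HWID marker (different GUID)")
            hits.append(Hit("registry", host, f"{key}\\HWID={value}", label))
    return hits


# Constructed sample telemetry: hosts, paths, the benign hash and the log layout are invented.
SAMPLE_PROXY_LOG = [
    "Apr 16 09:12:03 proxy01 src=10.20.30.41 dst=www.salesforce.com method=GET status=200",
    "Apr 16 09:12:07 proxy01 src=10.20.30.41 dst=fnijatodn.cz.cc method=POST status=200",
    "Apr 16 09:13:55 proxy01 src=10.20.30.77 dst=update.microsoft.com method=GET status=304",
]
SAMPLE_INVENTORY = [
    ("LA-ENG-12", r"C:\Users\k.lee\Downloads\report.js", "01EED9BAB2D71724DF2EB80DEC61733E"),
    ("LA-ENG-12", r"C:\Windows\System32\notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),
    ("NY-SALES-07", r"C:\Users\j.doe\AppData\Local\Temp\invoice.exe", "26b2b4089bd56a44c6fceda9083f04b0"),
]
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\WinRAR]
"HWID"="{B60FBD1C-5BDF-41BE-A27E-6FB5584B9D1B}"
"""


def run_sweep():
    """All three sweeps over the constructed samples; returns the combined hit list."""
    return (sweep_proxy_log(SAMPLE_PROXY_LOG)
            + sweep_file_hashes(SAMPLE_INVENTORY)
            + sweep_registry_export("NY-SALES-07", SAMPLE_REG_EXPORT))


if __name__ == "__main__":
    for h in run_sweep():
        print(f"[{h.source}] {h.host}: {h.label} ({h.indicator})")
```

Running the module prints four hits: the proxy beacon from 10.20.30.41, the two hash matches, and the HWID marker on NY-SALES-07. In a real deployment the proxy lines would come from the Splunk index the POC forwards syslog to, the hash rows from an EDR or inventory export, and the registry text from a `reg export` taken during triage of a host the report has already flagged. Hash matching on MD5 only catches the exact samples Cyphort saw; the C2 host and the HWID marker survive recompilation of the payload and are the more durable of the three.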

Malware Analysis
Name: JS Malware Dropper of ransomware
Category: Downloader

This JS malware downloader leads the victim's browser to download and execute malware. Generally the source code of the downloader is heavily obfuscated to avoid static detection.

JS malware dropper source: [screenshot in the original, continued on the following page; not reproduced in this transcript]

Malware Analysis
Name: MyWebSearch
Category: Adware Toolbar

MyWebSearch is adware developed by Mindspark Interactive. Mindspark as a company collects data about browsing behaviour and web search metadata from users' machines while those users are using Mindspark products. These products include numerous toolbars and browser plugins.

Payload: Drops a dynamic link library file and installs it as a Browser Helper Object for Internet Explorer.

Top Infections

Malware Name          | # Infected Hosts
DEALPLYB2.CY          | 114
TROJAN_ONLINEGAMES.CY | 6
TROJAN_LLAC.CY        | 5
TROJAN_GENERICKDZ.CY  | 4
HTTPBROWSER.CY        | 3
SUSP_MASSFAV.CY       | 2
TROJAN_Suspicious.CY  | 2
TROJAN_FakeAv.CY      | 1
TROJAN_Generic.CY     | 1

About Cyphort

Cyphort delivers the Anti-SIEM, an innovative security analytics and advanced threat defense platform that addresses the time, cost, and complexity challenges associated with traditional SIEMs. The software uses machine learning and behavioral analysis technologies to detect advanced threats in web, email, and lateral spread traffic. Threat data is correlated with event and log data collected from other security devices in the network. Results are consolidated and presented as a timeline view of each security incident. One-touch mitigation can contain breaches and strengthen existing tools. The Anti-SIEM works with or without an existing SIEM to reduce noise, improve productivity, and accelerate response.

About Cyphort Labs

The Cyphort Labs Security Research Team continuously monitors advanced threats around the world, delivering security intelligence to help you adjust your posture for ongoing advanced threat defense. Customers in active POC (Proof-of-Concept) deployments receive a threat summary report, prepared on the customer's behalf, toward the end of the POC period. Because we believe that good visibility and awareness go a long way toward a strong defense posture, we consolidated the findings for broader distribution and benefit as part of the Cyphort Threat Intelligence Network.

Cyphort Labs Team

Global Security Service
• Threat Monitoring & Research
• 24x7 monitoring for threat events
• Assist customers with their forensics and incident response

Discover. Dissect. Destroy.
• We enhance threat detection accuracy
• False positives/negatives
• Deep-dive research

Security Ecosystem
• Collaboration: we work with the security ecosystem
• Contribute to and learn from the malware KB
• Best of 3rd-party malware data

Cyphort Labs Research

Threat Research
• Cyphort Labs discovered the NightHunter malware
• Nation-state malware Babar, EvilBunny and Caspar
• Uncovered broad-scale malvertising campaigns targeting popular & strategic sites
• Detailed analysis and reporting of PoS malware families, widely circulated

Information Sharing
• Monthly "Malware's Most Wanted" webinar series
• Malware research blogs followed by practitioners and researchers
• Free APT scanner service
• Press coverage
• Cyphort Labs Blog