OFFENSIVE OPS: THE ATTACKER’S VIEW OF YOUR NETWORK
INTRODUCTION
Global Security Lead for SolarWinds MSP
Malware connoisseur and aficionado.
First Home in Edinburgh, Scotland.
Second Home in Terminal 5, Heathrow.
Third Home in Winnipeg, Manitoba.
IAN TRUMP, @phat_hobbit
EXTERNAL THREATS
Top 4 by victim count
1. Non-Payment/Non-Delivery
2. 419/Overpayment
3. Identity Theft
4. Auction
Top 4 by loss
1. Business Email Compromise
2. Confidence Fraud/Romance
3. Non-Payment/Non-Delivery
4. Investment
FUD BOMB
Cybersecurity Ventures predicts cybercrime will cost the world in excess of $6 trillion annually by 2021. - Herjavec Group, Hackerpocalypse 2016
2012 report from Boston Consulting Group on the G-20 online economy: "By 2016, there will be 3 billion Internet users globally, almost half the world's population." "The Internet economy will reach $4.2 trillion in the G-20 economies (by 2016)."
Taking that $4.2 trillion and extrapolating at the suggested (and conservative) 8% CAGR for the online economy gives a G-20 online economy worth roughly $5.7 trillion by 2020 (4.2 x 1.08^4 = 5.71).
What this data says: unless technological disruption occurs, by 2020 the predicted annual loss to cyber criminals would exceed the entire G-20 online economy!?
PASSWORD BALL DROP
Password management is critical to security
10 character unique passwords minimum
<fav pwd>-<service>-<fav pwd> (memorable, but once one service leaks it the pattern gives an attacker every other password; a password manager generating a random password per service is the safer option)
2FA for cloud services
Do not save passwords in your browser
Do not use the same passwords across all devices…
Exploits & Payloads
Of 800 sites dedicated to distributing stolen movies and television shows, 33% of content theft sites contained malware.
Consumers are 28 times more likely to get malware from a content theft site than on similarly
visited mainstream websites or licensed content providers.
45 percent of the malware was delivered through so-called "drive-by downloads" that invisibly download to the user's computer without requiring them to click on a link.
Email Threats
789% increase in phishing email campaigns in the first three months of 2016 against the last quarter of 2015, due primarily to a ransomware upsurge.
2016 saw an unprecedented rise in encryption ransomware attacks, with no sign of the trend abating.
Individuals, small- and medium-sized businesses, hospitals, and global enterprises are all
faced with the reality that this is now one of the most favored cyber criminal enterprises.
In Q1 2016, 93% of phishing emails contained a ransomware payload
Payload
Bypassed mail protection
Bypassed Office 365 mail security
Bypassed Bitdefender MAV
Web protection not effective
Fully patched and updated machine
Removing admin rights would have prevented it (unless the payload also carried a privilege escalation)
Bypassed Sophos firewall
Malware is not Magic
Malware needs to:
1. Exploit a system vulnerability or user vulnerability for access
2. Install some code in system memory
3. Modify the registry or WMI for persistence
4. Generate network traffic to a C & C node
5. Possibly drop file(s) onto the system
6. Run an encryption process against your files
If it is not doing the above it is not Malware
Kill Chain Analysis
EXPLOITS
Build Zero Day
Reverse a Patch
Patch comes out; see what it fixes.
Reverse engineer the patch to break what it fixes (exploit).
Build and test a remote code execution exploit package.
Sell it to cybercrime botnet herders in the underground.
Botnet spear-phishes, spams/phishes or conducts automated attacks.
Profit.
Exploit Kit 4 Sale Cheap
In June, the Neutrino Exploit Kit was pushing an exploit for CVE-2016-0189, a vulnerability that was reportedly used in targeted attacks on South Korean organizations earlier this year.
Microsoft fixed the vulnerability, which affects Internet Explorer's scripting engines, in May (MS16-051).
Malvertising and ransomware campaigns have pivoted towards kits like RIG and Neutrino. Angler and Nuclear are dead.
Neutrino dropping CryptXXX accounted for 75 percent of observed exploit kit traffic, while Neutrino and Magnitude dropping Cerber accounted for another 10 percent combined.
Exploit Mitigation
Reduce Attack Surface
Remove Administrative Rights
GPO’s, Free Software & User Awareness Training
http://www.thirdtier.net/ransomware-prevention-kit/
The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. (EMET reached end of life in July 2018; on Windows 10 the same mitigations are configured through Exploit Protection in Windows Defender Exploit Guard.)
Bitdefender anti-malware researchers have released a new vaccine tool which can protect
against known and possible future versions of the CTB-Locker, Locky and TeslaCrypt
crypto ransomware families
http://download.bitdefender.com/am/cw/BDAntiRansomwareSetup.exe
Mitigation Matrix
(table in the original slides, not recoverable from the text; its column headings were WAN to LAN, End Point, End Point, LAN to WAN, End Point)
PAYLOADS
Example Payload
CryptXXX 3.100 can still cause significant downtime by encrypting files on network shares.
Infected machines scan the /24 subnet of their local area network (LAN) in search of MS Windows shared drives.
CryptXXX downloads a DLL which acts as a credential-stealing module. StillerX appears to be fully featured and targets the credentials of a wide range of applications, from poker software to Cisco VPN credentials.
The following is a partial list of targeted data:
Browser data (history, cookies, stored credentials)
Dialer credentials
Download managers credentials
Email credentials
FTP credentials
IM credentials
Poker software credentials
Proxy credentials
Remote administration software credentials
VPN credentials
WNetEnum Cached Passwords
Microsoft Credential Manager data
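The /24 share sweep described above is easy to spot in connection logs. As an added example (not code from the original deck), the following Python script flags any host that opens TCP 445 connections to an unusually large number of distinct neighbours in its own /24 within a short window. The log format and lines are constructed for illustration, and the threshold of 20 distinct targets within two minutes is an assumed tuning value.

```python
"""Detect a CryptXXX-style SMB share sweep from connection logs.

Added example, not code from the original deck. Log format, timestamps,
hosts and thresholds below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed connection records: '<ISO timestamp> <src> <dst> <dport> <proto>'."""
    base = datetime(2016, 7, 26, 9, 55, 0)
    lines = ["2016-07-26T09:54:45 192.168.1.56 192.168.1.1 53 udp"]  # ordinary DNS
    # infected host enumerating its /24 for Windows shares: .10 through .49 in ~10 s
    for i in range(40):
        ts = (base + timedelta(seconds=i // 4)).isoformat()
        lines.append(f"{ts} 192.168.1.56 192.168.1.{10 + i} 445 tcp")
    # benign workstation mapping three file servers half an hour later
    for i, srv in enumerate((5, 6, 7)):
        ts = (base + timedelta(minutes=30, seconds=i * 5)).isoformat()
        lines.append(f"{ts} 192.168.1.20 192.168.1.{srv} 445 tcp")
    return "\n".join(lines)


def parse_log(text):
    """Return (timestamp, src, dst, dport, proto) tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return records


def detect_smb_sweeps(records, threshold=20, window=timedelta(minutes=2)):
    """Alert once per source that reaches `threshold` distinct hosts in its own /24
    on TCP 445 inside any `window`-long interval."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in records:
        if proto != "tcp" or dport != 445 or src == dst:
            continue
        local_net = ipaddress.ip_network(f"{src}/24", strict=False)
        if ipaddress.ip_address(dst) in local_net:
            by_src[src].append((ts, dst))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({"src": src, "distinct_targets": len(distinct),
                               "first": events[start][0], "last": ts})
                break                                # one alert per source
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_sweeps(parse_log(build_sample_log())):
        print(f"SMB sweep from {alert['src']}: {alert['distinct_targets']} hosts "
              f"between {alert['first']} and {alert['last']}")
```

A whole /24 is only a few dozen connections, so the threshold has to be tuned against a baseline of how many SMB peers a normal workstation talks to. The segmentation advice later in the deck (no workstation-to-workstation communication) would stop the spread outright rather than merely detect it.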
SMB & MSP Global Threat
Case Study: MSP Ransomware Payload
Confidential
VirusTotal detection ratios for the dropped executable over time (the sample borrows the name igfxpers.exe from a legitimate Intel graphics driver helper):
igfxpers.exe 7 / 54 2016-01-24 15:28:26 UTC
igfxpers.exe 37 / 56 2016-05-31 15:28:26 UTC
notigfxpers.exe 22 / 53 2016-07-26 09:54:45 UTC
Case Study: Ransomware Payload Analysis
3X.4X.1XX.8X – used as attack proxy; hosting provider in a European country
Malware analysis revealed a Trojan which dates to 2012 and is not a crypto-locker. The Trojan is programmed to deliver a cryptolocker in the form of an executable payload from a purpose-built web server.
3X.4X.9X.1XX – used as the delivery server for the cryptolocker payload; hosting provider in a different European country.
Encryption key appears to be a "one time" key generated at time of infection.
Wireshark capture of the payload request from the infected host:
8 20.538692 192.168.1.56 3X.4X.9X.1XX HTTP 291 GET /googde.php?ccc=R16M01D0_a7bac6_Koc8dhzAUpSN8BygjzdpL51CzOhpXOUdYAj1O8BT8BErzI8hZ3tGHXfHbJZ9i7BDcivYJOJs5zAhVxVIsgKyexrRpyRx4R7HJOMiA8uk3debBD3aLxB6LGzO5xIu3vYOD0lOm9J6r6cdEC7oUzUE8OPOn0E_1186__
Logs from infrastructure and service providers revealed the following:
IP Addresses used in the attack are from Germany, Netherlands, Hong Kong (VPN Provider?),
Singapore (VPN Provider?), UK, Spain & Russia.
The Russian IP address was the origin of a great deal of spam from a ransomware campaign.
Investigation and evidence gathering continues. Some countries are cooperative, others not so much.
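The capture above contains the one request worth pulling out of the Wireshark trace: a GET to a PHP page carrying a single long, random-looking parameter. As an added example (not part of the original analysis), the following Python script parses packet-list rows of that shape, scores each query parameter by length and Shannon entropy to separate encoded beacon or victim-ID strings from ordinary human-typed values, and lists the destinations to take into the "trace IP to host country" step. The slide's request is reused with its destination replaced by a documentation-range address; the other rows and the thresholds (64 characters, 4.0 bits per character) are constructed assumptions.

```python
"""Triage HTTP GET requests from a capture for beacon-like query strings.

Added example, not code from the original deck. The first request below is
the one shown on the slide (destination replaced by a documentation-range
address); the other rows and the thresholds are constructed assumptions.
"""
import math
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

SLIDE_TOKEN = ("R16M01D0_a7bac6_Koc8dhzAUpSN8BygjzdpL51CzOhpXOUdYAj1O8BT8BErzI8hZ3tGH"
               "XfHbJZ9i7BDcivYJOJs5zAhVxVIsgKyexrRpyRx4R7HJOMiA8uk3debBD3aLxB6LGzO5xIu3vYOD0lOm9J6r6cdEC"
               "7oUzUE8OPOn0E_1186__")

# Rows in the shape of Wireshark's packet list:
# "<No.> <Time> <Source> <Destination> <Protocol> <Length> <Info>"
SAMPLE_CAPTURE = [
    f"8 20.538692 192.168.1.56 203.0.113.45 HTTP 291 GET /googde.php?ccc={SLIDE_TOKEN} HTTP/1.1",
    "15 21.104233 192.168.1.56 198.51.100.7 HTTP 214 GET /search?q=firewall+rules&page=2 HTTP/1.1",
    "23 22.990001 192.168.1.56 203.0.113.45 HTTP 180 GET /index.html HTTP/1.1",
]


def shannon_entropy(s):
    """Bits per character; random base64-like data sits near 5-6, English text near 4."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_packet_list(rows):
    """Split packet-list rows into dicts; non-HTTP or non-GET rows are ignored."""
    packets = []
    for row in rows:
        frame, t, src, dst, proto, length, info = row.split(maxsplit=6)
        if proto != "HTTP" or not info.startswith("GET "):
            continue
        method, target, _version = info.split()
        parts = urlsplit(target)
        packets.append({"frame": int(frame), "time": float(t), "src": src, "dst": dst,
                        "path": parts.path,
                        "params": parse_qsl(parts.query, keep_blank_values=True)})
    return packets


def triage(rows, min_len=64, min_entropy=4.0):
    """Flag query parameters that are both long and high-entropy: the shape of an
    encoded victim/campaign identifier rather than a human-typed value."""
    findings = []
    for pkt in parse_packet_list(rows):
        for name, value in pkt["params"]:
            ent = shannon_entropy(value)
            if len(value) >= min_len and ent >= min_entropy:
                findings.append({"frame": pkt["frame"], "dst": pkt["dst"], "path": pkt["path"],
                                 "param": name, "length": len(value), "entropy": round(ent, 2)})
    return findings


def suspect_destinations(rows, **thresholds):
    """Distinct destination IPs behind flagged requests: the list to take to WHOIS /
    geolocation in the 'trace IP to host country' step."""
    return sorted({f["dst"] for f in triage(rows, **thresholds)})


if __name__ == "__main__":
    for f in triage(SAMPLE_CAPTURE):
        print(f"frame {f['frame']}: {f['dst']}{f['path']} ?{f['param']}= "
              f"len={f['length']} entropy={f['entropy']}")
    print("destinations to trace:", suspect_destinations(SAMPLE_CAPTURE))
```

Entropy alone is a weak signal (session cookies and CDN cache-busters look the same), so in practice the finding is combined with the destination's reputation and with whether the same host keeps requesting the same path on a fixed interval.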
PAYLOAD ANALYSIS
Platform:
Virtual Machine (VMware Player, Oracle VirtualBox)
Windows XP SP3 or Windows 7 (requires some config work)
Apps: Adobe Flash, Java, Silverlight, Adobe Reader (6 to 9 months out of date); unpatched MS Office viewers, with file converters (docx, pptx, xlsx, etc.)
No AV installed (occasionally even Windows Defender may block the sample)
Wireshark and Regshot installed
VirusTotal access
Payload Analysis
https://virustotal.com/en/ip-address/69.89.31.222/information/
Demo (Video)
Advanced Malware Analysis Platform
Cuckoo Sandbox - Throw any suspicious file at it and in a matter of seconds Cuckoo will provide
you back some detailed results outlining what such file did when executed inside an isolated
environment.
Thug – is a handy tool for studying exploit kits, as it emulates a real browser complete with a set of plugins like Adobe Reader, Flash and Java.
Bro (now Zeek) – is a powerful network analysis framework that is much different from the typical IDS you may know.
Volatility - is a tool for memory forensics. It's free and written in Python, so it runs well on both
Windows and Linux.
IDA Pro - is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger
Methodology
Pre Phase
A. Upload suspect file to VirusTotal (search for the hash first: an upload shares the sample with every vendor and can tip off the operator of a targeted campaign)
Phase 1
A. VM snapshot
B. Regshot 1
C. Wireshark on
Phase 2
A. Infection
Phase 3
A. Regshot 2 & compare
B. Observe Wireshark traffic
C. Trace IP to host country
Post Phase
Restore VM from snapshot
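Phase 3 (Regshot compare) is where the "malware needs to" checklist from earlier in the deck gets applied: the diff should expose the registry or WMI persistence, the dropped file and the ransom note. As an added example (not code from the deck or from Regshot), the following Python script parses a constructed approximation of Regshot's text comparison output and classifies each entry against common Windows autostart locations; the report contents, hostnames and file paths are invented for illustration and the rule list is the usual set of persistence points, not one taken from the slides.

```python
"""Classify a Regshot before/after comparison for persistence and dropped files.

Added example, not code from the original deck. The report text below is a
constructed approximation of Regshot's compare output (section headers such
as 'Keys added: N' followed by one entry per line); the persistence locations
are the usual Windows autostart points, not a list from the slides.
"""
import re

SAMPLE_REPORT = r"""Regshot 1.9.0 x86 ANSI
Comments:
Datetime: 2016/07/26 09:55:12  ,  2016/07/26 09:58:40
Computer: WIN7-LAB , WIN7-LAB
Username: victim , victim

----------------------------------
Keys added: 2
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\igfxsvc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx

----------------------------------
Values added: 2
----------------------------------
HKU\S-1-5-21-1004\Software\Microsoft\Windows\CurrentVersion\Run\igfxpers: "C:\Users\victim\AppData\Roaming\igfxpers.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\MRUListEx: 00 00 00 00 FF FF FF FF

----------------------------------
Files added: 3
----------------------------------
C:\Users\victim\AppData\Roaming\igfxpers.exe
C:\Users\victim\AppData\Local\Temp\~DF3A1.tmp
C:\Users\victim\Desktop\!Recovery_a7bac6.html

----------------------------------
Files [attributes?] modified: 1
----------------------------------
C:\Windows\System32\wbem\Repository\OBJECTS.DATA

----------------------------------
Total changes: 8
----------------------------------
"""

SECTION_RE = re.compile(r"^(Keys|Values|Files)\b.*?(added|deleted|modified): (\d+)\s*$")

# (category, sections the rule applies to or None for all, pattern)
PERSISTENCE_RULES = [
    ("autorun", None,
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("service", None,
     re.compile(r"\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\", re.I)),
    ("winlogon", None,
     re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)", re.I)),
    ("ifeo", None, re.compile(r"\\Image File Execution Options\\", re.I)),
    ("wmi_repository", None, re.compile(r"\\System32\\wbem\\Repository\\", re.I)),
    ("scheduled_task", None, re.compile(r"\\System32\\Tasks\\", re.I)),
    ("dropped_binary", {"Files added"},
     re.compile(r"^C:\\Users\\.*\.(exe|dll|scr)$", re.I)),
]


def parse_regshot_report(text):
    """Return {section name: [entries]}; preamble, separators and totals are skipped."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = []
        elif (current and line and not line.startswith("-")
              and not line.startswith("Total changes")):
            sections[current].append(line)
    return sections


def find_persistence(sections):
    """Match every entry against the rules; the first matching rule wins."""
    findings = []
    for section, entries in sections.items():
        for entry in entries:
            for category, only_in, pattern in PERSISTENCE_RULES:
                if only_in and section not in only_in:
                    continue
                if pattern.search(entry):
                    findings.append({"section": section, "category": category, "entry": entry})
                    break
    return findings


if __name__ == "__main__":
    for f in find_persistence(parse_regshot_report(SAMPLE_REPORT)):
        print(f"[{f['category']:>14}] {f['section']}: {f['entry']}")
```

The MRU and Temp noise in the sample is deliberate: a real Regshot diff of a Windows VM is mostly Explorer housekeeping, and the point of the rule list is to pull the handful of lines that matter out of it. A modified WMI repository file only says that something touched the repository; confirming a WMI event subscription means querying the root\subscription namespace on the live VM.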
CONCLUSIONS
IT SECURITY FUD
When reporting and discussing the scale and impact of malware and cyber crime in general:
Move away from sensationalism.
Move away from the consequence of breach.
Who is not as important as how.
Compromise indicators are more important than financial costs.
Data derived from large enterprise is not relevant to SMB/SME.
We need a standards based score card free from disclosure litigation.
Move to an Anti-Cyber Crime Architecture
(network diagram in the original; zones as labelled)
Firewall 192.168.1.X: communication rules, detective rules; WAP in DMZ
Servers 192.168.2.X: SAN/NAS file sharing over HTTPS, event logging, HIDS/HIPS
Admins 192.168.3.X: no admin email, event logging, HIDS/HIPS
Users 192.168.4.X: GPO: no comms within 192.168.4.X; local admin only for MAX & Mgt
Printers 192.168.5.X
Egress Firewall Rules to Stop Cyber Crime
Deny rules for Workstation Subnet: No external DNS, IRC, NTP, FTP, ICMP, SMTP,
SNMP, RDP
Deny rules for Admins (open as required) No external DNS, IRC, NTP, FTP, ICMP,
SMTP, SNMP, RDP
Deny rules for Printer Subnet: Everything. No printers on the Internet!
Servers: Deny Everything. Only DNS, NTP to Specific IPs, HTTPS.
Network Segmentation, Event Logs are key to prevent and detect hostile movement
in the network and C&C activity.
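The rules above can be checked as well as enforced. As an added example that is not part of the deck, the following Python script encodes the per-subnet deny rules as a policy and replays constructed firewall log records against it, reporting every flow the firewall allowed that the policy says should have been dropped (a detective rule in the sense of the architecture slide). The log format, the documentation-range destination addresses and the two approved DNS/NTP server IPs are assumptions; the subnets and deny lists are the ones on the slides.

```python
"""Detective rule for the deck's egress policy: replay firewall 'ALLOW' records
against the per-subnet deny rules and report what should not have left the network.

Added example, not code from the original deck. The log format, the
documentation-range destinations and the approved DNS/NTP servers are
constructed assumptions; the subnets and deny lists come from the slides.
"""
import ipaddress

ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "firewall": "192.168.1.0/24", "servers": "192.168.2.0/24", "admins": "192.168.3.0/24",
    "users": "192.168.4.0/24", "printers": "192.168.5.0/24"}.items()}

# services workstations and admins must not reach on the Internet (ICMP keyed with port 0)
BLOCKED_FOR_ENDPOINTS = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS", ("tcp", 6667): "IRC", ("udp", 123): "NTP",
    ("tcp", 21): "FTP", ("icmp", 0): "ICMP", ("tcp", 25): "SMTP", ("udp", 161): "SNMP",
    ("tcp", 3389): "RDP",
}
# assumed "specific IPs" that servers may use for DNS and NTP
SERVER_DNS_NTP = {ipaddress.ip_address("192.0.2.53"), ipaddress.ip_address("192.0.2.123")}

# constructed firewall records: "<ts> <action> <src> <dst> <proto> <dport>"
SAMPLE_FIREWALL_LOG = """\
2016-07-26T09:55:30 ALLOW 192.168.4.21 8.8.8.8 udp 53
2016-07-26T09:55:31 ALLOW 192.168.4.21 192.168.2.10 udp 53
2016-07-26T09:55:40 ALLOW 192.168.4.22 203.0.113.45 tcp 80
2016-07-26T09:56:02 ALLOW 192.168.5.3 198.51.100.9 tcp 80
2016-07-26T09:56:10 ALLOW 192.168.2.10 203.0.113.45 tcp 443
2016-07-26T09:56:11 ALLOW 192.168.2.10 192.0.2.53 udp 53
2016-07-26T09:56:15 ALLOW 192.168.2.10 203.0.113.45 tcp 80
2016-07-26T09:57:00 DENY 192.168.4.23 203.0.113.45 tcp 6667
2016-07-26T09:58:20 ALLOW 192.168.3.5 203.0.113.45 tcp 3389
"""


def zone_of(ip):
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def policy_verdict(src, dst, proto, dport):
    """(allowed, reason) for one flow under the egress rules on the slide."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if zone_of(dst) != "external":
        return True, "internal flow; egress rules do not apply"
    zone = zone_of(src)
    service = BLOCKED_FOR_ENDPOINTS.get((proto, 0 if proto == "icmp" else dport))
    if zone in ("users", "admins"):
        if service:
            return False, f"{zone}: external {service} denied"
        return True, f"{zone}: permitted"
    if zone == "printers":
        return False, "printers: no Internet access"
    if zone == "servers":
        if proto == "tcp" and dport == 443:
            return True, "servers: HTTPS permitted"
        if service in ("DNS", "NTP") and dst in SERVER_DNS_NTP:
            return True, f"servers: {service} to approved IP permitted"
        return False, "servers: default deny"
    return False, f"{zone}: no egress rule, default deny"


def audit(log_text):
    """Flows the firewall allowed that the policy says it should have dropped."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, src, dst, proto, dport = line.split()
        if action != "ALLOW":
            continue
        allowed, reason = policy_verdict(src, dst, proto, int(dport))
        if not allowed:
            violations.append({"time": ts, "src": src, "dst": dst,
                               "proto": proto, "dport": int(dport), "reason": reason})
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_FIREWALL_LOG):
        print(f"{v['time']} {v['src']} -> {v['dst']} {v['proto']}/{v['dport']}: {v['reason']}")
```

Run periodically against the firewall's accept log, an empty result is the evidence that the deny rules are actually in place; a non-empty one is either a misconfiguration or, for the DNS/IRC/RDP cases, the C&C traffic the rules exist to stop.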
Hosted Cloud Based Backup (BaaS)
User Awareness Training Program
Vulnerability Scanning
Patch & Update Systems & IoT Devices (PMaaS)
Harden Systems - Remove Admin/Restrict User Activities
Harden Systems - Reduce Attack Surface (Remove Flash)
Deploy Anti-Virus & Web Protection (Keep it up to date)
Deploy Mail Protection (MPaaS)
Be Prepared!
Layered Security Offering
https://www.logicnow.com/ctg-ian
THANK YOU
The grim reality is cyber-crime only works if money can be made and the
money can be moved out of the electronic system and into physical currency,
or in the parlance of investigators suitably “laundered”. There is evidence
and a bold argument that suggests we don’t actually have a cyber-crime
problem, what we have is a money laundering problem.– Ian Trump, 2015