Threats in Connected World Day 2, Track 2, 09:45
Transcription
Threats in Connected World
Bhavin Gandhi, Sr. Technical Consultant, Trend Micro India

What War Was: Earlier
Country A against Country B
• India - Pakistan
• US - Iraq
• NATO - Germany
• World War 1, 2, etc.
That's what war was: dirty and bloody, with lots of noise, mayhem and blackouts.

But Now...
Time has changed, and so has the definition:
• No visible damage to life and property
• No fires and noise
• No supply chain management
• No troops and ammunition
• The definition of heroes has changed since 9/11
It's all about little ones and zeroes.

Advanced Persistent Threat (APT)
Copyright 2014 Trend Micro Inc.

Evolving Threat Landscape
(Chart of sophistication over time: employee data leaks, traditional malware, vulnerability exploits, advanced malware, targeted attacks.)
In the news: hackers stole $81M from Bangladesh Bank; social media accounts compromised; the Panama Papers leak.

We See the TIP of the APT ICEBERG
The attacks in the news are the visible tip; most go unreported. 90% of companies found previously unknown malware (Trend Micro study). Below the surface: APTs, cyber espionage, targeted attacks, cyber threats.

Networks Are Becoming Cyber Swiss Cheese
• Employees are often exploited: 91% of targeted attacks begin with a spear-phishing email
• Poison Ivy: monitoring a few ports is insufficient
• EvilGrab: monitoring a few apps and protocols is insufficient
• IXESHE: attacks are dynamic, not static, in nature

Hackers Have an Unfair Advantage!
Adversary: resources and expertise for hire; a target-rich guerrilla offense; ease of execution; focused objectives.
Enterprise: resource and expertise constraints; a broad, static defense; detection complexity; low signal-to-noise ratio.
• 75% of attacks require little skill to execute (1), yet require advanced skills to detect and remediate
• 63% of security professionals believe it is only a matter of time until their enterprise is targeted (2)
• $5.9M is the average cost of a targeted attack (3)
All that's needed is a credit card and a mouse!

Code for Sale
A single underground package, advertised as "Ultra Hackers Tools for sale", bundles hundreds of items at a price of 0.0797 BTC (bitcoin), about $25. The slide's listing (column layout lost in transcription) groups the software into: cracking tools; crypters; DoSers, DDoSers, flooders and nukers; host booters; remote administration tools/trojans; analysis tools (debuggers, hex editors, disassemblers); scanners; packers; unpackers; decompilers; binders; patchers; fake programs; stealers; virus builders; spammers.

A Targeted Attack in Action: Social, Stealthy
Extracts data of interest; can go undetected for months!
Attack flow (attackers → employees → $$$$):
• Gathers intelligence about the organization and individuals
• Targets individuals using social engineering
• Establishes a link to a command and control (C&C) server
• Moves laterally across the network seeking valuable data

Large Spear-phishing Incidents
The most costly data breach incidents were all caused by spear-phishing. Source: Trend Labs.

Email: The Dominant Attack Vector
• 91% of targeted attacks begin with a spear phishing attack
• The median time for the first user to open a malicious spear phishing email is 1 minute, 40 seconds
• It takes under a minute for an endpoint to be entirely encrypted by ransomware
Consequences: unexpected costs, unexpected strategic impacts, unexpected risks, unexpected career impacts.

Standard Defenses Are Insufficient
Advanced methods can evade traditional defenses (next-gen firewall, intrusion detection (IDS), intrusion prevention (IPS), traditional AV, email/web gateways):
• Advanced reconnaissance
• Spear-phishing emails
• Embedded payloads
• Unknown malware and exploits
• Dynamic command and control (C&C) servers
• BYOD and remote employees create a broad attack surface

Simple & Efficient
Infection and payload, lateral movement and C&C callback are detected and fed into a dynamic blacklist (example entries on the slide: file hash af12e45b49cd23..., 48.67.234.25:443, 68.57.149.56:80, d4.mydns.cc, b1.mydns.cc, ...), which is then applied at the web proxy, the SMTP relay, storage, the mail server, the app server and the endpoint.

Data Center Security
Virtualization and cloud: increased efficiency and agility. IT operations asks: is security slowing me down?

LEGACY APPLICATIONS THAT DON'T GET PATCHED?
(Timeline chart of products for which security patches are no longer issued; end-of-support dates span January 2009 to July 2015. Product names are not recoverable from the transcription.)
Windows 2000 and XP vulnerabilities are still being announced after end of life. The cost of a custom support contract for Windows 2000 is $200K annually.

PATCHING IS A NIGHTMARE: HOW FAST DOES IT HAPPEN FOR YOU?
Milestones on the timeline: vulnerability disclosed or exploit available; patch available; test; begin deployment; complete deployment. The labelled windows are EXPOSURE, SOAK and PATCHED.

Responsibility for Security Is Shared in the Cloud
Cloud service provider: facilities, physical security, physical infrastructure, network infrastructure, virtualization infrastructure.
Customer: operating system, applications, data, account / security groups, network configuration.

Traditional on-premise security is applied at the perimeter: on-premises firewall, IPS and load balancer in front of the web tier, app tier and DB tier.
Build a workload-centric security strategy: network and security groups around an elastic load balancer, a web tier in the cloud, an app tier in the cloud and DB services.

Ransomware

Ransomware by the Numbers
• $200-$10k: typical ransom paid (FBI, April 2016)
• >50%: percentage of US hospitals hit by ransomware in 2015 (HIMSS Analytics, 2016)
• 90,000: number of systems per day infected by Locky ransomware (Forbes, February 2016)
Ransomware families by month (Smart Protection Network detection hits). The per-family mapping of the table cells is not legible in the transcription, so values are listed per attribute.

Jan 2016
Families: LECTOOL, EMPER, CRYPRADAM, MEMEKAP, CRYPNISCA, CRYPJOKER, CRYPRITU
Infection vector: spam for all; in one case the spam is disguised as a PDF attachment
Mode of payment: one family leaves no ransom note; the others demand 2 BTC, 13 BTC, 0.5 BTC, 1 BTC or 0.1 BTC; one requires emailing the malware author to get payment instructions
Encrypted data: personal files; personal files plus DB files; web pages; DB files; some add nothing beyond personal files
Encryption keys: generated locally (several families, one of which deletes them afterwards); private key held on the server; encryption key held on the server; public key fetched from C&C
Self-destruct: no, for all families

Feb 2016
Families: CRYPGPCODE, CRYPHYDRA, CRYPDAP, CRYPZUQUIT, MADLOCKER, LOCKY
Infection vector: invoice spam; exploit kit; spam disguised as a PDF attachment; spam; macro or JS attachment
Mode of payment: 1.505 BTC; 2 BTC; 536 GBP; 400 dollars with instructions from the author on how to pay; 0.8 BTC; $350; 1 BTC; 0.5-1 BTC
Encrypted data: personal files; personal files plus DB files; no addition to personal files; sync manager and logger files; web pages; wallet; DB files; code
Encryption keys: generated locally; public key from C&C; encryption key from C&C
Self-destruct: no, for all families

March 2016
Families: CERBER, CRYPAURA, KERANGER (KeRanger), TESLA 4.0, SURPRISE, MAKTUB, PETYA, POWERWARE, CRYPTOSO, COVERTON
Slide annotations: "PowerShell script", "It speaks!!", "unique"
Infection vector: exploit kit; spam; App Store; macro or JS attachment; terms-of-service (TOS) spam; TeamViewer; job application with a macro downloader; Dropbox link attachment
Mode of payment: 1.24-2.48 BTC; <TO BE UPDATED>; 1 BTC; 1.3 BTC; 1.4-3.9 BTC ($588-$1638); 0.5 to 25 BTC; 0.99-1.98 BTC ($431-$862); 1.18-2.37 BTC ($500-$1000); 1 BTC, then increasing by 1 BTC daily; 1 BTC
Encrypted data: personal files; DB files; macOS files; games; wallet; accounting/finance files; code; US tax return files; one family overwrites the MBR and triggers a BSOD
Encryption keys: private key obtained after payment (several families); public key from C&C; AES key generated locally; 5 key pairs generated locally, with 1 key requiring an RSA key
Self-destruct: no, for all families

Protecting Against Ransomware
• Back-up and restore: automated; 3 copies, 2 formats, 1 air-gapped from the network
• Access control: limit access to business-critical data
• Keep current with patching: minimize exploitation of vulnerabilities
• Don't pay the ransom: paying encourages further attacks, and there is no guarantee of data recovery
• Employee education on phishing: awareness, best practices, simulation testing
• Improve security posture: follow best practices for the current solution, add technology

Layered controls: network traffic scanning, vulnerability shielding, lateral movement prevention and malware sandboxing at the network and server layers; ransomware behavior monitoring, application control and vulnerability shielding at the endpoint; spear phishing protection and a malware sandbox at the email gateway; IP/web reputation at the web gateway.

Throughout history, adversaries have developed countermeasures to security. Today's drivers: proliferation of connected assets and devices; omnipresent network access; on- and off-premise applications. Source: www.darkreading.com

Thank you
Reach us on:
Srinivasan N., Srinivasan_n@trendmicro.com
Bhavin Gandhi, Bhavin_g@trendmicro.com
www.trendmicro.com