Advanced unknown malware in the heart of Europe - VLADIMÍR SEDLÁČEK [GREYCORTEX]

Transcript

1. ADVANCED, UNKNOWN MALWARE IN THE HEART OF EUROPE

2. AGENDA Network Traffic Analysis: What, Why, Results Malware in the

   Heart of Europe Bonus Round 2

3. WHAT: NETWORK TRAFFIC ANALYSIS = Statistical analysis, machine learning, artificial

   intelligence, metadata, and content inspection to detect suspicious activities in the network = Mirrored network traffic via TAP/SPAN ≠ NetFlow analysis, full-packet capture 3

4. WHY NTA 4 Rapid Detection & Response Effective Because Threats

   Create Detectable Traffic Unknown malware Insider threats Forensic investigation Network visibility IoT and BYOD devices

5. NTA RESULTS 5 You don’t know until… Your network is

   compromised Detect Threats Visualize the Full Network

6. 6 ARTIFICAL INTELLIGENCE MACHINE LEARNING BIG DATA ANALYSIS GOVERNMENTS +

   CRITICAL INFRASTRUCTURE+ ENTERPRISE MAKE IT OPERATIONS SECURE AND RELIABLE Uses To Help

7. Malware in the Heart of Europe Customer and PoC Network

   Examples 7

8. CASE 1 – LETHIC SPAMBOT A Device in the Observed

   Network: Queried external DNS servers (Google) for known-infected server names Communicated via port 1123 to servers in Norway Silenced traffic when the device was running anti-virus scanner and remained silent for the next two hours, later resuming communication on port 1123 Communicated periodically to MS Hotmail service on port 25/tcp 8

9. CASE 1 – LETHIC SPAMBOT 9 Unsupervised Learning Machine Behavior

   Flow-based Detection Discovery Analysis Other Outlier: high number of communication peers & flows SMTP Permanent Communication Anomaly: Communicated periodically to MS Hotmail service on port 25/tcp A new service on a host discovered IDS rule matched (Lethic SpamBOT) External DNS server, poor reputation Ips High external DNS traffic (1-2 queries reached170)

10. CASE 1 – SCREENS 10

11. CASE 2 – ETERNAL BLUE A Device on the Observed

    Network: Suddenly used a DNS tunnel and TOR network together, exchanging one message After 4 hours of waiting, it started opening port 445/tcp connections on multiple external hosts Tried to use CVE-2017-0143 (exploit MS17-010) on the connected host 11

12. CASE 2 – ETERNAL BLUE 12 Unsupervised Learning Machine Behavior

    Flow-based Detection Discovery Analysis Other Outlier: high number of communication peers & flows Network scan 445/tcp to internet Correlation rule matched: malware spreading to internet IDS rules matched: DNS tunnel, TOR A day after updated IDS rule matched: Eternal Blue (based on CVE-2017-0143, exploit MS17-010)

13. CASE 2 - DEMO 13

14. CASE 3 – WANNACRY A Device on the Observed Network:

    Started opening port 445/tcp connections on multiple hosts, external and internal Successfully used CVE-2017-0143 (exploit MS17-010) on another internal host immediately The second device started exhibiting the same behavior 14

15. CASE 3 – WANNACRY 15 Unsupervised Learning Machine Behavior Flow-based

    Detection Discovery Analysis Other Outlier: high number of communication peers & flows Network scan 445/tcp to internal network and internet Correlation rule matched: malware spreading to internal network A day after updated IDS rule matched: WannaCry variant (CVE-2017-0143, exploit MS17-010)

16. CASE 3 – DEMO 16

17. CASE 4 – SSH ATTACK Identified at a Perimeter Router:

    Consecutive IP addresses in the public range were tried in an effort to open a session on port 22/tcp; by a host in Canada Subsequently, a high number of connections via port 22/tcp to some hosts in the range were detected 17

18. CASE 4 – SSH ATTACK 18 Unsupervised Learning Machine Behavior

    Flow-based Detection Discovery Analysis Other SSH port sweep (22/tcp) Brute force SSH attack (22/tcp)

19. CASE 4 – DEMO 19

20. CASE 5 – UNKNOWN (YET) BOTNET A Device on an

    Internal Network: Periodically attempts to communicate with blacklisted IP addresses at port 30303 20

21. CASE 5 – UNKNOWN (YET) BOTNET 21 Unsupervised Learning Machine

    Behavior Flow-based Detection Discovery Analysis Other Periodic repetitive communication at port 30303 Communication with blacklisted IP

22. CASE 5 – DEMO 22

23. CASE 6 – DOCUMENT LEAKAGE A Device on an Internal

    Network: Exhibited an unusually high data transfer volume to an external network 23

24. CASE 6 – DOCUMENT LEAKAGE 24 Unsupervised Learning Machine Behavior

    Flow-based Detection Discovery Analysis Other Outlier: high volume of data transfer detected (Severity 7) Outlier: high volume of data transfer detected (Severity 5) L7 content analysis: file named _Financial_Summary _Q1.pdf_ uploaded to www21.filehosting.or g; a domain of Hetzner Online GmbH

25. CASE 6 25

26. CASE 7 – ALL TOGETHER Cases 1-6 Combined 26

27. CASE 7 – ALL TOGETHER 27 Unsupervised Learning Machine Behavior

    Flow-based Rules Discovery Analysis Other Outliers: data, flows, packets, peers, hosts, ports, performance Bayesian Expectation Maximization Gaussian Mixture Models Repetitive periodic connections or checks Port scan Port sweep Brute-force Dictionary attacks Data enumeration DoS, DDoS Detection of new or lost/unreachable: services, devices (IP, MAC, hostname), gateways, VLANs, subnets Detection of changed/duplicated hostname/IP/MAC, changed VLAN, … Event correlation L7 content analysis (DPI) Tunneled and encrypted data inspection IDS in the internal network, all rules active (45k+)

28. CASE 7 – DEMO 28

29. “BONUS” – CAUTIONARY TALES Ministry “Outer System“ E-mail Server Provided

    Mailbox Access: • To IP addresses of Tor endpoints and to server hosting PhpBB forum “СуперМамочки Нижнекамска” (static.7.236.46.78.clients.your-server.de, Hetzner Online GmbH) • 170 accounts/users compromised, unnoticed almost a year • More than 7100 documents stolen. • The attacker “basically maintained undisturbed access to any of the email accounts” • “Strategic advantage” gained? 29 Vulnerable Network at Political Organization: • Multiple intrusions by different organizations (2015, 2016) • Unnoticed almost a year • Internal strategy documents, emails, and possible donor lists stolen Spear-Phishing Attack on Campaign Manager: • Fake security alert/log-in page • Identified as “legitimate” by security team (or not) • Secret to creamy risotto

30. “BONUS” CASE – FINDINGS, VERDICT Findings • Weak or leaked

    account password (“admin5”) using single factor authentication for strong accounts. • Using private accounts for work, prone to social engineering, etc. • No proper evaluation of operations data in place, no insight Verdict • Always watch what happens in your network, use the right tools! • Do not trust administrators, they have too much power! • And … 30 GOTTA CATCH ‘EM ALL.

31. 31

32. 32 PALDIES PAR JŪSU UZMANĪBU! GreyCortex s.r.o. Purkyňova 127 612

    00 Brno Vladimír Sedláček [email protected] +420 511 205 388 www.greycortex.com twitter.com/greycortex linkedin.com/company/greycortex