Advanced unknown malware in the heart of Europe - VLADIMÍR SEDLÁČEK [GREYCORTEX]

Analysis and examples of unknown and targeted attacks on government and enterprise clients in the CEE region. Advanced persistent threats are becoming more and more common "in the wild" - and they are often undetected by the most commonly deployed network. #securitysession2018

SecuritySession

April 07, 2018

Transcript

  1. WHAT: NETWORK TRAFFIC ANALYSIS

    = Statistical analysis, machine learning, artificial intelligence, metadata, and content inspection to detect suspicious activities in the network
    = Mirrored network traffic via TAP/SPAN
    ≠ NetFlow analysis, full-packet capture
  2. WHY NTA

    Rapid Detection & Response
    Effective Because Threats Create Detectable Traffic
    • Unknown malware
    • Insider threats
    • Forensic investigation
    • Network visibility
    • IoT and BYOD devices
  3. NTA RESULTS

    You don’t know until… your network is compromised.
    • Detect Threats
    • Visualize the Full Network
  4. Uses ARTIFICIAL INTELLIGENCE, MACHINE LEARNING and BIG DATA ANALYSIS

    to help GOVERNMENTS + CRITICAL INFRASTRUCTURE + ENTERPRISE make IT operations secure and reliable
  5. CASE 1 – LETHIC SPAMBOT

    A Device in the Observed Network:
    • Queried external DNS servers (Google) for known-infected server names
    • Communicated via port 1123 to servers in Norway
    • Went silent while the device was running an anti-virus scan, stayed silent for the next two hours, then resumed communication on port 1123
    • Communicated periodically to the MS Hotmail service on port 25/tcp
  6. CASE 1 – LETHIC SPAMBOT

    Detection categories: Unsupervised Learning | Machine Behavior | Flow-based Detection | Discovery | Analysis | Other
    • Outlier: high number of communication peers & flows
    • SMTP permanent communication anomaly: communicated periodically to the MS Hotmail service on port 25/tcp
    • A new service on a host discovered
    • IDS rule matched (Lethic SpamBOT)
    • External DNS server, poor-reputation IPs
    • High external DNS traffic (normally 1-2 queries; reached 170)
  7. CASE 2 – ETERNAL BLUE

    A Device on the Observed Network:
    • Suddenly used a DNS tunnel and the TOR network together, exchanging one message
    • After 4 hours of waiting, it started opening port 445/tcp connections to multiple external hosts
    • Tried to use CVE-2017-0143 (exploit MS17-010) on the connected host
  8. CASE 2 – ETERNAL BLUE

    Detection categories: Unsupervised Learning | Machine Behavior | Flow-based Detection | Discovery | Analysis | Other
    • Outlier: high number of communication peers & flows
    • Network scan 445/tcp to the internet
    • Correlation rule matched: malware spreading to the internet
    • IDS rules matched: DNS tunnel, TOR
    • A day later, an updated IDS rule matched: Eternal Blue (based on CVE-2017-0143, exploit MS17-010)
  9. CASE 3 – WANNACRY

    A Device on the Observed Network:
    • Started opening port 445/tcp connections to multiple hosts, external and internal
    • Successfully used CVE-2017-0143 (exploit MS17-010) on another internal host immediately
    • The second device started exhibiting the same behavior
  10. CASE 3 – WANNACRY

    Detection categories: Unsupervised Learning | Machine Behavior | Flow-based Detection | Discovery | Analysis | Other
    • Outlier: high number of communication peers & flows
    • Network scan 445/tcp to the internal network and the internet
    • Correlation rule matched: malware spreading to the internal network
    • A day later, an updated IDS rule matched: WannaCry variant (CVE-2017-0143, exploit MS17-010)
  11. CASE 4 – SSH ATTACK

    Identified at a Perimeter Router:
    • A host in Canada tried consecutive IP addresses in the public range in an effort to open a session on port 22/tcp
    • Subsequently, a high number of connections via port 22/tcp to some hosts in the range were detected
  12. CASE 4 – SSH ATTACK

    Detection categories: Unsupervised Learning | Machine Behavior | Flow-based Detection | Discovery | Analysis | Other
    • SSH port sweep (22/tcp)
    • Brute-force SSH attack (22/tcp)
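The sweep-then-brute-force sequence of Case 4, and the 445/tcp sweeps of Cases 2 and 3, are the two textbook flow-based rules. The Python below is an added example (editor's code, not GreyCortex's and not from the deck) showing how both are computed from plain 5-tuple flow records: a port sweep is one source reaching many distinct destinations on one port; a brute-force attack is many short flows from one source to one destination:port. The Flow fields, the thresholds (20 targets, 30 attempts, 40 packets per flow) and the RFC 5737 sample addresses are all assumptions for the demo. It goes slightly beyond the slide by also scoring how "consecutive" the swept targets are, the detail that distinguishes a linear walk of a public range from a scattered scan.

```python
"""Flow-based detection of port sweeps and brute-force attempts.

Added example; not GreyCortex code. Input is NetFlow/IPFIX-style records.
Thresholds and the sample flows are assumptions chosen for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from statistics import mean


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start, seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int


def consecutive_fraction(addresses):
    """Share of sorted targets whose predecessor is the numerically adjacent IP.
    1.0 means a linear walk through the range, the Case 4 pattern."""
    ints = sorted(int(ip_address(a)) for a in addresses)
    if len(ints) < 2:
        return 0.0
    adjacent = sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1)
    return adjacent / (len(ints) - 1)


def detect_port_sweeps(flows, min_targets=20):
    """(src, dport, proto) triples that reach >= min_targets distinct destinations."""
    targets = defaultdict(set)
    for f in flows:
        targets[(f.src, f.dport, f.proto)].add(f.dst)
    hits = []
    for (src, dport, proto), dsts in targets.items():
        if len(dsts) >= min_targets:
            hits.append({"src": src, "dport": dport, "proto": proto,
                         "targets": len(dsts),
                         "consecutive": round(consecutive_fraction(dsts), 2)})
    return sorted(hits, key=lambda h: -h["targets"])


def detect_brute_force(flows, min_attempts=30, max_mean_packets=40):
    """Many short flows from one src to one dst:dport.
    Short = few packets per flow: the shape of a failed login, not a session."""
    per_target = defaultdict(list)
    for f in flows:
        per_target[(f.src, f.dst, f.dport)].append(f.packets)
    hits = []
    for (src, dst, dport), pk in per_target.items():
        if len(pk) >= min_attempts and mean(pk) <= max_mean_packets:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "attempts": len(pk), "mean_packets": round(mean(pk), 1)})
    return sorted(hits, key=lambda h: -h["attempts"])


def sample_flows():
    """Constructed flows in RFC 5737 documentation ranges, not real captures."""
    flows = []
    t = 1_520_000_000.0
    # Case 4 shape: one external host walks 203.0.113.1-40 on 22/tcp (SYN, RST)
    for i in range(1, 41):
        flows.append(Flow(t + i, "198.51.100.7", f"203.0.113.{i}", 22, "tcp", 3, 180))
    # ... then hammers the two hosts that answered
    for i in range(60):
        for dst in ("203.0.113.10", "203.0.113.11"):
            flows.append(Flow(t + 100 + i, "198.51.100.7", dst, 22, "tcp", 14, 1900))
    # Case 2 shape: an internal host probes 30 scattered internet hosts on 445/tcp
    for i in range(30):
        flows.append(Flow(t + 200 + i, "10.0.0.23", f"192.0.2.{i * 7 + 1}", 445, "tcp", 4, 240))
    # Benign: an admin's handful of long SSH sessions to one server
    for i in range(5):
        flows.append(Flow(t + 300 + i * 600, "10.0.0.5", "10.0.1.20", 22, "tcp", 1200, 260_000))
    return flows


if __name__ == "__main__":
    fl = sample_flows()
    for h in detect_port_sweeps(fl):
        print("SWEEP", h)
    for h in detect_brute_force(fl):
        print("BRUTE", h)
```

The brute-force count for 203.0.113.10 comes out at 61, not 60: the sweep's own probe of that host is counted too, which is exactly the correlation the speaker describes (sweep first, then concentrated connections to the hosts that answered). The admin's five long SSH sessions are not flagged because they are few and carry hundreds of packets each.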
  13. CASE 5 – UNKNOWN (YET) BOTNET

    A Device on an Internal Network:
    • Periodically attempts to communicate with blacklisted IP addresses on port 30303
  14. CASE 5 – UNKNOWN (YET) BOTNET

    Detection categories: Unsupervised Learning | Machine Behavior | Flow-based Detection | Discovery | Analysis | Other
    • Periodic repetitive communication on port 30303
    • Communication with a blacklisted IP
  15. CASE 6 – DOCUMENT LEAKAGE

    A Device on an Internal Network:
    • Exhibited an unusually high data transfer volume to an external network
  16. CASE 6 – DOCUMENT LEAKAGE

    Detection categories: Unsupervised Learning | Machine Behavior | Flow-based Detection | Discovery | Analysis | Other
    • Outlier: high volume of data transfer detected (Severity 7)
    • Outlier: high volume of data transfer detected (Severity 5)
    • L7 content analysis: file named Financial_Summary_Q1.pdf uploaded to www21.filehosting.org, a domain of Hetzner Online GmbH
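Cases 5 and 6 are the two per-host behaviours in the deck that need no signature: a strictly periodic channel to a poorly reputed destination, and an egress volume far above the population of peers. The Python below is an added example (editor's code, not GreyCortex's and not from the deck). Periodicity is scored with the coefficient of variation of the inter-arrival times; volume with the median/MAD modified z-score and the usual 3.5 cut-off, so that one huge upload cannot inflate its own baseline the way a mean/stdev z-score would. The INTERNAL prefix, the BLOCKLIST entry, the sample flows and all thresholds are constructed for the demo; the deck's Severity 5/7 numbers are the product's own scale and are not reproduced. The sample deliberately includes a legitimate NTP poll that is just as periodic as the beacon: periodicity alone is a lead, and in Case 5 it is the reputation enrichment that turns it into an alert.

```python
"""Per-host behavioural detections: periodic beaconing and egress volume outliers.

Added example; not GreyCortex code. All addresses, lists and thresholds
are constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, median, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start, seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    octets: int


INTERNAL = [ip_network("10.0.0.0/8")]          # assumed internal range
BLOCKLIST = {"198.51.100.200"}                 # constructed reputation list


def is_internal(addr):
    a = ip_address(addr)
    return any(a in n for n in INTERNAL)


def detect_periodic(flows, min_events=6, max_cv=0.1):
    """Beacon-like channels: >= min_events flows to one dst:dport whose
    inter-arrival times are nearly constant (coefficient of variation <= max_cv)."""
    series = defaultdict(list)
    for f in flows:
        series[(f.src, f.dst, f.dport)].append(f.ts)
    hits = []
    for (src, dst, dport), ts in series.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "period_s": round(m), "cv": round(cv, 3),
                         "blocklisted": dst in BLOCKLIST})
    return hits


def beacons_to_blocklist(flows):
    """The Case 5 combination: periodic AND to a blocklisted destination."""
    return [h for h in detect_periodic(flows) if h["blocklisted"]]


def detect_egress_outliers(flows, threshold=3.5):
    """Internal hosts whose bytes-to-external total is a robust outlier.
    Modified z-score = 0.6745 * (x - median) / MAD; 3.5 is the customary cut-off."""
    egress = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            egress[f.src] += f.octets
    vals = list(egress.values())
    if len(vals) < 3:
        return []
    med = median(vals)
    mad = median(abs(v - med) for v in vals)
    if mad == 0:
        return []                              # degenerate population, no baseline
    hits = []
    for src, total in egress.items():
        score = 0.6745 * (total - med) / mad
        if score >= threshold:
            hits.append({"src": src, "bytes": total, "score": round(score, 1)})
    return sorted(hits, key=lambda h: -h["score"])


def sample_flows():
    """Constructed flows in RFC 5737 / RFC 1918 ranges, not real captures."""
    flows = []
    t = 1_520_000_000.0
    MB = 1_000_000
    # Baseline: ten workstations with ordinary daily egress of 60-150 MB
    for i in range(1, 11):
        flows.append(Flow(t, f"10.0.0.{i}", "203.0.113.50", 443, (50 + 10 * i) * MB))
    # Case 6 shape: one host pushes 9 GB to an external file-hosting site
    flows.append(Flow(t + 3600, "10.0.0.42", "203.0.113.80", 443, 9_000 * MB))
    # Case 5 shape: tiny beacon every 10 minutes (+0-2 s jitter) to a blocklisted host on 30303
    for i in range(12):
        flows.append(Flow(t + 600 * i + (i % 3), "10.0.0.17", "198.51.100.200", 30303, 400))
    # Legitimate periodic traffic: an internal NTP poll every 64 s
    for i in range(10):
        flows.append(Flow(t + 64 * i, "10.0.0.5", "10.0.1.1", 123, 90))
    # Irregular interactive browsing, should not look periodic
    for off in (0, 35, 900, 1000, 4000, 4100, 7000, 7020):
        flows.append(Flow(t + off, "10.0.0.5", "203.0.113.9", 443, 120_000))
    return flows


if __name__ == "__main__":
    fl = sample_flows()
    for h in detect_periodic(fl):
        print("PERIODIC", h)
    for h in detect_egress_outliers(fl):
        print("EGRESS OUTLIER", h)
```

With the sample data the median egress is 100 MB and the MAD 30 MB, so the 9 GB host scores about 200 while the busiest normal workstation scores about 1.1. Both the beacon and the NTP poll come back from detect_periodic; only the beacon survives beacons_to_blocklist.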
  17. CASE 7 – ALL TOGETHER

    Unsupervised Learning: outliers in data, flows, packets, peers, hosts, ports, performance; Bayesian Expectation Maximization; Gaussian Mixture Models
    Machine Behavior: repetitive periodic connections or checks
    Flow-based Rules: port scan, port sweep, brute-force, dictionary attacks, data enumeration, DoS, DDoS
    Discovery: detection of new or lost/unreachable services, devices (IP, MAC, hostname), gateways, VLANs, subnets; detection of changed/duplicated hostname/IP/MAC, changed VLAN, …
    Analysis: event correlation; L7 content analysis (DPI); tunneled and encrypted data inspection
    Other: IDS in the internal network, all rules active (45k+)
  18. “BONUS” – CAUTIONARY TALES

    Ministry “Outer System” E-mail Server Provided Mailbox Access:
    • To IP addresses of Tor endpoints and to a server hosting the PhpBB forum “СуперМамочки Нижнекамска” (“Super Moms of Nizhnekamsk”; static.7.236.46.78.clients.your-server.de, Hetzner Online GmbH)
    • 170 accounts/users compromised, unnoticed for almost a year
    • More than 7100 documents stolen
    • The attacker “basically maintained undisturbed access to any of the email accounts”
    • “Strategic advantage” gained?

    Vulnerable Network at a Political Organization:
    • Multiple intrusions by different organizations (2015, 2016)
    • Unnoticed for almost a year
    • Internal strategy documents, emails, and possibly donor lists stolen

    Spear-Phishing Attack on a Campaign Manager:
    • Fake security alert/log-in page
    • Identified as “legitimate” by the security team (or not)
    • Secret to creamy risotto
  19. “BONUS” CASE – FINDINGS, VERDICT

    Findings
    • Weak or leaked account passwords (“admin5”) and single-factor authentication, even for privileged accounts
    • Use of private accounts for work, prone to social engineering, etc.
    • No proper evaluation of operations data in place, no insight

    Verdict
    • Always watch what happens in your network, use the right tools!
    • Do not trust administrators, they have too much power!
    • And … GOTTA CATCH ‘EM ALL.
  21. THANK YOU FOR YOUR ATTENTION!

    GreyCortex s.r.o., Purkyňova 127, 612 00 Brno
    Vladimír Sedláček, [email protected], +420 511 205 388
    www.greycortex.com | twitter.com/greycortex | linkedin.com/company/greycortex