A Talos Look into the Evolving Threat Landscape Earl Carter Senior Threat Researcher

Post on 17-Jun-2020

3 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: A Talos Look into the Evolving Threat Landscape · A Talos Look into the Evolving Threat Landscape Earl Carter Senior Threat Researcher. Today’s Plan • Threat Landscape • Attack

A Talos Look into the Evolving Threat Landscape

Earl Carter, Senior Threat Researcher

Page 2

Today's Plan

• Threat Landscape
• Attack Techniques
  – An Unexpected Attack Vector
  – Self-Propagation (Worms)
  – Attacking Trust
• Talos Threat Intelligence

Page 3

THREAT LANDSCAPE - VULNERABILITIES

Low Hanging Fruit on Decline

25%
• Network Accessible
• Low Complexity
• No Authorization
• High Severity

[Chart: Low Hanging Fruit on Decline, 2005–2017, y-axis 0–60%. 60% Reduction.]

Page 4

Common Attack Vectors

Users

Unpatched Vulnerabilities

IoT

Page 5

Data is the New Target

Page 6

An Attack Vector In Plain Sight

Page 7

Covert Channels and Poor Decisions: The Tale of DNSMessenger

Page 8

Multi Stage

Stage 1 → Stage 2 → Stage 3 → Stage 4

PowerShell to Gain Persistence

PowerShell to Launch C&C

Page 9

Stage 4 – DNS Messages

SYN Query

Message Query

Page 10

Spoofed SEC Emails Distribute Evolved DNSMessenger

Page 11

Spoofed SEC Emails

• Targeted spear phishing campaign.

• Spoofed from SEC EDGAR system and contained malicious attachment.

Page 12

DNSMessenger – Stage 4

• Functions as a Remote Access Trojan (RAT) that is implemented using PowerShell.

• Uses DNS for command retrieval from C2.
  – Sample domain: EFA29DD310.stage.0.ns0.pw

• POSTs data to the attacker's server via HTTP.

• Can be used to execute a variety of commands on infected systems.
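As an added example, not from the deck or from Talos, the Python below is a small detector run over constructed DNS query log lines. It groups queries by registered domain and flags a domain when its leftmost labels are long hexadecimal strings, as in the sample domain above, several distinct such subdomains appear, and every query to it is a TXT lookup. The log format, the thresholds, the TXT query type and every domain other than ns0.pw are assumptions of the example.

```python
"""Flag DNS queries whose subdomain labels look like encoded C2 traffic.

Added example, not Talos detection content.  Heuristics (assumptions):
  * the leftmost label is long, purely hexadecimal and not repetitive,
  * one registered domain receives several distinct such subdomains,
  * every query to that domain is a TXT lookup.
"""
import math
import re
from collections import defaultdict

HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")

# Constructed sample log: "<epoch> <client_ip> <qname> <qtype>".
# Only ns0.pw comes from the deck; the other names are made up.
SAMPLE_LOG = """\
1507000000 10.0.0.5 www.example.com A
1507000001 10.0.0.5 EFA29DD310.stage.0.ns0.pw TXT
1507000003 10.0.0.5 EFA29DD310.stage.1.ns0.pw TXT
1507000005 10.0.0.5 7B1C0A9F22.stage.2.ns0.pw TXT
1507000007 10.0.0.5 7B1C0A9F22.stage.3.ns0.pw TXT
1507000009 10.0.0.7 mail.example.com MX
1507000010 10.0.0.7 cdn.example.net A
"""


def parse_log(text):
    """Parse the constructed log lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.rstrip(".").lower(),
                        "qtype": qtype.upper()})
    return records


def registered_domain(qname):
    """Naive eTLD+1 (last two labels); a real tool would use the PSL."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def label_features(qname):
    """Features of the leftmost label, the part an encoder would fill."""
    first = qname.lower().split(".")[0]
    return {"length": len(first),
            "is_hex": bool(HEX_LABEL.match(first)),
            "entropy": round(shannon_entropy(first), 2)}


def find_suspicious_domains(text, min_distinct=3, min_len=8, min_entropy=2.0):
    """Return {registered_domain: [reasons]} for domains that look like DNS C2."""
    by_domain = defaultdict(list)
    for rec in parse_log(text):
        by_domain[registered_domain(rec["qname"])].append(rec)

    flagged = {}
    for domain, recs in by_domain.items():
        names = {r["qname"] for r in recs}
        feats = [label_features(r["qname"]) for r in recs]
        # Every query carries a long, high-entropy hex label.
        all_encoded = all(f["is_hex"] and f["length"] >= min_len
                          and f["entropy"] >= min_entropy for f in feats)
        txt_only = all(r["qtype"] == "TXT" for r in recs)
        reasons = []
        if len(names) >= min_distinct and all_encoded:
            reasons.append(f"{len(names)} distinct hex-labelled subdomains")
        if txt_only and len(recs) >= min_distinct:
            reasons.append("every query is a TXT lookup")
        if reasons:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, why in find_suspicious_domains(SAMPLE_LOG).items():
        print(domain, "->", "; ".join(why))
```

On the sample lines only ns0.pw is flagged, for both reasons; www/mail lookups under example.com have short dictionary labels and mixed query types, so they pass. In production the registered-domain step should use the Public Suffix List, and the thresholds should be tuned against a baseline of the network's own legitimate TXT traffic (SPF, DKIM, DMARC lookups are frequent and benign).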

Page 13

2017 – Attack of the Worms

Page 14

Remember

1988 Morris Worm (Sendmail, finger, rsh)

2001 Code Red Worm (IIS)

2003 Blaster Worm (RPC)

2008 Conficker Worm (RPC, NetBIOS)

Page 15

And Then (May 2017) - WannaCry (SMB)

Page 16

WannaCry Propagation

Page 17

Next Evolution (June 2017) - Nyetya

Page 18

Nyetya Propagation

• ETERNALBLUE
• ETERNALROMANCE
• Scans IP subnet, 139 TCP
• Perfc.dat / PSEXEC
• WMI

Page 19

October 2017 – Bad Rabbit

Page 20

Propagation

• NTLMSSP brute forcing
• Scans IP subnet, 139 TCP
• infpub.dat – SMB/SMB2/SVCCTL
• WMI
• ETERNALROMANCE
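Both propagation slides above, Nyetya and Bad Rabbit, begin with the same step: a scan of the local IP subnet on TCP 139 before any exploit or credential use. As an added example, not from the deck or from Talos, the Python below runs a per-source fan-out count over constructed connection records and flags a host that reaches many distinct peers on 139 or 445 inside a short window. The record layout, the 60-second window and the threshold of 8 peers are assumptions; port 445 is included because SMB is also served there.

```python
"""Detect subnet sweeps on the SMB ports from connection records.

Added example (not from the Talos deck): a sliding-window count of distinct
destinations per source host, restricted to TCP 139/445.  A worm sweeping a
/24 lights this up within seconds; a file server talking to a few clients
does not.
"""
from collections import defaultdict, deque

SMB_PORTS = {139, 445}

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, proto).
SAMPLE_FLOWS = [
    # one host walking its subnet on 139/445, ten peers in five seconds
    (1498500000, "10.1.1.20", "10.1.1.1", 139, "tcp"),
    (1498500000, "10.1.1.20", "10.1.1.2", 139, "tcp"),
    (1498500001, "10.1.1.20", "10.1.1.3", 139, "tcp"),
    (1498500001, "10.1.1.20", "10.1.1.4", 445, "tcp"),
    (1498500002, "10.1.1.20", "10.1.1.5", 139, "tcp"),
    (1498500002, "10.1.1.20", "10.1.1.6", 139, "tcp"),
    (1498500003, "10.1.1.20", "10.1.1.7", 139, "tcp"),
    (1498500003, "10.1.1.20", "10.1.1.8", 139, "tcp"),
    (1498500004, "10.1.1.20", "10.1.1.9", 139, "tcp"),
    (1498500004, "10.1.1.20", "10.1.1.10", 139, "tcp"),
    # a file server legitimately talks SMB to a handful of clients
    (1498500000, "10.1.1.50", "10.1.1.20", 445, "tcp"),
    (1498500030, "10.1.1.50", "10.1.1.21", 445, "tcp"),
    (1498500060, "10.1.1.50", "10.1.1.22", 445, "tcp"),
    # ordinary web traffic, out of scope for this rule
    (1498500001, "10.1.1.21", "93.184.216.34", 443, "tcp"),
]


def smb_fanout_alerts(flows, window=60, threshold=8):
    """Return {src_ip: (window_start_ts, distinct_dsts)} for every source that
    contacted at least `threshold` distinct hosts on 139/445 within `window`
    seconds.  Only the first crossing per source is reported."""
    alerts = {}
    recent = defaultdict(deque)  # src -> deque of (ts, dst) still inside the window
    for ts, src, dst, port, proto in sorted(flows):
        if proto != "tcp" or port not in SMB_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop records that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], len(distinct))
    return alerts


def scanned_hosts(flows, src_ip):
    """List the SMB-port destinations a given source touched, in order seen."""
    seen = []
    for ts, src, dst, port, proto in sorted(flows):
        if src == src_ip and proto == "tcp" and port in SMB_PORTS and dst not in seen:
            seen.append(dst)
    return seen


if __name__ == "__main__":
    for src, (start, n) in smb_fanout_alerts(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct SMB peers since {start}")
        print("  targets:", ", ".join(scanned_hosts(SAMPLE_FLOWS, src)))
```

Only 10.1.1.20 is reported; the file server stays under the threshold. The alert is a starting point for the next checks a responder would make on that host: new service installs or WMI process creation on the scanned peers, and a dropped file such as the ones named on the slides.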

Page 21

February 2018 – Olympic Destroyer

Page 22

Olympic Destroyer Propagation

Eternal Romance Artifacts – No execution

Page 23

Olympic Destroyer Workflow

Page 24

Supply Chain Attacks: Exploiting Trust Relationships

Page 25

Supply Chain Backdoor

[Diagram: Source Code (</>) → Hidden Backdoor integrated → Distributed → Installed or updated on Victim → Communicates with CnC → Installs Final Payload]

Page 26

Nyetya “Ransomware” Attack

Page 27

M.e.Doc Connection

Page 28

Restoring Connections

Page 29

The Backdoor

• Contacts upd.me-doc.com.ua every 2 mins
• If it finds a proxy:
  – Retrieve email data from local me-doc
  – Wait for & execute commands

These commands were almost certainly used to distribute Nyetya.
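A fixed two-minute check-in like the one described above leaves a very regular trace in a web proxy log, which is where this traffic lands when the backdoor finds a proxy. As an added example, not from the deck or from Talos, the Python below computes inter-arrival times per client/host pair over constructed proxy log lines and flags pairs whose gaps cluster tightly around one value. The log format, the thresholds and every host other than upd.me-doc.com.ua are assumptions of the example.

```python
"""Spot fixed-interval beaconing in proxy log lines.

Added example, not from the Talos deck.  For each (client, host) pair we
take the gaps between consecutive requests and flag the pair when there are
enough gaps and their coefficient of variation (stdev / mean) is small, i.e.
the client calls home on a timer rather than when a person clicks.
"""
import statistics
from collections import defaultdict

# Constructed proxy log: "<epoch> <client_ip> <method> <host> <status>".
# Only upd.me-doc.com.ua comes from the deck; timestamps and other hosts are made up.
SAMPLE_PROXY_LOG = """\
1498470000 10.2.0.15 GET upd.me-doc.com.ua 200
1498470120 10.2.0.15 GET upd.me-doc.com.ua 200
1498470240 10.2.0.15 GET upd.me-doc.com.ua 200
1498470361 10.2.0.15 GET upd.me-doc.com.ua 200
1498470480 10.2.0.15 GET upd.me-doc.com.ua 200
1498470600 10.2.0.15 GET upd.me-doc.com.ua 200
1498470005 10.2.0.15 GET news.example.org 200
1498470077 10.2.0.15 GET news.example.org 200
1498470400 10.2.0.15 GET news.example.org 200
1498470900 10.2.0.15 GET news.example.org 200
1498470010 10.2.0.16 GET cdn.example.net 200
1498470500 10.2.0.16 GET cdn.example.net 200
"""


def parse_proxy_log(text):
    """Return (epoch, client, host) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, _method, host, _status = parts
        rows.append((int(ts), client, host.lower()))
    return rows


def interval_stats(timestamps):
    """Mean and coefficient of variation of the gaps between sorted timestamps.

    Returns None when there are fewer than two gaps (nothing to compare)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return {"n": len(gaps), "mean": mean, "cv": cv}


def find_beacons(text, min_gaps=4, max_cv=0.1):
    """Return {(client, host): mean_gap_seconds} for regular-cadence contacts."""
    seen = defaultdict(list)
    for ts, client, host in parse_proxy_log(text):
        seen[(client, host)].append(ts)

    beacons = {}
    for key, stamps in seen.items():
        st = interval_stats(stamps)
        if st and st["n"] >= min_gaps and st["cv"] <= max_cv:
            beacons[key] = round(st["mean"])
    return beacons


if __name__ == "__main__":
    for (client, host), gap in find_beacons(SAMPLE_PROXY_LOG).items():
        print(f"{client} -> {host}: every {gap}s")
```

On the sample, the me-doc pair is reported at a 120-second cadence even with a one-second jitter in one gap, while the browsing to news.example.org has irregular gaps and the CDN pair has too few requests to judge. Malware that adds random jitter raises the coefficient of variation, so the threshold is a trade-off against missed beacons; pairing this with a check on the host's reputation or on the legitimacy of the software's own update schedule keeps it from flagging every genuine updater.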

Page 30

CCleanup: A Vast Number of Machines at Risk

CCleaner Command and Control Causes Concern

Page 31

Digital Signature of CCleaner 5.33
• presence of a valid digital signature may be indicative of a larger issue that resulted in portions of the development or signing process being compromised
• this certificate should be revoked and untrusted moving forward

Compilation Artifact
• likely an attacker compromised a portion of the development or build environment
• leveraged access to insert malware into the CCleaner build that was released and hosted by the organization

Page 32

Data Collected on Infected Systems

Installed Programs

Process List

Page 33

Targeted to Tech Companies

2nd Stage only delivered to 23 specific domains

Database Tracked 2nd Stage Delivery

No Cisco Devices Delivered 2nd Stage

Page 34

TALOS INTEL BREAKDOWN

THREAT INTEL
• 250+ Full Time Threat Intel Researchers
• Millions of Telemetry Agents
• 4 Global Data Centers
• 1100+ Threat Traps
• 100+ Threat Intelligence Partners
• 1.5 Million Daily Malware Samples
• 600 Billion Daily Email Messages
• 16 Billion Daily Web Requests
• 20 Billion Threats Blocked
• Honeypots
• Open Source Communities
• Vulnerability Discovery (Internal)
• Product Telemetry
• Internet-Wide Scanning

INTEL SHARING
• Customer Data Sharing Programs
• Service Provider Coordination Program
• Open Source Intel Sharing
• 3rd Party Programs (MAPP)
• Industry Sharing Partnerships (ISACs)
• 500+ Participants

Page 35

MULTI-TIERED DEFENSE

Cloud to Core Coverage
• WEB: Reputation, URL Filtering, AVC
• END POINT: Software – ClamAV, Razorback, Moflow
• CLOUD: FireAMP & ClamAV detection content
• EMAIL: Reputation, AntiSpam, Outbreak Filters
• NETWORK: Snort Subscription Rule Set, VDB – FireSIGHT Updates & Content, SEU/SRU Product Detection & Prevention Content
• Global Threat Intelligence Updates

Page 36

talosintelligence.com

@talossecurity

@kungchiu