The document discusses emerging cybersecurity threats and the Cisco Talos threat intelligence team. It provides examples of recent threats like Angler exploit kit campaigns, CryptoWall ransomware versions, and the SamSam ransomware targeting hospitals. Talos uses a multi-tiered approach with over 250 researchers and global data from over a billion daily events to provide threat intelligence that protects Cisco security products.

1. Cisco Confiden+al © 2015 Cisco and/or its affiliates. All rights reserved. 1
Emerging Threats –
The State of Cyber Security
Senior Threat Researcher
May 2016
Earl Carter / @kungchiu

2. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
House Keeping Notes
Thank you for attending Cisco Connect Toronto 2016, here are a few housekeeping
notes to ensure we all enjoy the session today.
Please ensure your
cellphones / laptops
are set on silent to
ensure no one is
disturbed during the
session
A power bar is
available at the back of
the room

3. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
Earl Carter (@kungchiu)
Senior Threat Researcher / Security Outreach

4. Insights on Emerging Threats

5. THREAT LANDSCAPE
The number of
CVE Entries in
2016 so far is
2128
6453
7903
18% Decrease in
CVE Entries from
2014 to 2015
2011 2012 2013 2014 2015

6. THREAT LANDSCAPE
1.5 Million

7. THREAT LANDSCAPE

8. THREAT LANDSCAPE
19.7 Billion
7.2Trillion
TOTAL THREAT BLOCKS
181 Million Spyware Blocks
82 Thousand Virus Blocks
818 Million Web Blocks
DAILY WEB BREAKDOWN

9. THREAT LANDSCAPE
19.7 Billion

10. THREATS DON’T GO AWAY,
HOW DO WE ADDRESS IT?

11. Cloud to Core
Visibility web requests a day
16 BILLION
email messages a day
600 BILLIONEndpoint malware
queries a day
18.5 BILLION

12. TALOS PRODUCTS & INTELLIGENCE
Talos is the backbone for all Cisco Security Products and Services.
P R O D U C T S
D E T E C T I O N S E R V I C E S
Email
ESA | ClamAV
SpamCop
SenderBase
Email Reputation
Malware
Protection
URL, Domain, IP
Reputation
Phishing
Protection
Spoof & Spam
Detection
Open Source
Snort Rules
ClamAV Sigs
ClamAV
Vulnerability
Protection
Malware
Protection
Policy & Control
End Point
AMP
ClamAV
Cloud & End
Point IOCs
Malware
Protection
IP Reputation
Cloud
CWS
CES
OpenDNS
URL, Domain, IP
Reputation
Malware
Protection
AVC
Web
WSA
CWS
URL, Domain, IP
Reputation
Malware
Protection
AVC
Network
FirePower/ASA
ISR
Meraki
Policy & Control
Malware
Protection
URL, Domain, IP
Reputation
Vulnerability
Protection
Services
ATA
IR
Cloud & End
Point IOCs
Malware
Protection
URL, Domain, IP
Reputation
Vulnerability
Protection
Custom
Protection
Intelligence
ThreatGrid
Cloud & End
Point IOCs
Malware
Protection
URL, Domain, IP
Reputation
Network
Protection

13. MULTI-TIERED DEFENSE
Talos is divided into 5 departments

14. Open Source
Public Facing Tools
• Threat detection and
prevention: Snort, ClamAV,
Razorback, & Daemonlogger
• Vulnerability detection and
mitigation: Moflow, FreeSentry

15. Open Intelligence

16. TALOS IN THE NEWS

18. LEADING THREAT INTELLIGENCE
• Talos discovered email campaign
• Began shortly after Windows 10
release
Windows 10 Spam

19. Payload: CTB-Locker Ransomware

20. LEADING THREAT INTELLIGENCE
Windows 10 Spam
• Talos is a key differentiator
• Unparalleled visibility
• Quick and effective detection &
response

21. Simple But Effective
Resume Spam Campaign
• Pretends to be employee resume
• Short-lived and Effective
• Includes Zip file attachment

22. The Infection Chain

23. Tax Scams Gone International

24. Overview
• 9 Different Countries
• English & 3 Other Languages
• Occurring year round
• ARacks
• HTML Forms & Malicious ARachments
• Links to Malicious Sites
Tax Scams Gone International

25. One Campaign Spanning 3 Countries
US, UK & Canada

26. Common Subjects
Claim your tax refund
You are eligible to receive a tax refund
Tax Refund No+fica+on Australian Taxa+on Office tax refund confirma+on!
Tax Refund New Message Alert!
Tax Refund (Ref # 782167) - $687.00 CDN
Tax Refund (Ref # 782167) 687.00 GBP
Tax Refund (Ref# 782167) $687.00 USD
Tilbagebetaling af skat - DKK 7122,00
SkaReåterbäring: 6120.20 SEK
Rimborso fiscale per 2014-2015

27. Interesting IRS Twists
IRS Forgiving Debt?
Your Iden+ty was Stolen

28. Impersonating Tax Seminars
IRS: Tax and Payroll Updates for 2016
Reminder: Annual Tax Update
Handling Federal and State Tax Levies With Ease. Register Now!
Sample Subjects

29. LEADING THREAT INTELLIGENCE
SSHPsychos
• Brute Force SSH Attacks until
password guess
• 300K Unique Passwords
• Login from different address
space
• Drop DDoS Rootkit on server
• Accounted for 1/3 of all SSH
Traffic ON THE INTERNET
SSH Brute Force Attempts

30. LEADING THREAT INTELLIGENCE
SSHPsychos
ACTION TAKEN:
• Engaged Level 3…
and other providers
• Sudden Pivot
• Null Routed
• Call to Action
• Effectively Limited

31. VICTORY
Aper Ac+on
• Multiple Pivots
• Continuous Blocks
• Group Effort
• Eventually They
Stopped

32. Drive-by Download Attacks
• The act of downloading something unintentionally,
usually malicious
• No need to click to download
• Malvertising is a common vector

33. Malvertising
• Content varies by system
• Content varies by user
• Content varies by visit

34. Lots of Noise
CNN
26 Domains
39 Hosts
171 Objects
557 Connec+ons

35. Spin to Win…Malware

36. Spin to Win…Malware

37. Hidden in the code

38. Use Case

39. 404 OK Malware

40. Summary
• Malver+sing is literally everywhere
• Big aRack vector for Exploit Kits
• Ensures lots of vic+ms from largely random sites
• Sites are star+ng to require Ad Block be Turned off
• Malver+sing as a Service (MaaS) is likely to be
growing in the rest of 2016 and beyond

41. Angler Evolution

42. Attacker Innovation
• Angler is the most successful exploit kit
• Demonstrates continued innovation
• New Functionality Quickly Spreads
– Exploit kits competing for business
• Exploits kits get overlooked as a sophisticated threat

43. Importance of Patching
Angler Exploit
Vulnerability
User Activity
Update Published
Version
15.0.0.246
16.0.0.235
16.0.0.257
16.0.0.287
16.0.0.296
16.0.0.305
17.0.0.134
17.0.0.169
17.0.0.188
CVE-2015-0310
CVE-2015-0313
CVE-2015-0336
CVE-2015-0359
CVE-2015-0390
1 FEB 1 MAR 1 APR 1 MAY 1 JUN

44. What is an exploit kit?
• A software package designed to exploit vulnerable
browsers and plugins
• Blackhole was the first major exploit kit

45. Monetization of Hacking
There are three main payload types:
• Ransomware
• Cryptowall, Teslacrypt
• Click-fraud agents
• Bedep
• Miscellaneous
• trojans, keyloggers, spyware

46. Detection Challenges
• Hashes
• Found 3,000+ Unique Hashes
• 6% in VT
• Most detec+on <10
• Encrypted Payloads
• Using Diffie Helman Encryp+on for IE Exploit
• Unique to each user
• Domain Behavior
• DDNS
• Domain Shadowing
• Adversary Owned Domains
• Hard Coded IP

47. Unique Referers
Unique Referers By Day July 2015

48. Unique IP Addresses Per Day

49. IP Address / ASN Relationship
Angler HTTP Requests by Provider July 2015

50. Shutting Down Angler
• Partnered with Limestone Networks
• Examine Angler traffic
• Level-3
• Con+nued collabora+on aper SSHPsychos
• Proxy Server Configura+on
• Health Monitoring

51. The Backend Infrastructure

52. Angler Victims

53. Potential Revenue
To play with the numbers, please visit:
hRp://talosintel.com/angler-exposed/

54. Angler Exploit Kit Evolves Again
• Parameter Changes:
• New Gate
• Registered Domains
Jan 2016

55. URL Changes
Jan 2016
Old Format
New Format

56. New Gate

57. New Gate

58. Utilizing Free Domains

59. New Actor

60. Angler Catches Victims Using Spam
• Impersona+ng 900+ Companies
• Order Confirma+on Emails
May 2016

61. Recent Development - Angler Spam

62. The Redirection

63. Summary
• Angler Continues to Evolve
• Other Exploit Kits Quickly Follow Suit
• Detection must Evolve to Keep Pace
• Collaboration Provides Greater Visibility
• Exploit Kits Industrialized – Big Money

64. Nuclear Exploit Kit- Hitting 150+ Countries

65. Nuclear Details

66. A Gate Like Any Other

67. From the Gate to the Kit

68. Tor All the Things
New Payload to Avoid C&C Detec+on

69. Summary
• Started looking and found majority of ac+vity at one provider
• Worked with Digital Ocean to Expose Ac+vity
• Found majority of traffic outside of US
• Lots of Adult/Pornographic sites involved in campaign
• 150+ Countries involved
• Health Monitoring Found
• Virtually no logging on proxy server
• Coverage Developed for back-end communica+on
• Tor as a payload is new and could become more common as visibility
con+nues to increase around these types of threats
• Gates and 302 Cushioning are being used heavily

70. CryptoWall Version 4
The Evolution Continues

71. Overview
• Notorious ransomware
• Version 1 first seen in 2014
• Distributed via Exploitkits and Phishing Emails
• Fast Evolu+on
CRYPTOWALL 4.0

72. File Encryption
Temp.
AES256
key 15/10/07 12:39 <DIR> .
15/10/07 12:39 <DIR> ..
15/10/07 12:36 78,971 1.jpg
15/10/07 12:39 154,330 2.jpg
15/10/07 12:36 123,240 3.jpg
…
1.jpg
RSA public
key
random.xyz
Encrypted
AES256 key
Other data
Encrypted
1.jpg
Temporary AES key can only be decrypted with the private RSA key

73. Network Communication
Ini+al announcement to C2
C2 Server ACK
Send PubKey, TOR domains, PNG wallpaper
Request PubKey, TOR domains, PNG wallpaper
Opera+on successful. Files encrypted. Done.
Verify PubKey and start encryp+ng files ….
CryptoWall Malware
Command and Control Server
C2 Server ACK

74. Excluded Local Regions
• CryptoWall 4 checks local region seyngs with an
undocumented API Call
• Following regions are excluded from infec+ons:
• Russian
• Kazakh
• Ukrainian
• Uzbek
• Belarusian
• Azeri
• Armenian
• … other Eastern Europe countries

75. Excluded Dir/Files/Ext
Extensions:
exe, dll, pif, scr, sys, msi, msp, com, hta, cpl, msc, bat, cmd, scf
Directories:
windows, temp, cache, sample pictures, default pictures, Sample Music,
program files, program files (x86), games, sample videos,
user account pictures, packages
Files:
help_your_files.txt, help_your_files.html, help_your_files.png,
thumbs.db

76. Victims View – Full Localization

77. Detailed Instructions

78. SamSam: The Doctor Will See You,
After He Pays The Ransom

79. Sam Sam Targets Healthcare
• Exploits Jboss Vulnerability
• Moves Laterally
• Targeted Across Organiza+on
• Used recently against mul+ple hospitals

80. Communicating with Threat Actors

81. Payment Process

82. Payment Evolution

83. Summary
• Exploi+ng Network Vulnerabili+es
• JBoss
• Laterally targets mul+ple systems
• Payment is in Bitcoin
• Obtain Private Key via Blog Comment

84. Threat: JBoss Server Backdoors

85. Changes in the Threat Landscape
• Vulnerable JBoss servers are being used as an attack
vector

86. Web Shells!
• Web shells are a major
security concern and are
an indicator of
compromise!
• If a web shell has been
installed on a server, take
immediate steps to
remediate the issue

87. Follett Destiny

88. Summary
• Patch your systems
• If you find you’ve been compromised, take steps to
remediate and remove any backdoors

89. 250+
Full Time Threat
Intel Researchers
MILLIONS
Of Telemetry
Agents
4
Global Data
Centers
1100
Threat Traps
Over 100
Threat Intelligence
Partners
THREAT INTEL
1.5 MILLION
Daily Malware
Samples
600 BILLION
Daily Email
Messages
16 BILLION
Daily Web
Requests
Honeypots
Open Source
Communities
Vulnerability
Discovery (Internal)
Telemetry
Internet-Wide
Scanning
INTEL SHARING
Aspis
Crete
AEGIS
3rd Party Programs
(MAPP)
ISACs
TALOS INTEL BREAKDOWN

90. talosintelligence.com
@talossecurity
@kungchiu