Recommended
Recommended
More Related Content
What's hot
What's hot (18)
Similar to Understanding Malware Lateral Spread Used in High Value Attacks
Similar to Understanding Malware Lateral Spread Used in High Value Attacks (20)
More from Cyphort
More from Cyphort (12)
Recently uploaded
Recently uploaded (20)
Understanding Malware Lateral Spread Used in High Value Attacks
- 2. Understanding Malware Lateral Spread Used in High Value Attacks NICK BILOGORSKIY @belogor
- 3. Agenda o What is Lateral Spread o Examples of Lateral malware o Countermeasures o Wrap-up and Q&A CyphortLabsT-shirt
- 4. House Keeping • You are on mute • Enter questions • Resource list • Can order t-shirt • Suggestions for MMW
- 5. Your Speaker Today Nick Bilogorskiy @belogor Director of Security Research
- 6. Threat Monitoring & Research team ________ 24X7 monitoring for malware events ________ Assist customers with their Forensics and Incident Response We enhance malware detection accuracy ________ False positives/negatives ________ Deep-dive research We work with the security ecosystem ________ Contribute to and learn from malware KB ________ Best of 3rd Party threat data
- 7. What is Lateral Spread Lateral Spread is the movement of malware within the same network. It is also called east-west movement as opposed to north-south movement.
- 8. Malware Kill Chain Kill Chain Progression Exploit InstallDownload C&C Lateral Activity Data Exfiltration
- 9. Stages Stage 1 Reconnaissance • Network hierarchy • Services used in servers • Operating systems • Check host naming conventions • Use netstat tool, port scanning Stage 2 Stealing Credentials • Use keyloggers • pwdump tool, mapiget, lslsass, WCE tools • Brute force attacks - guessing passwords • Look for credentials for systems, servers, switches Stage 3 Infiltrating Other Computers • Remotely access desktops and blend in with regular IT support staff • PsExec and WMI tools
- 10. Lateral malware Lateral Malware Case Studies Diagram source: trendmicro.com
- 11. Why is it important? Breaches go undetected for six to eight months Diagram source: cisco.com
- 13. Shamoon Shamoon - August 2012 o Shamoon rendered up to 30,000 computers inoperable at Saudi Aramco, the national oil company of Saudi Arabia. o Credit claimed by Cutting Sword of Justice
- 14. Shamoon o Installs itself as a service o Connects home every 5 mins to send stolen data o Spreads to other Windows hosts via SMB o Uses dictionary of passwords to drop a copy of itself to ADMIN$ network share.
- 15. Remember the Sony Breach? Case Studies
- 16. What was stolen and leaked? In a word, everything! Personal data on employees Movies and Scripts Performance reports and salary information Source code, Private keys, passwords, certificates Production schedules, Box office projections Executives email correspondence Brad Pitt phone number! and more..
- 17. Destover Workflow Diagram 17 ATTACKER Spreads via SMB port 445Destover Command and Control Servers Drops WIPER DROPPER -w Webserver -d Disk Driver Drops Disk Wiper
- 18. Wiper Switches The module can be executed with many parameters: switch description -i Install itself as a service -k Remove the service -d Start file wipe module -s Mount remote shares with hardcoded passwords and delete files from them -m Drop Eldos Software RawDisk kernel driver to wipe MBR -a Start anti-AV module -w Drop and execute webserver to show the ransom message
- 19. -w Warning o Drops a decrypted from resource section webserver o Runs on the infected machine with the only purpose of showing the user this ransom message
- 20. -d Delete o Sends string of “AAAAA”s in a loop to the Eldos driver requesting it to write directly to the hard disk. o Deletes all files in the system except the files with extension exe and dll o Known to wipe out network drives
- 21. Dridex Aka Cridex, Bugat Financial Trojan
- 22. Dridex Trojan o First seen: Nov 2014 o Target: North American and European Banks o Distribution: Spam mails with Word Documents, o Infected Users: about 29,000 (Symantec)
- 23. Conficker o Devastating worm that infected over 15 million computers through MS08-067, file shares and removal media o Microsoft disabled autorun in response to this worm 15 million computers infected through MS08-067, file shares and removal media
- 24. Stuxnet o Spread using 0-day exploits and network file shares o Disabled 1000 Iran's nuclear centrifuges in 2009
- 25. Remember the Target Breach? Case Studies
- 26. Target Breach Malware - BlackPOS BlackPOS o November 2013 o 110 million cards stolen o $500 Million total exposure to Target (Gartner) o Cards resold on Rescator forum
- 27. How did the breach happen? o Utility contractor’s Target credentials compromised o Hackers accessed the Target network o Uploaded malware to a few POS systems o Tested malware efficacy and uploaded to the majority of POS systems o Data drop locations across the world 27 Login from the HVAC contractor Target’s POS updater server Target’s internal server with fileshare Credit card info transfer to internal fileshare Card info infiltration using FTP to external drop location Point of sale network Compromised drop locations
- 28. What is BlackPOS/Potato? o Malware is a modified version of BlackPos or Kaptoxa (Russian for Potato). o Runs on point of sale terminals and scans memory for credit card data. o First samples of this malware date back to Jan 2013 and were coded by Rinat Shibaev aka “ree4”, aka “AntiKiller” from Russia. o Malware was sold by Antikiller on hacker forum. However Antikiller is not directly involved in the Target breach. 28 Malware on sale ree4
- 29. Who wrote BlackPOS/Potato? o The suspect in the breach is a person called “Rescator” aka “Hel”. He is part of a larger hacker network called “Lampeduza Republic” o Rescator sold the stolen Target card info in bulk in underground markets at a price of $20-45 per card. o Brian Krebs named Andrey Hodirevski from Ukraine as Rescator. 29 Hel
- 30. Malware Workflow 30 1. Infect System o Adds to autostart via service o Download and run memory scraper 2. Steal Info o Use memory scraping to find credit card data o Output to a file locally o Send the dump file to exfiltration server via SMB 3. Exfiltrate Info o Periodically scan winxml.dll for updates o Upload information to the FTP server
- 31. Dissecting the Malware 31 This malware had 2 modules: o Mmon module – is used for scanning the memory of the POS machine , extract credit card numbers and dump them to a file, then send them to another compromised system inside Target’s network via network share o Bladelogic Uploader module – is used to upload those dumps into an ftp server.
- 32. Dissecting the Target Malware o Mmon module creates a thread that will upload the stolen information to another compromised system within Target’s network using a network share with the following credentials: o hostname: 10.116.240.31 o username: ttcopscli3acsBest1_user o password: BackupU$r o Afterwards, it deletes the mapping of the drive to avoid detection. 32
- 33. More Examples of Lateral Spread Malware o Allaple o Bondat o Bugbear o Dorkbot o Gamarue o Katar o Kenilfe o Mytob o Narilam o Nimda o Pushbot o Rimecud o Sality o Silly o Vobfus
- 34. Countermeasures
- 35. Countermeasures: See o Threat Intelligence o Forensics o Harden the network o Proactive monitoring o Look for data exfiltration
- 36. o SMB file traffic Countermeasures: Find
- 37. Countermeasures: Correlate Inspection Analytics Correlation Internet Lateral Spread Lateral DetectionPerimeter Detection
- 38. Conclusions o It is not sufficient to monitor the egress point for threats o Apply Machine Learning to all malware inspection, including lateral spread o Go deep and wide in the network o Correlate north-south and east-west malware movements o Attack malware at each stage of the malware kill-chain.
- 39. Q&A Thank You! Twitter: @belogor Previous MMW slides on http://cyphort.com/labs/ malwares-wanted/