Advanced Persistent Threats: Reality or Myth
1. October 20, 2011
Advanced Persistent Threats –
Myth or Reality?
Rahul Mohandas
Research Manager, McAfee
2. Advanced Persistent Threats Agenda
• Threat Landscape – Past, Present & Future
• Advanced Persistent Threats
– The definition
– Phases
– Threat vectors
– Associated costs
• Recent APT Attacks Demystified
– RSA Hack & Adobe Flash zero-day
– Stuxnet: A step closer to hardware
• Simulating a Real World Attack (DEMO)
The information in this presentation is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance.
3. Advanced Persistent Threats
The definition
• Actors – STATE sponsored / activists / members of organized crime
• Motives – Economic & political gain
• Targets – IP rich organizations
• Goals – Steal sensitive data, monitor communication or disrupt operations
3 January 2, 2012
4. Advanced Persistent Threats
Phases
• Step 1 – Reconnaissance
• Step 2 – Establish a backdoor
• Step 3 – Steal user credentials
• Step 4 – Data exfiltration
• Step 5 – Maintain persistence
6. Advanced Persistent Threats
Associated costs
• APT actors are not constrained by cost or revenue.
• 0-day cost ~ $100k

Vulnerability/Exploit | Value | Source
"Some exploits" | $200,000 - $250,000 | Various industry sources
A "real good" exploit | over $100,000 | Official from SNOsoft research
Vista exploit | $50,000 | Raimund Genes, Trend Micro
"Weaponized exploit" | $20,000 - $30,000 | David Maynor, SecureWorks

• APT cost
– Stuxnet utilized 4 0-day exploits. Including the associated development and weaponization cost, the attack was worth well over half a million dollars.
9. Advanced Persistent Threats
History of Flash exploits
Detection | Description | First Reported
CVE-2007-0071 | Vulnerability in DefineSceneAndFrameLabelData tag | June 2008
CVE-2010-1297 | Vulnerability in AVM2 New Function() | June 2010
CVE-2010-2884 | Vulnerability in ActionScript Virtual Machine 2 | September 2010
CVE-2010-3654 | Vulnerability in AVM2 MultiName button class | October 2010
CVE-2011-0609 | Vulnerability in AVM2 verifier while handling branch instructions | March 2011
CVE-2011-0611 | Vulnerability in AVM1 bytecode | July 2011
12. Advanced Persistent Threats
Signature evasion techniques
• public function loadBytes(bytes:ByteArray, context:LoaderContext = null):void
• Loads from binary data stored in a ByteArray object
• bytes:ByteArray – A ByteArray object. The contents of the ByteArray can be any of the file formats supported by the Loader class: SWF, GIF, JPEG, or PNG.
[Figure: XOR'ed Flash header, decoded at runtime with the XOR key]
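As an added example (not part of the deck, and not McAfee's code), a defender-side check for the layout this slide describes: a SWF XOR-encoded with a single-byte key and embedded in a carrier file, to be decoded and handed to loadBytes() at runtime. The check brute-forces the key and validates the recovered SWF header; the carrier bytes are constructed.

```python
# Added example (not from the slide deck): find a SWF that has been XOR-encoded
# with a single-byte key and embedded in a larger file, the layout the
# loadBytes() evasion relies on. The sample carrier below is constructed.
import struct

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib- and LZMA-compressed SWF

def find_xor_encoded_swf(data, max_version=40):
    """Try every single-byte XOR key and return (offset, key, magic, version,
    declared_length) for the first plausible SWF header, or None.
    A header is plausible if the magic is known, the version byte is sane and
    the declared file length fits in the buffer from the header onward."""
    n = len(data)
    for key in range(256):
        decoded = bytes(b ^ key for b in data)
        for magic in SWF_MAGICS:
            pos = decoded.find(magic)
            while pos != -1:
                if pos + 8 <= n:
                    version = decoded[pos + 3]
                    declared = struct.unpack_from("<I", decoded, pos + 4)[0]
                    if 0 < version <= max_version and 8 <= declared <= n - pos:
                        return (pos, key, magic.decode(), version, declared)
                pos = decoded.find(magic, pos + 1)
    return None

def build_sample(key=0x5A):
    """Constructed carrier: a fake container header, filler, then a minimal
    40-byte SWF (FWS, version 10) XOR-encoded with `key`, then trailing filler."""
    swf = b"FWS" + bytes([10]) + struct.pack("<I", 40) + b"\x00" * 32
    encoded = bytes(b ^ key for b in swf)
    return b"\xd0\xcf\x11\xe0" + b"A" * 20 + encoded + b"B" * 8

if __name__ == "__main__":
    print(find_xor_encoded_swf(build_sample()))  # (24, 90, 'FWS', 10, 40)
```

A key of 0 in the result means the embedded SWF was not obfuscated at all; multi-byte keys would need the search extended per key length.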
14. Advanced Persistent Threat
Stuxnet - overview
• Initial delivery: online or via USB drive
• Propagation: exploits FOUR new, unknown vulnerabilities
• Actual target: specific nuclear enrichment controllers (Siemens PLCs driving nuclear enrichment centrifuges)
15. Advanced Persistent Threat
Stuxnet - under the hood
[Diagram: Stuxnet Worm at the centre, with three groups of labels]
• Exploits: MS10-046, MS10-061, MS08-067, MS10-073, MS08-092, CVE-2010-2772
• Covert: Rootkit, Anti-AV, Digital Certificate
• Propagation: USB Drives, P2P, Network controller
16. Advanced Persistent Threat
Stuxnet – working (cont..)
• When the folder is opened in Explorer.exe, the .lnk files exploit the 0-day vulnerability to silently load the first file ~WTR4141.tmp (a DLL file) into memory and pass control to it (execute it) in the Explorer.exe address space
– Once running, the worm's rootkit features hide all file names ending in *.lnk and starting with ~wtr (including the above files) by hooking the following APIs:
• FindFirstFileW
• FindNextFileW
• FindFirstFileExW
• NtQueryDirectoryFile
• ZwQueryDirectoryFile
• Then it loads the 2nd .tmp file, ~WTR4132.tmp (which is a .CPL file)
17. Advanced Persistent Threat
Stuxnet – MRxCls.sys & MRxNet.sys
MRxCls.sys – 0xF8153747BAE8B4AE48837EE17172151E
• Injects malicious code into existing processes (services.exe, svchost.exe, lsass.exe)
• Creates the HKLM\System\CurrentControlSet\Services\MRxCls registry key
MRxNet.sys – 0xCC1DB5360109DE3B857654297D262CA1
• Monitors system events and activities (e.g. new program loading; hides *.tmp files)
• Creates the HKLM\System\CurrentControlSet\Services\MRxNet registry key
18. Stuxnet
Command and Control (C&C/C2)
• Stuxnet attempts to access the following C&C servers:
– www.mypremierfutbol.com
– www.todaysfutbol.com
• The data is encrypted and sent:
– http://mypremierfutbol.com/index.php?data=66a96e2888c9bb53f503e334d5d775e99b7905ac6e541529e2dadd4640fa3f995391d36ff2a7c058a21d699d2fb4a875ec1ce7a0f9e7dd11b6bfa1fe5377d602c39621b7f329
• The malware uses the RPC protocol to request services from the client (compromised machine) over the network.
• The following actions may be executed in response to RPC calls:
– create process, terminate process, read file, write file, delete file, set file attribute, inject file into a system process
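As an added example (not part of the deck, and not McAfee's code), a detection pass over proxy logs for the beacon shape shown on this slide: a request to one of the two named C&C domains, or an index.php request whose data= parameter carries a long hex blob like the one above. The log line format and the sample entries are constructed.

```python
# Added example (not from the slide deck): flag Stuxnet-style C2 beacons in a
# proxy log. The two domains come from the slide; the log format is constructed.
import re
from urllib.parse import urlsplit, parse_qs

KNOWN_C2 = {"mypremierfutbol.com", "todaysfutbol.com"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

def classify_request(url, min_hex_len=64):
    """Return the reasons a URL looks like a Stuxnet-style beacon (empty list if
    none): a request to a known C2 host, and/or an index.php 'data=' parameter
    carrying a long hex blob (the encrypted payload shape shown on the slide)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    reasons = []
    if host in KNOWN_C2:
        reasons.append("known-c2-domain")
    if parts.path.endswith("/index.php"):
        for value in parse_qs(parts.query).get("data", []):
            if len(value) >= min_hex_len and HEX_RE.match(value):
                reasons.append("long-hex-data-parameter")
                break
    return reasons

def scan_proxy_log(lines):
    """Each constructed line: '<timestamp> <client-ip> <method> <url>'.
    Returns (client-ip, url, reasons) for every suspicious request."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        reasons = classify_request(fields[3])
        if reasons:
            hits.append((fields[1], fields[3], reasons))
    return hits

# Constructed sample log: one benign request, one full beacon, one short
# parameter on an internal host, and one bare contact with a known C2 domain.
SAMPLE_LOG = [
    "2012-01-02T10:00:01 10.0.0.5 GET http://www.example.org/index.html",
    "2012-01-02T10:00:05 10.0.0.7 GET http://mypremierfutbol.com/index.php?data=" + "a3" * 40,
    "2012-01-02T10:00:09 10.0.0.9 GET http://intranet.example.org/index.php?data=0011223344",
    "2012-01-02T10:00:12 10.0.0.7 GET http://www.todaysfutbol.com/index.php?data=x",
]

if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(client, ",".join(reasons), url)
```

The domain match alone is only useful while the indicator is current; the long-hex-parameter heuristic is the part that generalises, so tune min_hex_len against your own traffic before alerting on it.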
RSA was hacked in March 2011 using an Adobe Flash vulnerability. CVE-2011-0609 was discovered as a zero-day in March 2011. The carrier Flash file was embedded inside an Excel file. Upon opening the Excel file with a vulnerable version of Flash Player the exploit is triggered: it loads shellcode into memory, performs heap spraying, and loads a Flash byte stream from memory to exploit the vulnerability. Once the exploit is successful a backdoor (PoisonIvy) is installed on the machine.
Getproperty – Get the named property of the given target. Coerce – Convert a value to the type given by the name argument. This implements the ES4 implicit conversion.
Discovered in July 2010 by the VirusBlokAda company in Minsk, Belarus.
Affecting 14 plants to date in Iran, Indonesia, India, UK, North America, Korea.
Targets Siemens WinCC and SIMATIC Process Control System (PCS7).
A user opens a folder that contains the .lnk template files (.pif files also vulnerable).
Rootkit drivers signed with valid certificates (Realtek and JMicron).
UPX packed, XOR encoded everywhere.
Once loaded, queries the Siemens database with a known default password.
Connects to C&C servers, sending sensitive data.
Manipulates the database to control the HMI output and manipulates the PLCs.
Using four 0-day vulnerabilities plus Conficker (MS08-067) *
Shortcut icon vulnerability (CVE-2010-2568/MS10-046) – affecting every version of Windows since Windows 2000 (even Win95) (patched Aug. 2)
Design flaw in Print Spooler (MS10-061/CVE-2010-2729) (patched on Tues)
Two privilege escalation exploits [win32k.sys] (yet to be patched) *
• Decrypt the configuration data used by the threat
• Drop two .sys files and install them as a kernel level rootkit
• Access files created by the Siemens Step 7 software package
• Update itself
• Drop more .dll and .dat files
• Infect removable drives with custom .lnk files
• Inject into the lsass.exe process and execute custom code
• Inject into the iexplore.exe process
• Check if certain antivirus applications are running
• Scan the network for servers
• Remove itself
• Communicate with the C&C server