TRANSCRIPT
1 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net
© 2015 HITRUST Alliance. All Rights Reserved.
Monthly Cyber Threat Briefing October 2015
Presenters
• Majed Oweis: Team Lead, US-CERT
• Tawfiq Shah: Senior Threat Intelligence Analyst, Armor
• Jason Trost: VP Threat Research, ThreatStream
• Thomas Skybakmoen: Research Vice President, NSS Labs, Inc.
• Dennis Palmer: Senior Security Analyst, HITRUST
• Q&A Session
NCCIC/US-CERT REPORT
TLP: AMBER (FOUO) Analysis Report (AR)-15-20004A: Fax-Themed Spear-Phishing Email Campaigns
• Follow-on analysis report (AR) to AR-15-20004.
• AR-15-20004 provided appendices A through I, which cite indicators of compromise (IOCs) from nine (9) campaigns that were identified (Appendix J contains information on mitigation and countermeasures).
• AR-15-20004A contains additional appendices K through M, with IOCs from three (3) additional campaigns that were identified.
• Both reports are available in the US-CERT Portal.
Report locations on the US-CERT Portal
AR-15-20004:
• PDF: https://portal.us-cert.gov/member/libraryV3/main.cfm?action=9&returnAction=17&cf=2&st=20004&libid=562943
• STIX: https://portal.us-cert.gov/member/libraryV3/main.cfm?action=9&returnAction=17&cf=2&st=20004&libid=562942
AR-15-20004A: posting location TBD.
Questions? Comments? Contact US-CERT at:
• Email: [email protected]
• Phone: 1-888-282-0870
• Website: www.us-cert.gov
Contact CISCP at: [email protected]
ARMOR THREAT TRENDS
Top Vulnerability Exploits in October

NAME | HITS | RELATED TECHS/MALWARE
Stagefright Vulnerability | 378 | Android, Google, Exploit, Smartphone, Zimperium
Certifi-gate | 40 | Android, Google, HTC Corporation, Check Point Software Technologies Ltd, Mobile Phone
CVE-2014-6271 (Shellshock) | 22 | Bash, Yahoo, Linux, Unix, Apple
CVE-2015-0666 | 17 | Exploit, Cisco Systems Inc, CWE, bug ID CSCus00241, Prime Data Center Network Manager
CVE-2014-0160 (Heartbleed) | 13 | OpenSSL, Yahoo, Google, Encryption, SSL
CVE-2015-1538 | 12 | Exploit, Google, Python, FTR, Android
CVE-2015-5764 | 11 | Apple, Safari URI, iPhone, HTML, iOS
CVE-2015-7384 | 10 | Node4, GitHub, Google, UTC
CVE-2015-3824 | 9 | Google, Android, FTR, Trend Micro, Zimperium
CVE-2015-1539 | 8 | Google, FTR, Android, LG Corp, Zimperium
MS08-067 | 7 | Microsoft, Conficker, Honeypot, Microsoft Windows, Metasploit
CVE-2015-2342 | 6 | VMware Inc, RCE, vCenter Remote Code Execution, Metasploit, vCenter
CVE-2015-3829 | 6 | Google, FTR, Android, MP4 Atom Integer Overflow Remote Code Execution, Zimperium
CVE-2015-3827 | 5 | Google, FTR, Android, LG Corp, Zimperium
CVE-2015-3826 | 5 | Google, FTR, Android, Zimperium, Huawei Technologies
CVE-2015-3828 | 5 | Google, FTR, Android, Zimperium, Huawei Technologies
CVE-2015-3864 | 4 | Exploit, Google, M7, Exodus, Exodus Intelligence
MS15-061 | 3 | Microsoft Windows, NCC Group, Microsoft, Kaspersky Lab, Duqu2
CVE-2015-3636 | 3 | Android, Linux, TowelRoot, Universal, Ubuntu
CVE-2014-7915 | 3 | Android, Integer, CWE
vmsa-2015-0007 | 3 | VMware Inc, ESXi 5.5 U3, Exploit, vCenter Server, RTS

NAME | HITS reduction | RELATED TECHS/MALWARE
Stagefright Vulnerability | 17 | Android, Google, Exploit, Smartphone, Zimperium
CVE-2015-3636 | 2 | Android, Linux, TowelRoot, Universal, Ubuntu
CVE-2015-5764 | 1 | Apple, Safari URI, iPhone, HTML, iOS
CVE-2015-1538 | 1 | Exploit, Google, Python, FTR, Android
CVE-2013-0422 | 1 | Java, Oracle Corp, Blackhole, Whitehole, Cool Exploit Kit
CVE-2014-0160 (Heartbleed) | 1 | OpenSSL, Yahoo, Google, Encryption, SSL

ACTION: Identify all systems with related vulnerabilities and remediate throughout the chain.
Top Emerging Malware Entities

NAME | HITS | ASSOCIATED SIGNATURES
YiSpecter | 978 |
Exploit | 235 |
Xorddos | 30 | Linux.Xorddos, Linux/XOR.DDoS
XcodeGhost | 26 |
Dridex | 19 | Dridex.B, Troj/Dridex-CA, Dridex.K, Troj/Dridex-BZ, TR/Dridex.A.1, Troj/Dridex-BT, Troj/Dridex-BW, Troj/Dridex-CQ, Troj/Dridex-W, Troj/Dridex-G
Ghost Push | 17 |
Shifu | 16 |

ACTION: Ensure anti-malware technologies are updated and verify that signatures are detecting/removing the above malware.
Threat Actor Noise (Activity)
Top Activity of Threat Actors for the Last 30 Days
Top Suspicious IP Addresses in the last 30 days

NAME | HITS
46[.]109[.]168[.]179 | 28
118[.]170[.]130[.]207 | 23
188[.]118[.]2[.]26 | 22
81[.]183[.]56[.]217 | 21
43[.]229[.]53[.]70 | 10
194[.]168[.]4[.]100 | 7
194[.]168[.]8[.]100 | 7
46[.]161[.]40[.]23 | 7
46[.]172[.]71[.]251 | 6
114[.]44[.]192[.]128 | 6
182[.]100[.]67[.]4 | 6
133[.]208[.]22[.]170 | 3
43[.]229[.]53[.]78 | 5
216[.]243[.]31[.]2 | 4
87[.]222[.]67[.]194 | 4
107[.]170[.]193[.]184 | 4
123[.]151[.]149[.]222 | 4
96[.]254[.]171[.]2 | 4
199[.]203[.]59[.]121 | 4
121[.]101[.]208[.]41 | 4
5[.]39[.]222[.]253 | 3
95[.]215[.]0[.]203 | 3
195[.]68[.]234[.]148 | 3

ACTION: Establish methodologies to fingerprint suspicious IPs and proactively block them from your environment.
Syriahak1993 Malware

Incident: Syriahak1993 Malware. Around September 12, 2015, the following malicious executables were observed:
1468DF07DD503AE984A45DDFA9152A26
29F851D7C864108D7D54E3351F193909
4DEB668D40C94A2CF0A143DBFFFC5366

These binaries connect to the Syria-themed dynamic C2 domain syriahak1993.no-ip.biz, which has resolved to the following IPs:
185.14.29.237 (Netherlands)
82.222.193.114 (Turkey)

Interestingly, both of these IPs have resolutions from Russian-nexus domains. The Netherlands IP resolves a number of likely legitimate .ru websites, while the Turkish IP has resolved the suspicious domains dimwitso.orosun.net and orosun.net; orosun.net was registered through reg.ru with privacy-protected WHOIS. The Netherlands IP also resolved the domains incandescencyp.binzaerd.biz and binzaerd.biz; binzaerd.biz was registered by the Russian email address [email protected], which also registered the following suspicious domains:
qarambyiu.biz
radiegus.biz
trollward.biz

ACTION: Have your threat intel team/provider vet possible domain creation maps.
IP Finger Printing the Syriahak1993 Malware
Famous Tony Suspicious Domain Squatting (Cybersquatting) Continues

Incident: Famous Tony Suspicious Domains. A large number of domains registered to the e-mail [email protected] have been identified and associated with this incident. Many of the domains use typosquatting or other techniques to spoof legitimate websites, potentially in preparation for phishing or malware attacks. Below are some of the spoofed domains along with the company and real domain that each suspicious domain is likely spoofing.

Format: COMPANY (Real domain) <Fake domain>
SISQUOC HEALTHCARE (sisquochealthcare.com) <sisqouchealthcare.com>
TTS JAPAN (ttsjapan.com) <ttsjapan-jp.com>
US GLOBAL PETROLEUM (usglobalpetroleum.com) <usglobalspetroleum.com>, <usglobalpetroleums.com>, <us-globalpetroleum.com>
TELCO INTERCON (telcointercon.com) <telcointercom.com>
LEATHERMAN (leatherman.com) <leathernam.com>
FIDELITY INVESTMENTS (fidelity.com) <fidelityinvests.com>
TORMEX (tormex.com) <tormex.net>
UBS INVESTMENT BANKING COMPANY (ubs.com) <ubsinvestmentbankplc.com>

ACTION: Establish alerts with your threat intelligence provider/subscription to keep an eye on suspicious domains.
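The spoofing patterns in the list above (a swapped letter pair, an inserted or dropped character, an added word, a changed TLD) can be checked mechanically against the domains an organization owns. The Python script below is an added example and not Armor's or HITRUST's code: it uses the real domains from the slide as the watch list and the listed fake domains as sample input, and the matching rules and thresholds (own label as prefix/suffix, edit distance of at most 2 for labels of six or more characters) are my own assumptions.

```python
"""Flag domains that look like typosquats of domains an organization owns.

Added example for the cybersquatting incident above; not Armor's or HITRUST's
code. The watch list is the "real domain" column from the slide; the matching
rules and thresholds below are my own assumptions.
"""

# Legitimate domains from the slide.
OWN_DOMAINS = [
    "sisquochealthcare.com", "ttsjapan.com", "usglobalpetroleum.com",
    "telcointercon.com", "leatherman.com", "fidelity.com", "tormex.com", "ubs.com",
]

# Suspicious registrations from the slide, plus two controls, used as sample input.
CANDIDATES = [
    "sisqouchealthcare.com", "ttsjapan-jp.com", "usglobalspetroleum.com",
    "usglobalpetroleums.com", "us-globalpetroleum.com", "telcointercom.com",
    "leathernam.com", "fidelityinvests.com", "tormex.net",
    "ubsinvestmentbankplc.com", "fidelity.com", "example.org",
]


def levenshtein(a, b):
    """Edit distance counting single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Split 'tormex.net' into ('tormex', 'net'); two-label names only, for this demo."""
    label, _, tld = domain.lower().strip().strip(".").rpartition(".")
    return label, tld


def classify(candidate, own=OWN_DOMAINS):
    """Return (matched_own_domain, reason) or (None, None) for an unrelated name.

    Rules, in order: identical name is 'legitimate'; same label under another
    TLD is 'tld-swap'; own label used as a prefix/suffix (or, for labels of six
    or more characters, anywhere inside) is 'affix'; otherwise an edit distance
    of at most 2 from an own label of six or more characters is 'typo'.
    """
    c_label, c_tld = split_domain(candidate)
    for real in own:
        r_label, r_tld = split_domain(real)
        if c_label == r_label:
            return real, "legitimate" if c_tld == r_tld else "tld-swap"
        longer = len(c_label) > len(r_label)
        if longer and (c_label.startswith(r_label) or c_label.endswith(r_label)):
            return real, "affix"
        if len(r_label) >= 6 and r_label in c_label:
            return real, "affix"
        if len(r_label) >= 6 and levenshtein(c_label, r_label) <= 2:
            return real, "typo"
    return None, None


def report(candidates, own=OWN_DOMAINS):
    """Map every flagged candidate to (own_domain, reason); skip unrelated and legitimate names."""
    out = {}
    for cand in candidates:
        real, reason = classify(cand, own)
        if reason and reason != "legitimate":
            out[cand] = (real, reason)
    return out


if __name__ == "__main__":
    for cand, (real, reason) in report(CANDIDATES).items():
        print(f"{cand:28} -> {real:24} [{reason}]")
```

The prefix/suffix rule has no length floor, so a three-letter label such as ubs will also flag unrelated names that happen to start with it; in practice the output is a review queue for the threat intel team, not a block list.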
Dridex Incident: Dridex returned this month.

Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.

Dridex operates by first arriving on a user's computer as a malicious spam e-mail with a Microsoft Word document attached to the message. If the user opens the document, a macro embedded in the document surreptitiously triggers a download of the Dridex banking malware, enabling it to first steal banking credentials and then attempt to generate fraudulent financial transactions.

Below are the SHA256 hashes of the malicious payload:
2A12822134B4C3F1396212E04BC462FDF23082A55FDBC15E91722D07D54FD4B2
C1E8FCE5B72DA6F2CE43920CA9E6574750F7E994C51F6084E90C115FE9D2B804
A6CFCF501AEAA319B576AF713FEF10E227775E59E82224D1182D309BE5DC80BD
761B17C4F926C403813B5C2C4C79F3D64C3B5D5A96E841E454FD5791E56F67DB
436C99C88EA0A7312F3D60B127D0735E4698599B2F83B4DF3A1DC67764235256

A497DE7F2488F093AA74562695A2CE705CBDDBD2C4A357F5C785F23EA7450F43 is the hash of the executable ultimately downloaded via any of the following URLs:
http://www.norlabs.de/123/1111.exe
http://www.ifdcsanluis.edu.ar/123/1111.exe
http://hobby-hangar.net/123/1111.exe
http://zahnrad-ruger.de/123/1111.exe
http://miastolomza.pl/123/1111.exe

ACTION: Ensure network security sensors have the appropriate signatures to detect the Dridex indicators.
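The suspicious IPs, the Syriahak1993 C2 domain and IPs, and the Dridex hashes and download URLs in the Armor section are only useful once they are matched against something you collect. The Python script below is an added example (not Armor's or HITRUST's code) that serves all three of those slides: it refangs the bracketed IPs, normalizes the indicators, and runs them over a few proxy-log lines. The indicator values come from the slides; the log format, the 10.x client addresses, the documentation-range server addresses and the log lines themselves are constructed for the demo. It goes one step beyond the exact indicators by also flagging the shared dropper path /123/1111.exe on a host that is not on the list.

```python
"""Match the Armor indicators from this briefing against proxy logs and file hashes.

Added example; not Armor's or HITRUST's code. Indicator values are copied from
the slides; the log format and the log lines below are constructed for the demo.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators as printed on the slides (IPs are defanged with [.]).
SUSPICIOUS_IPS_DEFANGED = [
    "46[.]109[.]168[.]179", "118[.]170[.]130[.]207", "188[.]118[.]2[.]26",
    "81[.]183[.]56[.]217", "43[.]229[.]53[.]70", "43[.]229[.]53[.]78",
]
C2_IPS = ["185.14.29.237", "82.222.193.114"]        # Syriahak1993 C2 resolutions
C2_DOMAINS = ["syriahak1993.no-ip.biz"]
DRIDEX_URLS = [
    "http://www.norlabs.de/123/1111.exe",
    "http://www.ifdcsanluis.edu.ar/123/1111.exe",
    "http://hobby-hangar.net/123/1111.exe",
    "http://zahnrad-ruger.de/123/1111.exe",
    "http://miastolomza.pl/123/1111.exe",
]
DRIDEX_SHA256 = {
    "2A12822134B4C3F1396212E04BC462FDF23082A55FDBC15E91722D07D54FD4B2",
    "C1E8FCE5B72DA6F2CE43920CA9E6574750F7E994C51F6084E90C115FE9D2B804",
    "A6CFCF501AEAA319B576AF713FEF10E227775E59E82224D1182D309BE5DC80BD",
    "761B17C4F926C403813B5C2C4C79F3D64C3B5D5A96E841E454FD5791E56F67DB",
    "436C99C88EA0A7312F3D60B127D0735E4698599B2F83B4DF3A1DC67764235256",
    "A497DE7F2488F093AA74562695A2CE705CBDDBD2C4A357F5C785F23EA7450F43",
}


def refang(indicator):
    """Turn a defanged indicator back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {refang(ip) for ip in SUSPICIOUS_IPS_DEFANGED} | set(C2_IPS)
IOC_URLS = set(DRIDEX_URLS)
IOC_HOSTS = set(C2_DOMAINS) | {urlsplit(u).hostname for u in DRIDEX_URLS}
DROPPER_PATH = urlsplit(DRIDEX_URLS[0]).path   # "/123/1111.exe", shared by all five URLs

# Assumed proxy log format: "<timestamp> <client-ip> <method> <url> <status> <server-ip>"
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<dst>\d{1,3}(?:\.\d{1,3}){3})$"
)


def match_proxy_line(line):
    """Return a list of (indicator_type, value) hits for one proxy log line."""
    m = PROXY_RE.match(line)
    if not m:
        return []
    url = m["url"]
    parts = urlsplit(url)
    host = parts.hostname or ""
    hits = []
    if m["dst"] in IOC_IPS:
        hits.append(("dst-ip", m["dst"]))
    if host in IOC_HOSTS:
        hits.append(("host", host))
    if url in IOC_URLS:
        hits.append(("url", url))
    elif parts.path == DROPPER_PATH:
        # Same dropper path on a host that is not (yet) on the list: worth a look.
        hits.append(("url-path", url))
    return hits


def scan_proxy_log(lines):
    """Return [(line_number, hits)] for every line that matched something."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = match_proxy_line(line)
        if hits:
            results.append((n, hits))
    return results


def sha256_is_ioc(hexdigest):
    """Case-insensitive lookup of a SHA256 hex digest in the Dridex set."""
    return hexdigest.strip().upper() in DRIDEX_SHA256


def file_is_ioc(data):
    """Hash raw file bytes and check them against the Dridex set."""
    return sha256_is_ioc(hashlib.sha256(data).hexdigest())


# Constructed log lines (10.x clients; 198.51.100.x / 203.0.113.x are documentation ranges).
SAMPLE_LOG = [
    "2015-10-05T09:12:01Z 10.1.2.3 GET http://www.norlabs.de/123/1111.exe 200 203.0.113.10",
    "2015-10-05T09:12:05Z 10.1.2.4 GET http://syriahak1993.no-ip.biz/ 200 185.14.29.237",
    "2015-10-05T09:12:09Z 10.1.2.5 GET http://intranet.example.net/index.html 200 198.51.100.7",
    "2015-10-05T09:12:14Z 10.1.2.6 POST http://46.109.168.179/upload 200 46.109.168.179",
    "2015-10-05T09:12:20Z 10.1.2.7 GET http://mirror.example.net/123/1111.exe 200 198.51.100.8",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for n, hits in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {hits}")
    print("known Dridex hash:", sha256_is_ioc("a497de7f2488f093aa74562695a2ce705cbddbd2c4a357f5c785f23ea7450f43"))
```

Matching on the destination IP as well as on the URL host catches the case where the proxy resolved a listed domain to an address that is itself on the list, and the url-path rule shows how a campaign-specific artifact can be generalized once the exact indicators have been confirmed.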
THREATSTREAM EMERGING THREATS
ThreatStream Emerging Threats Briefing
Jason Trost VP Threat Research
ThreatStream Labs
October 2015 – Cyber Security Awareness Month
• Lots of public data breaches resulting in public credential exposures this month
• Sourced from paste sites, Google dorks, DarkWeb, Pony botnet dumps, publicly dumped databases from large breaches, and most recently VirusTotal
Credential Exposures in Virustotal Uploads
• Virustotal - source of credential exposures
• October 1 – 9th: Nearly 500K credentials found
Diagram labels: Next-gen Network Sensors; AV and Host-based Sensors; Evidence Corpus From IR / Research (h/t Brian Carter, Anthem)
Global Trends
42M Credentials Total
Top sources:
• Ashley Madison
• Patreon
• Pastebin
• Pony botnet
• Hell Forum
• Slexy.org
Trends across HITRUST Orgs
~13K Credentials Total, 260 HITRUST Orgs
Top sources:
• Ashley Madison
• Hell Forum
• Pastebin
• Pony botnet
• Patreon
• Virustotal
Credentials on Virustotal
461K Credentials Total
HITRUST Credentials in Virustotal
290 Credentials Total 68 HITRUST Orgs
Pastebin
1.8M Credentials Total
HITRUST Credentials on Pastebin
1,845 Credentials total 157 HITRUST Orgs
What to do about this?
• Watch for Credential Exposures affecting your org and your org’s supply chain
• Perform searches or set up keyword alerts for your organization in CTX
  – Your org’s email domains
  – Your org’s key personnel’s personal email addresses
  – Your supply chain’s email domains
• Force password resets for accounts with exposed passwords or weak hashes
• Notify users and supply chain as needed
• Capture metrics; maybe you need a corporate policy limiting use of corporate email addresses on 3rd party sites?
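For the keyword-alert and forced-reset steps above, here is an added Python example of the check such an alert performs; it is not ThreatStream CTX code and not from the briefing. It scans a credential dump for addresses under your own and supply-chain email domains, classifies each exposed secret as plaintext, an unsalted fast hash, or a slow hash, and produces the reset list the slide asks for. The watch domains, the dump lines and the hash-length heuristic (32/40/64 hex characters read as MD5/SHA-1/SHA-256) are constructed assumptions.

```python
"""Find exposed credentials for your own and supply-chain email domains in a dump.

Added example for the keyword-alert and password-reset steps above; not
ThreatStream CTX code and not from the briefing. The watch domains, the dump
text and the hash-length heuristic are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed watch list: domain -> scope. Replace with your own and your suppliers' domains.
WATCH_DOMAINS = {
    "example-health.org": "own",
    "vendor-example.com": "supply-chain",
}

# One credential per line, "email<separator>secret", as paste dumps commonly appear.
ENTRY_RE = re.compile(r"^\s*(?P<email>[\w.+-]+@[\w.-]+\.\w+)\s*[:;,|\t ]\s*(?P<secret>\S+)\s*$")
HEX_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
# Plaintext and unsalted fast hashes are recoverable offline, so they force a reset.
WEAK_KINDS = {"plaintext", "md5", "sha1", "sha256"}


def classify_secret(secret):
    """Heuristic label for the exposed secret: bcrypt, md5/sha1/sha256 hex, or plaintext."""
    if secret.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if re.fullmatch(r"[0-9a-fA-F]+", secret) and len(secret) in HEX_HASH_LENGTHS:
        return HEX_HASH_LENGTHS[len(secret)]
    return "plaintext"


def scan_dump(text, watch=WATCH_DOMAINS):
    """Return {domain: [finding, ...]} for entries whose address is under a watched domain."""
    findings = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        email = m["email"].lower()
        domain = email.rpartition("@")[2]
        if domain not in watch:
            continue
        kind = classify_secret(m["secret"])
        findings[domain].append({
            "email": email,
            "secret_kind": kind,
            "reset": kind in WEAK_KINDS,
            "scope": watch[domain],
        })
    return dict(findings)


def reset_list(findings):
    """Sorted, de-duplicated addresses that need a forced password reset."""
    return sorted({f["email"] for hits in findings.values() for f in hits if f["reset"]})


# Constructed sample dump: mixed separators, mixed case, one bcrypt hash, one noise line.
SAMPLE_DUMP = """\
# constructed sample, not a real dump
alice@example-health.org:Summer2015!
bob@example-health.org:5f4dcc3b5aa765d61d8327deb882cf99
carol@vendor-example.com:$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
dave@unrelated.net:hunter2
erin@Example-Health.org;password123
alice@example-health.org | Summer2015!
not a credential line
"""

if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP)
    for domain, hits in found.items():
        print(f"{domain} ({hits[0]['scope']}): {len(hits)} exposure(s)")
        for f in hits:
            print(f"  {f['email']}  {f['secret_kind']}  reset={f['reset']}")
    print("reset:", reset_list(found))
```

Notice that the bcrypt entry still shows up in the findings (the user should be told) but not in the reset list; whether a slow salted hash warrants a forced reset is a policy decision, and the WEAK_KINDS set is the one place to encode it.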
Configuring Keyword Alerts
Advanced Search
What to do about Virustotal?
• You may want to audit which of your security appliances might be sending files to Virustotal, and disable that
• PII, user lists, etc. should be encrypted when emailed, since you never know who is watching or how these messages are propagated to places like Virustotal
• Use CTX, as previously mentioned, to identify these
NSS LABS VULNERABILITY TRENDS AND LIVE DEMO
Threat Capabilities Report
• NSS observed a surge in command and control activity in South America in September.
• Exploits and attack campaigns primarily targeted Adobe, Silverlight and Internet Explorer.
• The number of Silverlight attacks surged in September compared to the previous 3 months.
• The majority of attacks continued to focus on popular enterprise operating systems such as Windows 7 SP1 (71%) and Windows XP SP3 (26%).
• In the latter part of August, NSS observed the exploit CVE-2014-6332 being used to deliver antivirus software from two Chinese vendors in a campaign targeting Chinese users.
Top Targeted Applications and Operating Systems
Application/OS Combination Windows 7 SP1 Windows Vista SP1 Windows XP SP3
Adobe Flash Player 10.2.152.26 • •
Adobe Flash Player 17.0.0.188 •
Adobe Reader 9.2 • •
Internet Explorer 7 •
Internet Explorer 8 •
Internet Explorer 9 • •
Silverlight 1 • •
Silverlight 3 • •
Silverlight 4.0.5 •
Silverlight 4.0.51204 • •
Data from September 2015 - NSS Labs
Top Origin of Threats
Values from the chart (share of observed threats by country of origin):
United States, 44%
China, 20%
Hong Kong, 14%
UK, 6%
Canada, 4%
Netherlands, 4%
France, 3%
Italy, 3%
Russia, 2%
Germany, 1%
Data from September 2015 - NSS Labs

Action: While it is not feasible to remove access to popular domains in the United States, removing access to, for example, Russia and other countries might be.
Top Command and Control Hosting by Geo
Country | Rank
China | 1
United States | 2
Hong Kong | 3
Romania | 4
Portugal | 5
Ukraine | 6
Bulgaria | 7
Venezuela | 8
Argentina | 9
Poland | 10
Data from September 2015 - NSS Labs
C&C Server Locations & Callback Ports
10 commonly used command and control (C&C) server locations in combination with 10 commonly used callback ports.
Action: Track C&C port behavior to limit data breaches.
Country/Port 80 443 8080 3128 82 38950 88002 1733 42857 40008 Argentina* Bulgaria China • • • • • • • • Hong Kong • Poland* Portugal • Romania • • Ukraine • United States • • • Venezuela*
Data from September 2015 - NSS Labs
CAWS: Live Presentation
https://caws.nsslabs.com/
HITRUST
CSF Controls Related to Threats
CSF Control for Compromised Credentials
• Control Reference: 01.d User Password Management
  – Control Text: All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user.
  – Implementation Requirement: Passwords should be confidential, passwords should be changed under indication of compromise, passwords should not be reused, and passwords should not be shared or provided to anyone.
CSF Controls Related to Threats
CSF Control for Vulnerability Patching
• Control Reference: *10.m Control of Technical Vulnerabilities
  – Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.
  – Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within
  Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.
CSF Controls Related to Threats
CSF Control for Suspicious Domain Registrations (Cybersquatting)
• Control Reference: 01.i Policy on the Use of Network Services
  – Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.
  – Implementation Requirement: The organization shall specify the networks and network services to which users are authorized access.
CSF Controls Related to Threats
CSF Control for Dropper Tools Dropping Basic Backdoors / RATs
• Control Reference: 09.j Controls Against Malicious Code
  – Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.
  – Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.
Q&A SESSION
Visit www.HITRUSTAlliance.net for more information
To view our latest documents, visit the Content Spotlight