
HITRUST Alliance: Monthly Cyber Threat Briefing, October 2015

1 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net
© 2015 HITRUST Alliance. All Rights Reserved.


Presenters
• Majed Oweis: Team Lead, US-CERT
• Tawfiq Shah: Senior Threat Intelligence Analyst, Armor
• Jason Trost: VP Threat Research, ThreatStream
• Thomas Skybakmoen: Research Vice President, NSS Labs, Inc.
• Dennis Palmer: Senior Security Analyst, HITRUST
• Q&A Session


NCCIC/US-CERT REPORT


TLP: AMBER (FOUO) Analysis Report (AR)-15-2004A: Fax-Themed Email Spear-Phishing Email Campaigns

• Follow-on analysis report (AR) to AR-15-20004.
• AR-15-20004 provided appendices A through I, which cite indicators of compromise (IOCs) from nine (9) campaigns that were identified (Appendix J contains information for mitigation and countermeasures).
• AR-15-20004A contains additional appendices K through M, with IOCs from three (3) additional campaigns that were identified.
• Both reports are available in the US-CERT Portal.


Report locations on the US-CERT Portal:

AR-15-20004:
• PDF: https://portal.us-cert.gov/member/libraryV3/main.cfm?action=9&returnAction=17&cf=2&st=20004&libid=562943
• STIX: https://portal.us-cert.gov/member/libraryV3/main.cfm?action=9&returnAction=17&cf=2&st=20004&libid=562942

AR-15-20004A: posting location TBD.


Questions? Comments? Contact US-CERT at:
• Email: [email protected]
• Phone: 1-888-282-0870
• Website: www.us-cert.gov

Contact CISCP at: [email protected]


ARMOR THREAT TRENDS


Top Vulnerability Exploits in October

NAME                         HITS  RELATED TECHS/MALWARE
Stagefright Vulnerability     378  Android, Google, Exploit, Smartphone, Zimperium
Certifi-gate                   40  Android, Google, HTC Corporation, Check Point Software Technologies Ltd, Mobile Phone
CVE-2014-6271 (Shellshock)     22  Bash, Yahoo, Linux, Unix, Apple
CVE-2015-0666                  17  Exploit, Cisco Systems Inc, CWE, bug ID CSCus00241, Prime Data Center Network Manager
CVE-2014-0160 (Heartbleed)     13  OpenSSL, Yahoo, Google, Encryption, SSL
CVE-2015-1538                  12  Exploit, Google, Python, FTR, Android
CVE-2015-5764                  11  Apple, Safari URI, iPhone, HTML, iOS
CVE-2015-7384                  10  Node4, GitHub, Google, UTC
CVE-2015-3824                   9  Google, Android, FTR, Trend Micro, Zimperium
CVE-2015-1539                   8  Google, FTR, Android, LG Corp, Zimperium
MS08-067                        7  Microsoft, Conficker, Honeypot, Microsoft Windows, Metasploit
CVE-2015-2342                   6  VMware Inc, RCE, vCenter Remote Code Execution, Metasploit, vCenter
CVE-2015-3829                   6  Google, FTR, Android, MP4 Atom Integer Overflow Remote Code Execution, Zimperium
CVE-2015-3827                   5  Google, FTR, Android, LG Corp, Zimperium
CVE-2015-3826                   5  Google, FTR, Android, Zimperium, Huawei Technologies
CVE-2015-3828                   5  Google, FTR, Android, Zimperium, Huawei Technologies
CVE-2015-3864                   4  Exploit, Google, M7, Exodus, Exodus Intelligence
MS15-061                        3  Microsoft Windows, NCC Group, Microsoft, Kaspersky Lab, Duqu2
CVE-2015-3636                   3  Android, Linux, TowelRoot, Universal, Ubuntu
CVE-2014-7915                   3  Android, Integer, CWE
vmsa-2015-0007                  3  VMware Inc, ESXi 5.5 U3, Exploit, vCenter Server, RTS

NAME                         HITS (reduction)  RELATED TECHS/MALWARE
Stagefright Vulnerability     17  Android, Google, Exploit, Smartphone, Zimperium
CVE-2015-3636                  2  Android, Linux, TowelRoot, Universal, Ubuntu
CVE-2015-5764                  1  Apple, Safari URI, iPhone, HTML, iOS
CVE-2015-1538                  1  Exploit, Google, Python, FTR, Android
CVE-2013-0422                  1  Java, Oracle Corp, Blackhole, Whitehole, Cool Exploit Kit
CVE-2014-0160 (Heartbleed)     1  OpenSSL, Yahoo, Google, Encryption, SSL

ACTION: Identify all systems with related vulnerabilities and remediate throughout the chain.


Top Emerging Malware Entities

NAME         HITS  ASSOCIATED SIGNATURES
YiSpecter     978
Exploit       235
Xorddos        30  Linux.Xorddos, Linux/XOR.DDoS
XcodeGhost     26
Dridex         19  Dridex.B, Troj/Dridex-CA, Dridex.K, Troj/Dridex-BZ, TR/Dridex.A.1, Troj/Dridex-BT, Troj/Dridex-BW, Troj/Dridex-CQ, Troj/Dridex-W, Troj/Dridex-G
Ghost Push     17
Shifu          16

ACTION: Ensure anti-malware technologies are updated and verify that signatures are detecting/removing the above malware.


Threat Actor Noise (Activity)

Top Activity of Threat Actors for the Last 30 Days


ACTION: Establish methodologies and fingerprint suspicious IPs and proactively block them from your environment.

Top Suspicious IP Addresses in the last 30 days


Syriahak1993 Malware

Incident: Syriahak1993 Malware. Around September 12, 2015, the following malicious executables (MD5 hashes) were observed:
1468DF07DD503AE984A45DDFA9152A26
29F851D7C864108D7D54E3351F193909
4DEB668D40C94A2CF0A143DBFFFC5366

These binaries connect to the Syria-themed dynamic C2 domain syriahak1993.no-ip.biz, which has resolved to the following IPs:
185.14.29.237 (Netherlands)
82.222.193.114 (Turkey)

Interestingly, both of these IPs seem to have resolutions from Russian-nexus domains. The Netherlands IP resolves a number of likely legitimate .ru websites, while the Turkish IP has resolved the suspicious domains dimwitso.orosun.net and orosun.net; orosun.net was registered through reg.ru with privacy-protected WHOIS. The Netherlands IP also resolved to incandescencyp.binzaerd.biz and binzaerd.biz; binzaerd.biz was registered by the Russian email address [email protected], which also registered the following suspicious domains: qarambyiu.biz, radiegus.biz, trollward.biz

ACTION: Have your threat intel team/provider vet possible domain creation maps.


IP Finger Printing the Syriahak1993 Malware


Famous Tony Suspicious Domain Squatting (Cybersquatting) Continues

Incident: Famous Tony Suspicious Domains. A large number of domains registered to the e-mail [email protected] have been identified and associated with this incident. Many of the domains use typosquatting or other techniques to spoof legitimate websites, potentially in preparation for phishing or malware attacks. Below are some of the spoofed domains along with the company and real domain that each suspicious domain is likely spoofing.

Format: COMPANY (Real domain) <Fake domain>
SISQUOC HEALTHCARE (sisquochealthcare.com) <sisqouchealthcare.com>
TTS JAPAN (ttsjapan.com) <ttsjapan-jp.com>
US GLOBAL PETROLEUM (usglobalpetroleum.com) <usglobalspetroleum.com>, <usglobalpetroleums.com>, <us-globalpetroleum.com>
TELCO INTERCON (telcointercon.com) <telcointercom.com>
LEATHERMAN (leatherman.com) <leathernam.com>
FIDELITY INVESTMENTS (fidelity.com) <fidelityinvests.com>
TORMEX (tormex.com) <tormex.net>
UBS INVESTMENT BANKING COMPANY (ubs.com) <ubsinvestmentbankplc.com>

ACTION: Establish alerts with your threat intelligence provider/subscription to keep an eye on suspicious domains.
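The spoofed-domain list above lends itself to an automated lookalike check. The following is an added example, not code from the briefing: it classifies each suspicious domain against the legitimate one by squatting technique (transposition, insertion, hyphenation, TLD swap, brand affix) and edit distance, assuming a single-label public suffix such as .com; the rule names are my own.

```python
"""Lookalike-domain classifier for the spoofed domains listed on the slide."""

# Constructed from the slide's "COMPANY (Real domain) <Fake domain>" list.
SPOOF_CASES = [
    ("SISQUOC HEALTHCARE", "sisquochealthcare.com", ["sisqouchealthcare.com"]),
    ("TTS JAPAN", "ttsjapan.com", ["ttsjapan-jp.com"]),
    ("US GLOBAL PETROLEUM", "usglobalpetroleum.com",
     ["usglobalspetroleum.com", "usglobalpetroleums.com", "us-globalpetroleum.com"]),
    ("TELCO INTERCON", "telcointercon.com", ["telcointercom.com"]),
    ("LEATHERMAN", "leatherman.com", ["leathernam.com"]),
    ("FIDELITY INVESTMENTS", "fidelity.com", ["fidelityinvests.com"]),
    ("TORMEX", "tormex.com", ["tormex.net"]),
    ("UBS INVESTMENT BANKING COMPANY", "ubs.com", ["ubsinvestmentbankplc.com"]),
]


def split_domain(domain):
    """Split 'label.tld' into (label, tld); assumes a single-label public suffix."""
    name = domain.lower().strip().rstrip(".")
    if name.startswith("www."):
        name = name[4:]
    label, _, tld = name.rpartition(".")
    return label, tld


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(real, suspect):
    """Name the squatting technique that turns `real` into `suspect`."""
    rl, rt = split_domain(real)
    sl, st = split_domain(suspect)
    if rl == sl:
        return "identical" if rt == st else "tld-swap"      # tormex.com -> tormex.net
    if sl.replace("-", "") == rl:
        return "hyphenation"                                # us-globalpetroleum
    if len(sl) == len(rl):
        diffs = sum(1 for x, y in zip(rl, sl) if x != y)
        if diffs == 1:
            return "substitution"                           # telcointercon -> telcointercom
        if sorted(rl) == sorted(sl):
            return "transposition"                          # sisquoc -> sisqouc
    if len(sl) == len(rl) + 1 and any(sl[:i] + sl[i + 1:] == rl for i in range(len(sl))):
        return "insertion"                                  # usglobalspetroleum
    if len(sl) == len(rl) - 1 and any(rl[:i] + rl[i + 1:] == sl for i in range(len(rl))):
        return "omission"
    if sl.startswith(rl) or sl.endswith(rl):
        return "brand-affix"                                # ubs -> ubsinvestmentbankplc
    return "other"


def lookalike_report(cases=SPOOF_CASES):
    """Return [(company, real, suspect, technique, edit_distance), ...]."""
    rows = []
    for company, real, suspects in cases:
        for suspect in suspects:
            rows.append((company, real, suspect, classify(real, suspect),
                         levenshtein(real, suspect)))
    return rows


if __name__ == "__main__":
    for company, real, suspect, technique, dist in lookalike_report():
        print(f"{company:<32} {real:<24} {suspect:<28} {technique:<14} d={dist}")
```

The same classifier can be run against newly registered domains from a registration feed, with your own brand domains in place of the slide's list.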


Dridex Incident: Dridex returned this month.

Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.

Dridex operates by first arriving on a user's computer as a malicious spam e-mail with a Microsoft Word document attached to the message. If the user opens the document, a macro embedded in the document surreptitiously triggers a download of the Dridex banking malware, enabling it to first steal banking credentials and then attempt to generate fraudulent financial transactions.

ACTION: Ensure network security sensors have the appropriate signatures to detect the Dridex indicators.

Below are the SHA256 hashes of the malicious payload:


A497DE7F2488F093AA74562695A2CE705CBDDBD2C4A357F5C785F23EA7450F43 represents the hash of the executable ultimately downloaded via any of the following URLs:

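Since the Dridex lure is a macro in an attached Word document, a mail-gateway check for macro-bearing Office attachments is the natural control alongside the network signatures. The following is an added example, not code from the briefing: it inspects OOXML attachments (docx/docm/xlsm) for a VBA project and only flags legacy OLE .doc files for manual review; the policy verdicts, file names and sample documents are constructed.

```python
"""Mail-gateway check for macro-bearing Office attachments (the Dridex lure)."""
import io
import zipfile

VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # Compound File header (.doc/.xls)
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")      # extensions that should never carry VBA


def has_vba_project(data):
    """True if an OOXML package (a zip) contains a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return False                 # not OOXML; legacy OLE is handled separately
    return any(part in names for part in VBA_PARTS)


def is_legacy_ole(data):
    """True for binary Office 97-2003 files, which need an OLE parser to inspect."""
    return data.startswith(OLE_MAGIC)


def gateway_verdict(filename, data, sender_is_external):
    """allow / review / quarantine for one attachment under a simple policy."""
    name = filename.lower()
    if is_legacy_ole(data):
        return "review"              # cannot tell macro presence here: hold for analysis
    if not has_vba_project(data):
        return "allow"
    if name.endswith(MACRO_FREE_EXT):
        return "quarantine"          # VBA inside a "macro-free" extension: masquerading
    return "quarantine" if sender_is_external else "review"


def build_sample_docx(with_macro):
    """Constructed minimal OOXML package for testing; not a real Dridex document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("invoice.docm", build_sample_docx(True), True),
               ("invoice.docx", build_sample_docx(True), True),
               ("notes.docx", build_sample_docx(False), True),
               ("old.doc", OLE_MAGIC + b"\x00" * 16, True)]
    for fname, doc, external in samples:
        print(f"{fname:<14} external={external} -> {gateway_verdict(fname, doc, external)}")
```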


THREATSTREAM EMERGING THREATS


ThreatStream Emerging Threats Briefing

Jason Trost VP Threat Research

ThreatStream Labs


October 2015 – Cyber Security Awareness Month

• Lots of public data breaches resulting in public credential exposures this month

• Sourced from paste sites, Google dorks, DarkWeb, Pony botnet dumps, publicly dumped databases from large breaches, and most recently VirusTotal

Breach


Credential Exposures in VirusTotal Uploads
• VirusTotal: a source of credential exposures
• October 1 – 9: nearly 500K credentials found

Figure labels: Next-gen Network Sensors; AV and Host-based Sensors; Evidence Corpus From IR / Research (h/t Brian Carter, Anthem)


Global Trends

42M Credentials Total
Top sources:
• Ashley Madison
• Patreon
• Pastebin
• Pony botnet
• Hell Forum
• Slexy.org


Trends across HITRUST Orgs

~13K Credentials Total, 260 HITRUST Orgs
Top sources:
• Ashley Madison
• Hell Forum
• Pastebin
• Pony botnet
• Patreon
• VirusTotal


Credentials on Virustotal

461K Credentials Total


HITRUST Credentials in Virustotal

290 Credentials Total 68 HITRUST Orgs


Pastebin

1.8M Credentials Total


HITRUST Credentials on Pastebin

1,845 Credentials total 157 HITRUST Orgs


What to do about this?
• Watch for credential exposures affecting your org and your org's supply chain
• Perform searches or set up keyword alerts for your organization in CTX:
  – Your org's email domains
  – Your org's key personnel's personal email addresses
  – Your supply chain's email domains
• Force password resets for accounts with exposed passwords or weak hashes
• Notify users and supply chain as needed
• Capture metrics; maybe you need a corporate policy limiting use of corporate email addresses on 3rd-party sites?
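The steps above (watch lists for org domains, key personnel and supply chain; resets for exposed passwords or weak hashes; notifications; metrics) can be applied to a dump mechanically. The following is an added example, not code from the briefing or from CTX: it triages a constructed `email:secret` dump against the three watch lists, treats unsalted MD5/SHA-1/SHA-256 hex as weak hashes and modular-crypt strings (`$2b$`, `$6$`, ...) as strong; the domain names and dump lines are made up.

```python
"""Triage of a leaked credential dump against an organization's watch lists."""
import re
from collections import Counter

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
UNSALTED_HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed sample dump: addresses, domains and secrets are made up
# (the 32-hex value is the well-known MD5 of "password").
SAMPLE_DUMP = """\
# source: constructed paste, 2015-10
alice@hitrust-member.example:Summer2015!
bob@hitrust-member.example:5f4dcc3b5aa765d61d8327deb882cf99
carol@vendor-partner.example:$2b$12$constructedbcryptlookalike0000000000000000000000000
ceo.personal@mail.example:letmein
random@unrelated.example:hunter2
"""


def classify_secret(secret):
    """plaintext / weak-hash (unsalted fast hash) / strong-hash (modular-crypt style)."""
    if HEX_RE.match(secret) and len(secret) in UNSALTED_HEX_LENGTHS:
        return "weak-hash"
    if secret.startswith("$"):           # $2b$ bcrypt, $6$ sha512crypt, $argon2id$ ...
        return "strong-hash"
    return "plaintext"


def parse_line(line):
    """Return (email, secret) for an 'email:secret' line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    email, sep, secret = line.partition(":")
    if not sep or "@" not in email or not secret:
        return None
    return email.lower(), secret


def scope_of(email, org_domains, vip_addresses, supply_domains):
    """Which watch list the address matches, or None if out of scope."""
    domain = email.rpartition("@")[2]
    if email in vip_addresses:
        return "vip"                     # key personnel's personal address
    if domain in org_domains:
        return "org"
    if domain in supply_domains:
        return "supply-chain"
    return None


def triage(dump_text, org_domains, vip_addresses, supply_domains):
    """Decide resets, notifications and per-domain metrics for one dump."""
    org_domains = {d.lower() for d in org_domains}
    vip_addresses = {a.lower() for a in vip_addresses}
    supply_domains = {d.lower() for d in supply_domains}
    result = {"reset": [], "notify": [], "ignored": 0, "by_domain": Counter()}
    for line in dump_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        email, secret = parsed
        scope = scope_of(email, org_domains, vip_addresses, supply_domains)
        if scope is None:
            result["ignored"] += 1       # neither ours nor our supply chain
            continue
        result["by_domain"][email.rpartition("@")[2]] += 1
        kind = classify_secret(secret)
        if scope in ("org", "vip") and kind != "strong-hash":
            result["reset"].append(email)    # exposed password or crackable hash
        elif scope == "supply-chain":
            result["notify"].append(email)   # we cannot reset it; tell the partner
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_DUMP, ["hitrust-member.example"],
                    ["ceo.personal@mail.example"], ["vendor-partner.example"])
    print(report)
```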


Configuring Keyword Alerts


Advanced Search


What to do about VirusTotal?
• You may want to audit which of your security appliances might be sending files to VirusTotal, and disable that submission.
• PII, user lists, etc. should be encrypted when emailed, since you never know who is watching or how these messages are propagated to places like VirusTotal.
• Use CTX, as previously mentioned, to identify these exposures.


NSS LABS VULNERABILITY TRENDS AND LIVE DEMO


Threat Capabilities Report
• NSS observed a surge in command and control activity in South America in September.
• Exploits and attack campaigns primarily targeted Adobe, Silverlight and Internet Explorer.
• The number of Silverlight attacks surged in September, compared to the previous 3 months.
• The majority of attacks continued to focus on popular enterprise operating systems such as Windows 7 SP1 (71%) and Windows XP SP3 (26%).
• In the latter part of August, NSS observed that an exploit for CVE-2014-6332 was used to deliver antivirus software from two Chinese vendors in a campaign targeting Chinese users.


Top Targeted Applications and Operating Systems

Application/OS Combination Windows 7 SP1 Windows Vista SP1 Windows XP SP3

Adobe Flash Player 10.2.152.26 • •

Adobe Flash Player 17.0.0.188 •

Adobe Reader 9.2 • •

Internet Explorer 7 •

Internet Explorer 8 •

Internet Explorer 9 • •

Silverlight 1 • •

Silverlight 3 • •

Silverlight 4.0.5 •

Silverlight 4.0.51204 • •

Data from September 2015 - NSS Labs


Top Origin of Threats

Action: While it is not feasible to block access to popular domains in the United States, blocking access to e.g. Russia and other countries might be.

Share of threat origin by country: United States 44%, China 20%, Hong Kong 14%, UK 6%, Canada 4%, Netherlands 4%, France 3%, Italy 3%, Russia 2%, Germany 1%

Data from September 2015 - NSS Labs


Top Command and Control Hosting by Geo

Rank  Country
1     China
2     United States
3     Hong Kong
4     Romania
5     Portugal
6     Ukraine
7     Bulgaria
8     Venezuela
9     Argentina
10    Poland

Data from September 2015 - NSS Labs


C&C Server Locations & Callback Ports
10 commonly used command and control (C&C) server locations in combination with 10 commonly used callback ports

Action: Track C&C port behavior to limit data breaches.

Ports (columns as on the slide): 80, 443, 8080, 3128, 82, 38950, 88002, 1733, 42857, 40008

Country         Ports observed (one bullet per port, as on the slide)
Argentina*
Bulgaria
China           • • • • • • • •
Hong Kong       •
Poland*
Portugal        •
Romania         • •
Ukraine         •
United States   • • •
Venezuela*

Data from September 2015 - NSS Labs


CAWS: Live Presentation

https://caws.nsslabs.com/


HITRUST


CSF Controls Related to Threats CSF Control for Compromised Credentials • Control Reference: 01.d User Password Management

– Control Text: All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user.

– Implementation requirement: Passwords should be confidential, passwords should be changed under indication of compromise, passwords should not be reused, passwords should not be shared or provided to anyone.


CSF Controls Related to Threats CSF Control for Vulnerability Patching •  Control Reference: *10.m Control of technical vulnerabilities

–  Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk

–  Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.


CSF Controls Related to Threats CSF Control for Suspicious Domain Registrations (Cybersquatting) • Control Reference: 01.i Policy on the Use of Network Services

– Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.

–  Implementation requirement: The organization shall specify the networks and network services to which users are authorized access.


CSF Controls Related to Threats CSF Control for Dropper tools dropping basic Backdoors / RATs • Control Reference: 09.j Controls Against Malicious Code

– Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.

–  Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.


Q&A SESSION


Visit www.HITRUSTAlliance.net for more information

To view our latest documents, visit the Content Spotlight