Saturday, October 19, 2013

You're Owned and Just Don't Know It. The Malware Obfuscation attack.

Note
NO company listed on this page offers a "Magic Bullet Solution or Tool.  Just wanted to clarify that   FYI.  Some remediation and solution providers are listed at the bottom.

As far as solution providers and tools:  Everyones environment is different, and each requires its own set of tools based on budget, corporate culture, and topology. 


Onward,

  I'm going to ask you a question that I don’t want you to answer.  Just to take a moment and think about it.  Do you think your network is already compromised, and you just haven’t found out about it yet?
That thought probably keeps you up at night, or it should.

“The bad guys” aka The Adversary 
What do they want? This all depends on the threat actor, some just want to see the world burn, what do the rest want?
Many are after Intellectual Property, financial information, destroying company reputation, etc.
Financials
Customer reputation
Money
Contacts
Destruction

Often it’s just a global crimeware kit, and the author discovered he had much more than a user with a bank account, and sells you out to the highest bidder.

The Magic Bullet Solution: 
Organizations from various sectors are spending vast amounts of money on more, and more advanced threats tools.
Managers, CISOs, and CIOs are speaking with vendors or reading articles advertising various tools, which may or may not fit within your companies budget, and the vendors are selling these tools as a "silver bullet solution."
The reality is most organizations already have an arsenal of tools, and not enough staff to review the data that's already being collected, and attempting to monitor their production environment.  These new tools only add more information the analysts cannot ingest, let alone form a picture of what's actually occurring on the network.

The adversary has the same or similar tools, and knows exactly what tools your organization uses, and they know how you use them, against you, and I'll tell you why.  For the single-purpose of staying one-step ahead of these tools, and continuing to perfect their obfuscation techniques.

The Con’s Recon: 
How does an adversary gain information about an organization?
This information is learned using what is called social profiling; this can be accomplished on sites similar to, LinkedIn, Facebook, Twitter, and Google. With the use of these sites an adversary has the ability to track your organization, and create an organizational chart, down to who reports to whom, and which manger reports to which director, and which director reports to which VP, and so forth. This includes phone numbers, email addresses, personal blogs, and through social engineering can even obtain information about where your children go to school, what your personal schedule is, and what packages you're expecting in the mail.
People like to talk about themselves, and they like to blog, tweet, and post on pictures on Facebook showing what they’re doing.  This also can leave geo location information in pictures.  Without proper privacy settings on any of these platforms this information is practically public to the entire world!

The tools of the Trade:
Cree-py
Maltego 
The Harvester
http://checkusernames.com/ Check Usernames - Useful for checking the existence of a given username across 160 Social Networks
Human Intelligence (HUMINT) Methodology always involves direct interaction - whether physical, or verbal.
Gathering is usually done under an assumed identity (remember pretexting?).
Key Employees
Partners/Suppliers
IMINT can also refer to satellite intelligence, (cross over between IMINT and OSINT if it extends to Google Earth and its equivalents).
Covert Gathering - Corporate
On-Location Gathering
Physical security inspections
Wireless scanning / RF frequency scanning
Employee behavior training inspection
Accessible/adjacent facilities (shared spaces)
Dumpster diving
Types of equipment in use
Offsite Gathering
Data center locations
Network provisioning/provider
Foundstone has a tool, named SiteDigger, which allows us to search a domain using specially strings from both the Google Hacking Database (GHDB) and Foundstone Database (FSDB).

How would you enumerate the targets infrastructure without touching it?

Maltego is a program that can be used to determine relationships and real world links between:
People
Groups (Social Networks)
Companies
Organizations
Web Sites
Domains



So again what information do I want with these tools???
Network blocks, and owned ASNs
Email adresses
External infrastructure profile
Technologies used Peremeter tools
Purchase agreements 3rd party vendors
Remote access
Application usage  Browser user agents…
Defense technologies
Human capability

These individual targets are going to be inside your organization, and closest to the data the advisory is trying to gain access, and with the least possible resistance.
This can all be done with a simple phone call to an individual administrative assistant, and actually use the personal information they received on the Internet to use against the victim.  All to make that individual perceive they're giving information to a person they know or trust.
Gain a false sense of trust in order to get the individual target to drop their defenses.

The Delivery
With all this reconnaissance information,  an adversary can build a profile of what tools are being used in your perimeter, what operating systems are used on workstations, and potentially account names, and  even passwords, once again, only using social engineering.

This is the intelligence required to create the perfect RAT , which will be used, once inside the organization.
Exploits can be written, and used against specific operating systems, common applications like browsers, Adobe or Oracle products.  This even includes version each application is using.
Yes social engineering.

With the intelligence gathered on your organization the RAT is packaged up, and all that’s left is a creative method of delivery. Phishing, Watering Hole, Thumb Drive, or in this case a spear phishing attack.
The delivery will most likely make it through your perimeter because the scoring is fairly low, often only choosing a single target to decrease the fidelity of the event from triggering an alert.

Of course this was tested against your perimeter with several previous fake fishing type email probes to several recipients or potentially single-user with nothing more than a URL, and a short message

 The intent is to create a DNS query (roll call) from the link is clicked on.  In reality it was nothing but a harmless http or https request, none of which would cause an alarm by any of your perimeter tools.  This query, would of course, resolve to a local address in a legitimate hosting provider's ASN, and the would be monitored for hits using DNS monitoring tools.

The weaponized email will contain a link that will actually perform an http /GET to download a well-known EK.

It’s the Payload inside this EK that will contain the RAT the adversary created, both making the advanced threat tools and the cyber security department played the fool.
You see the average response will most likely be this was a typical malware campaign, and will most likely end up as a reimaged of the host within a given period of time.

The RAT will use the information gleaned from their “Recon” social engineering phase against your company’s weaknesses.

Once the emails embedded URL is clicked, and the payload is delivered, the dropper EK actually extracts its contents with various premeditated exploits by either embedding them into memory or even a video card.  The exploit could be a utility that spoofs the source of browser updates, or well known exploits targeting Adobe or Oracle products, or just attempts to finds cloud storage with open file shares like Dropbox, or vulnerabilities in your already known operating systems.

The first objective of the RAT has been known and used for a long time with tools like Metasploit or other hacking tools; looking for a jump host.  The adversary wants off this machine and onto another machine as quick as possible (persistence).

At this point there’s no requirement for any command-and-control, thus there's no contact from the RAT.  The communication would be limited to lateral movement and only detected if you use, or have  a solid endpoint security solution.
Now the RAT's objective is to harvest data on the infected machine or machines, and only then make a connection to a predetermined location and exfiltrate using SSL HTTP or FTP.  This exfiltration of data could even be transmitted from several of the jump hosts in a peer-to-peer sharing application, and in several simultaneous garbage looking transmissions like bit torrent.

Remember the RAT is already inside the perimeter.  The adversary is in the squishy center of your network.
The infected hosts can remain silent for as long as the adversary deems fit for sufficient information gathered, and the security department to completely forget the original alert from the first infected host of the phishing infection.

A few days later the victim companies financials, accounts, passwords, intellectual properly,  network topology from critical systems show up on Pastebin or in the media, or sold off to the highest bidder.

A few take away points:

  • Crack SSL if your organization permits it, and understand your egress traffic.
  • Don't take a crimeware kit for face value. Use your Advanced Threat tools but do the Forensics @Volatility is priceless. You might have missed the advanced threat you've been looking for.
  • Stop wasting money on tools that are always one step behind the adversary and always promising, "that feature is in the next release”
  • Find respectable companies that can help find tools to fit your organizations needs and at an affordable price.
  • Use Passive tools to prevent giving away your indicators letting the adversary know you saw them.  Virustotal "search feature",  OpenDNS
  • COLLABORATE  COLLABORATE COLLABORATE with other organizations in your industry.  This is priceless information.  What activity are you both seeing, and put two and two together.
  • RSS research feeds are your friend.  A great project to mention for Security professionals for RSS feeds is The OpenSourceRSSList       
I highly recommend this list for #DFIR #Infosec || research groups like:






Naming a few off the top of my head. Solid research groups!! 
  • Pull out indicators you can use for advance threat detection tools.
  • Find and follow Forensic groups or DFIR.  Their already doing this research for you including cracking XOR, Obfuscation, identifying fake registrar's selling domains to crimeware organizations..   etc.
  • Get HELP.  Stop reading fluff in magazine reviews.  RIGHT tools, and the right advise for your infrastructure!  Accuvant MicroSolved 
  • Most important of all; Have a good incident response plan or IRT.  Know what, and how you're going to recover from this type of breech when it finally hits your organization.


- Jim @RazorEQX  (lacking an editor)

Hope this helps.   In the end we can all #awkwardhug



No comments:

Post a Comment