Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hacking Exposed 7 Network Security Secrets & Solutions Chapter 6 Cybercrime and Advanced Persistent Threats 1.

Similar presentations

Presentation on theme: "Hacking Exposed 7 Network Security Secrets & Solutions Chapter 6 Cybercrime and Advanced Persistent Threats 1."— Presentation transcript:

1 Hacking Exposed 7 Network Security Secrets & Solutions Chapter 6 Cybercrime and Advanced Persistent Threats 1

2 Cybercrime and Advanced Persistent Threats What is an APT? – Operation Aurora – Anonymous – RBN What APTs are not? Examples of popular APT tools and techniques Common APTs indicators 2

3 What is an APT? APT: US Air Force, 2006 Advanced: capable of crafting custom exploits and tools for selected targets Persistent: long-term objective without being detected – low-profile without interrupting normal operation Threat: organized, funded, and motivated Examples: – Spear-phishing email Include malware to exploit user’s computer Or refer the user to a server delivering custom malware Email systems and exploit malware (Trojan droppers): leased or pay per install – Other techniques: SQL injection, meta-exploits, phishing, social networking 3

4 Multiple Phases of APTs Targeting – Collect info about the target and test: vulnerability scanning, social engineering, spear-phishing Access/compromise – Gain access: ascertain host info, collect credentials for additional compromises, obfuscate intention by malware Reconnaissance – Enumerate networks and systems Lateral movement – Move through network to other hosts Data collection and exfiltration – Establish collection points and exfiltrate via proxy Administration and maintenance – Maintain access over time 4

5 Operation Aurora Code-named by investigators Google, Juniper, Adobe, and at least 29 others – Lost trade secrets and competitive info in 6 months Gain access to victims’ network – By targeted spear-phishing emails to employees with a link to Taiwanese website hosting a malicious JavaScript which exploits IE vulnerability for remote code execution – Malicious JavaScript, CRC routine of 16 constants, undetected by virus scanners IE vulnerability – allows Trojan downloaders to download and install backdoor Trojan RAT (remote administration tool) for SSL-encrypted communications Follow-up steps: network reconnaissance, compromise Active Directory, access computers for trade secrets, exfiltrate info From China? – CRC code published in simplified Chinese language – 6 command-and-control IP addresses in Taiwan, traced to 2 schools in China Other APTs campaigns with similar patterns: Night Dragon in 2010, RSA Breach and Shady RAT in 2011 5

6 Anonymous From 2011, a loosely affiliated group or collection of groups, to expose sensitive info to public or interrupt services (DOS) A variety of hacking techniques – SQL injection, cross-site scripting, web service vulnerability exploits, social engineering (targeted spear-phishing, imitating employees like help desk personnel) 6

7 RBN (Russian Business Network) From St. Petersburg to international cybercrime Operates several botnets for spamming, phishing, malware distribution – Identity or financial theft – Very sophisticated malware tools to remain persistent – A platform for subscribers to conduct activities Hosts pornographic subscription websites 7

8 What APTs Are Not Not “hacks of opportunity” Neither a single piece of malware, a collection of malware, nor a single activity Coordinated and extended campaigns with a purpose – whether competitive, financial, reputational, or otherwise 8

9 Examples of Popular APT Tools and Techniques Malicious email Gh0st attack Memory capture File/process capture Lost Linux host Indicators of compromise 9

10 Malicious E-mail Phishing email with URL to click To trace back, use tools – WHOIS – Robtex Swiss Army Knife Internet Tool – PhishTank 10

11 Gh0st Attack Gh0st RAT (Remote Administration Tool) From China: 2008-2010 on the office of Dalai Lama Gh0st RAT – Existing rootkit removal, file manager, screen control, process explorer, keystroke logger, remote terminal, Webcam eavesdropping, voice monitoring, dial-up profile cracking, remote screen blanking, remote input blocking, session management, remote file downloads, custom gh0st server creation 11

12 Indicators of Compromise For malware to survive a reboot – Using various “Run” registry keys – Creating a service – Hooking into an existing service – Using a scheduled task – Disguising communications as valid traffic – Overwriting the master boot record – Overwriting the system’s BIOS Forensics techniques and incident response procedures documented in RFC 3227, in the order of volatility – Memory – Page or swap file – Running process info – Network data such as listening ports or connections – System registry – System or application log files – Forensics image of disk – Backup media Toolkit on CD-ROM – AccessData FTK Imager – Sysinternals Autoruns – Sysinternals Process Explorer – Sysinternals Process Monitor – WinMerge – Currports – Sysinternals Vmmap 12

13 Memory Capture Memory dump to external mass-storage device and analyze malware – Hacking tools use process injection and obfuscation Memory dump: FTK Imager Memory analysis: HBGary, FDPro, Responder Pro, Mandiant Memoryze, Volatility Framework – Extract process-related info, threads, strings, dependencies, comm., Windows OS files (Pagefile.sys – page file, Hiberfil.sys – swap file; right click to export the files) – The Sandman Project: approach to analyze memory files – Steps in Volatility Framework: image identification  retrieve processes  check connections of processes  look into a process with PID  dump DLLs from this process  check content of DLL with strings command  Volatility plug-ins to check traces of malware (e.g. malfind plug-in: detect hidden or injected processes)  upload result files to VirusTotal 13

14 File/Process Capture (1/2) Master File Table (MFT): metadata (filename, timestamp, file size, etc.), timeline is important Network/process/registry: netstat to find connections and process PID Host file: check any changes Currports: look into a current open port and its DLL Process Explorer: lookup a process, its DLL references, and cmd.exe shell executions Process Monitor: lookup process-kernel interactions  understand how malware modifies a compromised system and provide indicators for detection tools VMMap: show virtual/physical memory map, check DLL strings  malware strings to imply RAT DNS Cache: find other possible infection hosts Registry Query: reg query to check for suspicious Registry entries of Run keys 14

15 File/Process Capture (2/2) Scheduled Tasks: at to find scheduled tasks Event Logs: psloglist to retrieve System and Security Event logs  commands issued by attackers Prefetch Directory: last 128 unique programs executed Collecting interesting files: ntuser.dat (user profile), index.dat (requested URLs),.rdp files (remote desktop session info),.bmc files (bit map to clients), antivirus log files (virus alerts) Analyzing RDP files: servers accessed, login info, etc. in XML  attackers use RDP to connect to other servers Analyzing BMC files: cached bitmap image for performance  BMC Viewer to find attacker’s access to applications, files, network, credentials Investigating System 32 Directory for anomalies: diff system32 directory with cache directory to find files changed since installation .dll,.bat,.rar,.txt Antivirus logs: check configurations that exclude detection of certain PUP (Potentially Unwanted Program), e.g. netcat/nc Network: analyze traffic between compromised host to C&C server  other targeted hosts  signatures for IDS 15

16 Summary of Gh0st Attack Phishing email Backdoor placed when malicious link clicked Backdoor hides itself to survive a reboot Connection to C&C Check internal domain, create accounts, use Terminal Server to hop to other hosts (Event Logs) Add/modify some files (diff \System32) Look for documents and zip for exfiltration Create a 2 nd backdoor using netcat Create user account and execute FTP (Windows Security Event Log) Schedule a new job to clean logs everyday 16

17 Linux APT Attack Scenario: Apache Tomcat server with weak credentials Metaexploit Framework to penetrate and get a shell – Connect to Tomcat, find \shadow.bak, crack passwords – With root account, Sudo su – to run all commands – Upload PHP backdoor, create a SUID root shell for getting root back in case a password gets changed – Use host pivot to other hosts: leave little on the host To diagnose the host – Block access by firewall – Check root account history, check added/modified files, check logs for sudo su – commands – Check listening ports and connections with netstat and lsof – Check hidden files in RAM drives, drive slack space, /dev, hard-to-see file or directory like “.. ” (dot-dot-space), /tmp and /var/tmp 17

18 Summary of Linux APT Attack Root access through Tomcat server with weak credentials Evidences of scripts and SUID shell binaries – Several ways to get back: accounts, PHP shell, SUID shell, etc. Attackers explore environment and look for other targets With Metaexploit Framework, compromised host used as a pivot host (without tools installed) Run shells like Meterpreter in memory without disk writes 18

19 Poison Ivy RAT A ubiquitous tool used by many APT campaigns (Operation Aurora, RSA Attacks, Nitro) – Similar to gh0st RAT – Source code available for custom-purposed Trojans – Deployable by phishing email with a Trojan dropper suffixed with a self-executing “7zip” extension – Detected by Malicious Software Removal Tool (MSRT) – Often seen on “snatch-and-grab” compromises of computers A tool itself is not an APT, the persistent campaign is! 19

20 TDSS Malware A botnet of hosts compromised by TDSS – “Malware as a service” for subscribers DDoS attacks, click fraud for advertising revenues, backdoor installation and execution, etc. Subscription through websites such as Targeted at compromised networks of hosts in selected companies Utilized in more APT campaigns since 2011 TDSS – A rootkit with encrypted files and communications, C&C communications over compromised hosts, proxies, and P2P networks – Numerous infection vectors Application and server zero-day exploits, Black Hole Exploit kit, spear-phishing emails, viral worms via P2P/IM/NetBIOS, rogue DHCP servers, etc. 20

21 Common APT Indicators Indicators – Network comm. utilizing SSL or private encryption methods, or sending/receiving base64-encoded strings – Services registered to Windows NETSVCS keys in SYSTEM folder with DLL or EXE extensions – Copies of cmd.exe as svchost.exe or other file names in TEMP folder – LNK files referencing executables that no longer exist – RDP files referencing external IP addresses – Windows Security Event Log entries with external IP addresses or computer names that do not match organizational naming conventions – Windows Application Event Log entries of antivirus and firewall stop and restart – Etc. Recent APT procedures: 14 steps (expanded from the previous steps) 21

22 APT Detection Administrative procedures – Create a file system index to audit changes A simple diff analysis of index files – Alert admin logons – Firewall or IDS to monitor inbound RDP/VNC/cmd.exe Products – Endpoint security products (AV, HIPS, file system integrity checking) Sandbox based or reverse engineering based anti-APT products – File system auditing products for change control and auditing – Network intelligence/defense products (IDS/IPS) – Network monitoring products (Tcpdump) – Security information/event management products with correlation and reporting databases 22

Download ppt "Hacking Exposed 7 Network Security Secrets & Solutions Chapter 6 Cybercrime and Advanced Persistent Threats 1."

Similar presentations

Ads by Google