1
Firesale, Fancy Bears & BotNets
1D10T / HDN
2
Recap Firesale Back in 2014-2015
Disruption of elections via electronic warfare
Cyber Berkut ("special" police unit...)
Ties to Russia(?)
3
IP connections came up from Donbas and Eastern Ukraine groups linked to Russia and the FSB; we followed them to websites and C&C servers that were online when we started the investigation. Who was it??? Led to these guys... which is like this (slide images).
4
Searching for more details on our friends...
After submitting our results to CERT and DHS the servers went offline..... (did I mention we never got any credit...yeah)
5
Then this happened.... Yeah right...
6
Signatures that we found mapped to at least two other confirmed nation-state (FSB) sponsored attacks (APT38 / Sandworm). Similarities maybe??? Signatures in the code were similar to other attacks that are suspected from APT38 + Sandworm.
7
FireSale – Attack on Ukraine CI
Plan: Create game plan; Gather intel on targets; Develop multiple infection vectors (phishing / social engineering); VPN / hide in plain sight attack structure; Build C&C architecture
Disinformation: Plant Facebook and other sites pointing to specific groups; Groups (mysteriously) have issues; Some servers go offline; Samples map to other previous FSB and Russia attacks
Infection Stage – Social Engineering: Observe weak & blind spots; Carefully crafted e-mails sent to targets
Infection Phase 2: Pick up BlackEnergy via C&C servers; Install driver files based on hardware type; Install "timer"; Wait for new orders
Discovery: Install ololo.exe; Connect to C&C servers based on location; Infect AD servers and spread; Confirm location and industry
Day 0: Order for Day 0 is sent (election disruption); Execute payload to disrupt servers; Execute payload to get admin rights; Look for video files; Delete tracks
8
CYBER KILL CHAIN
Reconnaissance: Harvesting e-mail addresses, conference information, etc.
Weaponization: Coupling exploit with backdoor into deliverable payload
Delivery: Delivering weaponized bundle to the victim via e-mail, web, USB, etc.
Exploitation: Exploiting a vulnerability to execute code on victim's system
Installation: Installing malware on the assets
Command & Control (C2): Command channel for remote manipulation of victim's system
Actions on Objectives: With 'Hands on Keyboard' access, intruders accomplish
9
Update Firesale: Infector was a file sent via (tada) phishing
Excel with macro virus (#facepalm)
Multiple attacks using similar vectors
Some new shit to cover tracks and make things more difficult
After the attack happened we saw more that indicated an actual campaign
10
Update Firesale: What bugged me was the fact that this was way too much work for a one-off attack. We found no real cyber crime related motive (money, fame, shits-n-giggles). So what was the real intention? I assumed it was a POC and more was to come..... Turns out I was right...
11
FIRESALE ENTRY POINTS INTO CI NETWORKS
Diagram labels:
FRONT DOORS
"PRIVATE / CORP NET" BUSINESS LAN
BACK DOORS
INTERNET
OTHER FACILITY
SUPERVISORY NETWORK
BLIND SPOTS
"CONFIDENTIAL"
CONTROL SYSTEM
FIELD SYSTEM
"CRITICAL"
12
FIRESALE ATTACK POINTS INTO CORPORATE NETWORKS
Diagram labels:
UNNECESSARY PORTS & SERVICES RUNNING
WEAK FIREWALL RULES
BUSINESS LAN
LACK OF NETWORK ACCESS CONTROLS
INTERNET ENTRY PATH
BACK DOORS
WEAK VPN RULES & COMPROMISED CLIENT
CRM
WEAK PASSWORDS
WEAK FIREWALL RULES
SUPERVISORY NETWORK
13
Conclusion
Classical vectors: targeting a VPN user with a very well crafted phishing was the initial way into the network
Looked like legitimate gov correspondence
The malware was dormant until just before the elections; then the magic started
If elections were disrupted, would this happen again, and to the US or Germany? We found out that a reasonable assumption was yes
Some info I collected later on social media botnets and other pwns led me to believe it "could" be the same organizers (as always, lack of data prevents a 100% ID)
14
And then there was FancyBear
15
Timeline of additional attacks after the elections…
US DNC & Co...: DNC servers (educated guess based on signatures); Clinton servers (educated guess based on signatures); Voter registration DBs (DarkNet); Data falsification (end game); Social media tampering (current)
PowerGrid: 1.5-2 months after media / election attack; SCADA systems hit by new variant and older pieces of BlackEnergy; Different attack but some similarities
PowerGrid again: Similar attacks, target was VPN-based user; Infected network and caused disruptions
Media industry: 1st attack; Massive infection campaign (phishing attack); Industry-wide targeted
Airport: Kiev airport; Goal to cause disruptions
European attacks: Metal industry / Thyssen; Other attacks
16
So what are these guys up to now?
After initial attack, toolkit got updated with more goodies
Campaign produced more attacks
Election disruptions were a good idea
Then data got pwned again: voter data, SSNs, PI anyway...
Voting machines are vulnerable
New target: elections USA(?)
17
New targets??? We discussed in the update that the initial infection and disruption in Ukraine was only a possible POC. As Nov 8 came closer I saw more and more seemingly "unrelated" pwns and attacks form a cluster of probabilities that there "may" be another agenda going on. Then voter reg databases got pwned and leaked; SSNs were already out there in the dark... Then more data: driving licenses. A trend appears? Lastly, voting machines with no real patch management (2+ years in some cases...). Yeah #facepalm
18
US Elections: My prediction was that something would happen during elections if the same folks were at play... Then at around 8:30 AM during Election Day the crazy started...
19
US Elections: Saw an interesting botnet start to DDoS various services
Different than other attacks: infections happened very quickly and used different ports this time
Attacks came in waves (30-45 sec)
Got stronger and stronger but not over 0.6 Gbps
Involved 12k attackers and infectors
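The wave pattern described above (bursts of 30-45 s from many sources, growing in strength but staying under 0.6 Gbps) is the kind of thing a defender wants to measure rather than eyeball. Added example, not the talk's own tooling: it bins constructed flow records (timestamp, source IP, destination port, bytes) into 10-second windows, reports distinct sources and bit rate per window, and groups consecutive busy windows into waves.

```python
"""Characterise a DDoS from flow records: distinct sources and bit rate per window,
then group busy windows into 'waves'. Added example, not the talk's own tooling; the
flow records are constructed (timestamp s, source IP, dest port, bytes)."""
from collections import defaultdict

def make_burst(start, seconds, n_sources, bytes_per_src_per_sec):
    """Constructed flow records for one wave of n_sources hosts over `seconds` seconds."""
    return [(start + s, f"10.{i // 256}.{i % 256}.1", 7547, bytes_per_src_per_sec)
            for s in range(seconds) for i in range(n_sources)]

# Constructed sample: three waves of 30-45 s that grow in strength, with quiet gaps.
SAMPLE_FLOWS = (make_burst(0, 30, 300, 20_000)
                + make_burst(60, 40, 600, 25_000)
                + make_burst(130, 45, 900, 30_000))

def window_stats(flows, window=10):
    """Map window start -> (distinct sources, rate in Gbit/s) for each busy window."""
    buckets = defaultdict(lambda: [set(), 0])
    for ts, src, _dport, nbytes in flows:
        b = buckets[(ts // window) * window]
        b[0].add(src)
        b[1] += nbytes
    return {start: (len(srcs), total * 8 / window / 1e9)
            for start, (srcs, total) in buckets.items()}

def find_waves(flows, window=10, min_gbps=0.01):
    """Return waves as (start, end, peak_gbps, max_sources); a wave is a run of busy windows."""
    stats = window_stats(flows, window)
    waves, cur = [], None
    for start in range(0, (max(stats) if stats else 0) + window, window):
        n_src, gbps = stats.get(start, (0, 0.0))
        if gbps >= min_gbps:
            if cur is None:
                cur = [start, start + window, gbps, n_src]
            else:
                cur[1], cur[2], cur[3] = start + window, max(cur[2], gbps), max(cur[3], n_src)
        elif cur is not None:
            waves.append(tuple(cur))
            cur = None
    if cur is not None:
        waves.append(tuple(cur))
    return waves
```

On the constructed sample this yields three waves of 30, 40 and 50 s (the last includes a partial window) with 300, 600 and 900 sources, peaking at 0.216 Gbit/s.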
20
Nov 8 Election Day.. Nice botnet traffic, DDoS
Funny enough, more in swing states. Was this a coincidence? If so, why not just pwn shit for real? Connections to RU, CN, USA... A group or nation? Not the same as other DDoSes
21
Nov 8 Election Day.. Interesting attack, not like LizardSquad, etc...
If an attack is different then is it the same? No, different group and goal We saw disruptions before in Ukraine Same actors? Data is incomplete but a guess
22
There is always an 1d10t…. So we have DDoS again (also was used by CyberBerkut before). We have massive infections and DDoS attacks. Lots of Telnet, port 7547 (DSL mgmt ports). Telcos got hit: AT&T, T-Mobile, Verizon, Level3. HTTP irregular traffic. Hardcoded passwords (WTF)..
23
There is always an 1d10t…. DSL Modems and BusyLinux......without security.... Millions of DSL modems around and many with BusyBox in various forms
24
Botnets and fancy bears (again)
2+ months before elections, Twitter "users" appeared and followed me and others. Interesting traits were that users spammed and hate-posted anyone against Trump. I wanted to know who it was and if it was our friends from the Ukraine attacks.
25
Observation..Twitter Accounts cropped up left and right
"women", "vets"... #MAGA #Imwithisrael... You get the picture. Users shitposted a lot... Attacked anyone not supporting Trump. Soon after, attacks on the websites from RU, Vietnam, China, US, etc.
26
Observation..Twitter: After months of fighting, got smarter
Used Python to monitor attackers' timelines and build a picture: timeline, friends, followers. Was there a link back to Russia?
27
Observation..Twitter: Analysis of multiple accounts looked like bots and coordinated attacks, and a campaign? Wikileaks acts weird. After folks question Wikileaks, a msg: "We were compromised now..." The message looked like GRU/FSB. Coordination with pro-Trumps and Wikileaks / news. This never happened before... Against gov, but now that changed...
28
Twitter and FancyBear: New "users" appeared like crazy previous to the election. After elections 100s of these "users" just disappeared... I smell bots n campaigns, but who.... Started collecting manual data about some specific users. A picture with common connections emerged. Time for some homework...
29
Social Botnet – A Pre-Study
BotorNot: Based on initial study back in 2011(!). Updated in 2016 here: bots/fulltext#
30
Social Botnet – Python/HTTP API
BotorNot provides an API for Python that can be installed via pip
Provides an API for HTTP / tweepy, Twitter API
Based on initial study back in 2011(!). Updated in 2016 here:
31
Beginning: I wanted to track attacks that I suspect are nation-state in nature. Collect data based on Bayesian / neural networks and classifiers. Use the data to alert and defend against new attacks.
32
What kind of data...
Collect data about risks that is neutral
Collect data about breaches
Collect data from crawlers
Collect data manually, from audits, etc.
33
Data Storage
How much data do I need to classify?
Where and how do I store that data?
Standardizing and pruning excess data
Elasticsearch database
34
Using the data for intelligence
What does the data say, what can I use it for?
Using a way to "classify" something as "something"
Bayesian algorithms and neural networks...
Putting this all together into my own system
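The "classify something as something" step above, applied to the earlier Twitter observations (account age, posting rate, follower ratio, default picture), as an added example that is not the talk's own system: a Laplace-smoothed categorical Naive Bayes over constructed, coarsely binned account traits with assumed bot/human labels. Real deployments would derive the bins from collected timeline data; the feature names and bins here are assumptions.

```python
"""Categorical Naive Bayes for scoring social-media accounts as bot vs human.
Added example, not the talk's own code; feature bins and labels are constructed."""
import math
from collections import Counter, defaultdict

# Constructed training data: coarse bins of account traits -> assumed ground-truth label.
TRAINING = [
    ({"age": "new", "tweets_per_day": "high", "follow_ratio": "low",  "default_pic": "yes"}, "bot"),
    ({"age": "new", "tweets_per_day": "high", "follow_ratio": "low",  "default_pic": "no"},  "bot"),
    ({"age": "new", "tweets_per_day": "mid",  "follow_ratio": "low",  "default_pic": "yes"}, "bot"),
    ({"age": "old", "tweets_per_day": "high", "follow_ratio": "low",  "default_pic": "yes"}, "bot"),
    ({"age": "old", "tweets_per_day": "low",  "follow_ratio": "high", "default_pic": "no"},  "human"),
    ({"age": "old", "tweets_per_day": "mid",  "follow_ratio": "mid",  "default_pic": "no"},  "human"),
    ({"age": "mid", "tweets_per_day": "low",  "follow_ratio": "mid",  "default_pic": "no"},  "human"),
    ({"age": "old", "tweets_per_day": "low",  "follow_ratio": "high", "default_pic": "yes"}, "human"),
]

class NaiveBayes:
    """P(label | features) is proportional to P(label) * product of P(value | label), Laplace-smoothed."""

    def __init__(self, samples, alpha=1.0):
        self.alpha = alpha
        self.class_counts = Counter(label for _, label in samples)
        self.counts = defaultdict(lambda: defaultdict(Counter))  # label -> feature -> value -> n
        self.values = defaultdict(set)                           # feature -> bins seen in training
        for feats, label in samples:
            for f, v in feats.items():
                self.counts[label][f][v] += 1
                self.values[f].add(v)

    def log_posterior(self, feats):
        total = sum(self.class_counts.values())
        scores = {}
        for label, n in self.class_counts.items():
            lp = math.log(n / total)  # log prior
            for f, v in feats.items():
                k = len(self.values[f]) or 1  # number of known bins; unseen bins still get alpha
                lp += math.log((self.counts[label][f][v] + self.alpha) / (n + self.alpha * k))
            scores[label] = lp
        return scores

    def classify(self, feats):
        scores = self.log_posterior(feats)
        return max(scores, key=scores.get)

def bot_probability(model, feats):
    """Normalise log scores into P(bot) without underflow (log-sum-exp)."""
    scores = model.log_posterior(feats)
    m = max(scores.values())
    z = sum(math.exp(s - m) for s in scores.values())
    return math.exp(scores["bot"] - m) / z

MODEL = NaiveBayes(TRAINING)
```

A brand-new, high-volume, low-follower-ratio account with a default picture scores about 0.99 bot on this training set; the smoothing keeps a bin never seen for one class from driving the probability to exactly zero.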
35
NSight / CVUE Solution Components
Cloud (CyberNSight)
Automation
AI / Self Defense
GUI
CyberNsight technology
Appliance
Core Build
Sensors / Data
36
Collecting various endpoints and areas to build the big picture
Architecture diagram labels: IoT / Hybrid Risk Identification; Threat Defense Automation; HDN Group Lab; Actionable Risk Intelligence; Data Qualification; Smart Devices / Home / Office Automation; IoT – Internet of Things Security; Smart Phones / Tabs; House Automation / Smart Devices / Smart Home; IoT Production Smart Devices; Critical Infrastructure Devices; CNsight; Communication; DSL Modems + CyberVUE-SMB; Data Synchronizer; Management; Risk Data Collection; Reporting; Risk Intelligence; Attack Servers (C&C); Threat Actors; Sensor Rollout & Admin; E-SOCs (Enemy SOCs); Social Media Defense Analysis; CyberVUE – Data Collector
37
Sensors: Initial start was with Raspberry Pi
Shit, gets pwned too quickly, back to init 0. Need security..... Okay, ipchains, Suricata....
38
Sensors: Based on a modified version of OPNsense (pfSense had more vulns)
Includes additional packages for Nmap, GeoDB (for attacker IPs) and a few other goodies
Developed based on need for offering an on-premise security / audit tool that stays with the customer
The need for collecting risk and threat information
Adding functionality for Cuckoo malware analysis
39
CVUE- Who Attacks from Where?
40
CVUE-Qualifying Attackers and ports
41
CVUE-DNS and Domain Info, Flux or not?
42
Sensors and Collectors
After building sensors that collect data that is neutral, the question was then storage and analysis for predictions
I built a server and system from scratch with a database and Linux
Build light and secure code
Connects with crawlers, manual, automated data and Elasticsearch
Build classifiers, predict risks and report them
Keep everything easy to use, and some fancy-schmancy for reporting
43
Nsight-Centralized Threats and Risks Dashboard
44
Nsight-Botnets and Co (attackers, members and infectors)
45
Nsight-Centralized Logging, Data Collection and Standardization