Hacking Exposed 7: Network Security Secrets & Solutions, Chapter 6: Cybercrime and Advanced Persistent Threats
Cybercrime and Advanced Persistent Threats
• What is an APT?
• Operation Aurora
• Anonymous
• RBN
• What APTs are not
• Examples of popular APT tools and techniques
• Common APT indicators
What is an APT?
• APT: term coined by the US Air Force in 2006
• Advanced: capable of crafting custom exploits and tools for selected targets
• Persistent: pursues a long-term objective without being detected; keeps a low profile and does not interrupt normal operation
• Threat: organized, funded, and motivated
• Examples:
  • Spear-phishing email that either carries malware to exploit the user's computer or refers the user to a server delivering custom malware
  • The email delivery infrastructure and the exploit malware (Trojan droppers) are leased or bought on a pay-per-install basis
  • Other techniques: SQL injection, meta-exploits, phishing, social networking
Multiple Phases of APTs
• Targeting: collect information about the target and test it (vulnerability scanning, social engineering, spear-phishing)
• Access/compromise: gain access, ascertain host information, collect credentials for additional compromises, obfuscate intentions with malware
• Reconnaissance: enumerate networks and systems
• Lateral movement: move through the network to other hosts
• Data collection and exfiltration: establish collection points and exfiltrate via proxies
• Administration and maintenance: maintain access over time
Operation Aurora
• Code name assigned by the investigators
• Victims: Google, Juniper, Adobe, and at least 29 others
• Trade secrets and competitive information were stolen over a period of about 6 months
• Initial access: targeted spear-phishing emails to employees with a link to a Taiwanese website hosting malicious JavaScript that exploited an Internet Explorer vulnerability for remote code execution
• The malicious JavaScript contained a CRC routine with 16 constants and went undetected by virus scanners
• The IE exploit let Trojan downloaders install a backdoor Trojan RAT (remote administration tool) that used SSL-encrypted communications
• Follow-up steps: network reconnaissance, compromise of Active Directory, access to the computers holding trade secrets, exfiltration of the information
• Attribution to China?
  • The CRC code had been published in simplified Chinese
  • Six command-and-control IP addresses in Taiwan were traced to two schools in China
• Other APT campaigns with similar patterns: Night Dragon (2010), the RSA breach and Shady RAT (2011)
Anonymous
• Since 2011, a loosely affiliated group or collection of groups whose aim is to expose sensitive information to the public or to interrupt services (DoS)
• Uses a variety of hacking techniques: SQL injection, cross-site scripting, web service vulnerability exploits, social engineering (targeted spear-phishing, impersonating employees such as help desk personnel)
RBN (Russian Business Network)
• Grew from St. Petersburg into an international cybercrime operation
• Operates several botnets for spamming, phishing, and malware distribution
• Identity and financial theft
• Very sophisticated malware tools for remaining persistent
• A platform for subscribers to conduct their own activities
• Hosts pornographic subscription websites
What APTs Are Not
• Not "hacks of opportunity"
• Neither a single piece of malware, a collection of malware, nor a single activity
• Coordinated and extended campaigns with a purpose, whether competitive, financial, reputational, or otherwise
Examples of Popular APT Tools and Techniques
• Malicious email
• Gh0st attack
• Memory capture
• File/process capture
• Lost Linux host
• Indicators of compromise
Malicious E-mail
• Phishing email with a URL the recipient is meant to click
• To trace it back (look the URL and the sending hosts up rather than visiting them), use tools such as:
  • WHOIS
  • Robtex Swiss Army Knife Internet Tool
  • PhishTank
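Before any of those lookups you need the names to look up. The script below is an added example (not code from the book or the slides): it parses a constructed phishing message, lists the Received hops oldest-first, pulls every URL out of the body and reduces the link hosts, the sender domain and the non-internal relay addresses to a list you would feed to WHOIS, Robtex or PhishTank. The message, its hosts and the assumption that 10/8 is the internal network are all invented for the example.

```python
"""Triage a suspected phishing e-mail: list the Received hops and the URLs
it wants the recipient to click, and reduce them to the names you would
look up in WHOIS, Robtex or PhishTank (without visiting them)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for this example; sender, relays and link
# targets are invented and use documentation/test address space.
SAMPLE_EML = """\
Received: from mail.example-corp.test (mail.example-corp.test [10.0.0.5])
\tby mx.example-corp.test with ESMTP id abc123
Received: from unknown (HELO mail.partner.example) (203.0.113.45)
\tby mail.example-corp.test with SMTP; Mon, 1 Jan 2012 09:00:00 +0000
From: "IT Help Desk" <helpdesk@partner.example>
To: employee@example-corp.test
Subject: Mandatory password update
Content-Type: text/html

<html><body>
<p>Please update your password within 24 hours.</p>
<p><a href="http://example-corp.test.login.example.net/update?id=42">Update now</a></p>
<p>Or visit http://203.0.113.45/update.php if the link does not work.</p>
</body></html>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(msg):
    """Received headers oldest-first (each MTA prepends its own line, so the
    header order in the message is newest-first)."""
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]


def extract_urls(msg):
    """Every URL in the text parts, in order of appearance, without duplicates."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for u in URL_RE.findall(part.get_content()):
            if u not in urls:
                urls.append(u)
    return urls


def lookup_targets(msg):
    """Hosts to check with WHOIS/Robtex/PhishTank: link hosts, the sender's
    domain and every non-internal IPv4 address in the Received chain."""
    targets = set()
    for u in extract_urls(msg):
        targets.add(urlparse(u).hostname)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" in addr:
        targets.add(addr.split("@", 1)[1].lower())
    for hop in received_hops(msg):
        for ip in IPV4_RE.findall(hop):
            if not ip.startswith("10."):  # assumption: 10/8 is our own network
                targets.add(ip)
    return sorted(targets)


def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    return {"hops": received_hops(msg),
            "urls": extract_urls(msg),
            "lookup": lookup_targets(msg)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EML), indent=2))
```

A relay that presents itself as `unknown` (no reverse DNS) next to a bare IP, and a link host whose left-most labels imitate the victim's domain, are the two things to look at first in the output; the lookup list is deliberately free of the internal hop so the analyst does not waste a WHOIS query on the organization's own mail gateway.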
Gh0st Attack
• Gh0st RAT (Remote Administration Tool), attributed to China; used from 2008 to 2010 against the office of the Dalai Lama
• Gh0st RAT capabilities: removal of existing rootkits, file manager, screen control, process explorer, keystroke logger, remote terminal, webcam eavesdropping, voice monitoring, dial-up profile cracking, remote screen blanking, remote input blocking, session management, remote file downloads, custom Gh0st server creation
Indicators of Compromise
• Persistence and evasion techniques to look for (how malware survives a reboot and stays hidden):
  • Using the various "Run" registry keys
  • Creating a service
  • Hooking into an existing service
  • Using a scheduled task
  • Disguising communications as valid traffic
  • Overwriting the master boot record
  • Overwriting the system's BIOS
• Forensic techniques and incident response procedures are documented in RFC 3227; collect evidence in order of volatility:
  • Memory
  • Page or swap file
  • Running process information
  • Network data such as listening ports or connections
  • System registry
  • System or application log files
  • Forensic image of the disk
  • Backup media
• Toolkit on CD-ROM (read-only media, so the tools cannot be tampered with on the compromised host):
  • AccessData FTK Imager
  • Sysinternals Autoruns
  • Sysinternals Process Explorer
  • Sysinternals Process Monitor
  • WinMerge
  • CurrPorts
  • Sysinternals VMMap
Memory Capture
• Dump memory to an external mass-storage device and analyze it for malware; hacking tools rely on process injection and obfuscation, which leave traces in memory that are not on disk
• Memory dump: FTK Imager
• Memory analysis: HBGary FDPro and Responder Pro, Mandiant Memoryze, Volatility Framework
• Extract process-related information: threads, strings, dependencies, communications
• Windows OS files worth exporting (right-click to export in FTK Imager): Pagefile.sys (the page file) and Hiberfil.sys (the hibernation file, a compressed copy of RAM, not a swap file)
• The Sandman Project: an approach to analyzing hibernation memory files
• Steps in the Volatility Framework:
  • Identify the image
  • Retrieve the process list
  • Check the network connections of the processes
  • Look into a process by its PID
  • Dump the DLLs from that process
  • Inspect the DLL contents with the strings command
  • Run Volatility plugins to check for traces of malware (e.g. the malfind plugin detects hidden or injected code in process memory)
  • Upload the resulting files to VirusTotal
File/Process Capture (1/2)
• Master File Table (MFT): metadata (filename, timestamps, file size, etc.); building a timeline from it is important
• Network/process/registry: netstat to find connections and the owning process PID
• Hosts file: check for any changes
• CurrPorts: look at a currently open port and the DLL behind it
• Process Explorer: look up a process, its DLL references, and cmd.exe shell executions
• Process Monitor: look up process/kernel interactions to understand how the malware modifies a compromised system, which provides indicators for detection tools
• VMMap: show the virtual/physical memory map and check DLL strings; malware strings can indicate a RAT
• DNS cache: find other possibly infected hosts
• Registry query: reg query to check for suspicious entries under the Run keys
File/Process Capture (2/2)
• Scheduled tasks: at to find scheduled tasks
• Event logs: psloglist to retrieve the System and Security event logs, which record the commands issued by attackers
• Prefetch directory: the last 128 unique programs executed (Windows 7 and earlier)
• Collecting interesting files: ntuser.dat (user profile), index.dat (requested URLs), .rdp files (Remote Desktop session info), .bmc files (bitmap cache for RDP clients), antivirus log files (virus alerts)
• Analyzing RDP files: servers accessed, login information, etc., stored as XML; attackers use RDP to connect to other servers
• Analyzing BMC files: cached bitmap images kept for performance; BMC Viewer shows the attacker's access to applications, files, network resources, and credentials
• Investigating the System32 directory for anomalies: diff the System32 directory against the cache directory to find files changed since installation (.dll, .bat, .rar, .txt)
• Antivirus logs: check for configurations that exclude certain PUPs (Potentially Unwanted Programs) from detection, e.g. netcat/nc
• Network: analyze traffic between the compromised host and the C&C server and other targeted hosts, and derive signatures for the IDS
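The netstat, CurrPorts and Process Explorer steps above come down to one question: which binary owns each connection, and does it belong where it is. The script below is an added example (not code from the book or the slides) that joins constructed `netstat -ano` output with a constructed process list and applies two of the chapter's host indicators: an established connection to an address outside the organization, and a binary carrying a Windows system-process name (svchost.exe, cmd.exe, ...) that does not live in System32. The sample output, the PIDs and the assumption that RFC 1918 space is the internal network are invented for the example; the TEST-NET addresses stand in for Internet hosts.

```python
"""Correlate `netstat -ano` with a process list and flag connections that
match the chapter's host indicators."""
import ipaddress
import re

# Constructed, abridged output of `netstat -ano` from a hypothetical host.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       708
  TCP    10.0.0.21:139          0.0.0.0:0              LISTENING       4
  TCP    10.0.0.21:49201        10.0.0.5:389           ESTABLISHED     540
  TCP    10.0.0.21:49377        203.0.113.77:443       ESTABLISHED     2388
  TCP    10.0.0.21:49380        198.51.100.9:80        TIME_WAIT       0
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1976
"""

# Constructed output of `wmic process get ProcessId,ExecutablePath`.
PROCESSES = """\
ProcessId  ExecutablePath
4
540        C:\\Windows\\System32\\lsass.exe
708        C:\\Windows\\System32\\svchost.exe
1976       C:\\Users\\jsmith\\AppData\\Local\\Temp\\svchost.exe
2388       C:\\Windows\\System32\\svchost.exe
"""

# Assumption: the organization uses RFC 1918 space internally.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32")]
SYSTEM_NAMES = {"svchost.exe", "cmd.exe", "lsass.exe", "services.exe", "csrss.exe"}

NETSTAT_ROW = re.compile(r"\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        local, foreign, state, pid = m.groups()
        host, port = foreign.rsplit(":", 1)  # rsplit keeps "[::1]:135" intact
        conns.append({"local": local, "remote_ip": host, "remote_port": int(port),
                      "state": state, "pid": int(pid)})
    return conns


def parse_processes(text):
    """Map PID -> executable path; System (PID 4) has no path."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 1)
        if not parts or not parts[0].isdigit():
            continue
        procs[int(parts[0])] = parts[1].strip() if len(parts) > 1 else ""
    return procs


def is_external(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # bracketed IPv6 or a hostname: leave for manual review
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def suspicious_path(path):
    """A system-process name outside System32 is the 'cmd.exe copied as
    svchost.exe into TEMP' indicator from the chapter."""
    if not path:
        return False
    name = path.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_NAMES and "\\windows\\system32\\" not in path.lower()


def triage(netstat_text, process_text):
    procs = parse_processes(process_text)
    findings = []
    for c in parse_netstat(netstat_text):
        path = procs.get(c["pid"], "")
        reasons = []
        if c["state"] == "ESTABLISHED" and is_external(c["remote_ip"]):
            reasons.append("external connection to %s:%d" % (c["remote_ip"], c["remote_port"]))
        if suspicious_path(path):
            reasons.append("system process name outside System32")
        if reasons:
            findings.append({"pid": c["pid"], "local": c["local"], "path": path, "reasons": reasons})
    return findings


def demo():
    return triage(NETSTAT, PROCESSES)


if __name__ == "__main__":
    for f in demo():
        print(f["pid"], f["local"], f["path"], "; ".join(f["reasons"]))
```

The genuine svchost.exe talking to an outside host on 443 is exactly the "disguised as valid traffic" case: the path check passes and only the destination gives it away, so this output is what you carry into the DNS-cache and network-traffic steps. Run the real commands on the host and feed their output to `triage()` in place of the constructed strings.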
Summary of Gh0st Attack
• Phishing email
• Backdoor placed when the malicious link is clicked
• Backdoor hides itself to survive a reboot
• Connection to the C&C server
• Attacker checks the internal domain, creates accounts, and uses Terminal Server to hop to other hosts (visible in the event logs)
• Adds/modifies some files (diff \System32)
• Looks for documents and zips them for exfiltration
• Creates a second backdoor using netcat
• Creates a user account and executes FTP (Windows Security event log)
• Schedules a new job to clean the logs every day
Linux APT Attack
• Scenario: Apache Tomcat server with weak credentials
• Metasploit Framework used to penetrate the server and get a shell
• Connect to Tomcat, find a shadow.bak backup of the password file, crack the passwords
• With the root account, sudo su - to run all commands
• Upload a PHP backdoor and create a SUID root shell to get root back in case a password is changed
• Use the host to pivot to other hosts, leaving as little as possible on it
• To diagnose the host:
  • Block access with the firewall
  • Check the root account's shell history, check added/modified files, check the logs for sudo su - commands
  • Check listening ports and connections with netstat and lsof
  • Check for hidden files in RAM drives, drive slack space, /dev, hard-to-see file or directory names such as ".. " (dot-dot-space), /tmp and /var/tmp
Summary of Linux APT Attack
• Root access through a Tomcat server with weak credentials
• Evidence left behind: scripts and SUID shell binaries
• Several ways back in: accounts, the PHP shell, the SUID shell, etc.
• Attackers explore the environment and look for other targets
• With the Metasploit Framework, the compromised host is used as a pivot host (without installing tools on it)
• Shells such as Meterpreter run in memory without writing to disk
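The diagnosis steps of the two Linux slides above are mostly find(1) invocations; the script below is an added example (not code from the book or the slides) that does the same hunt in one place so it can be run against a constructed tree offline: SUID binaries not on an allowlist, directory names that read like "." or ".." at a glance (trailing spaces, dot-only names), regular files under /dev, and executables in /tmp and /var/tmp. The fixture tree, the file names and the allowlist are invented for the example; the allowlist in particular must be replaced with the host's own baseline.

```python
"""Hunt for the leave-behinds of the Tomcat-to-root scenario: SUID shells,
hard-to-see names such as '.. ', and staging files in /dev, /tmp, /var/tmp.
Point triage() at '/' on a real host; demo() runs it on a constructed tree."""
import os
import stat
import tempfile

# Assumed baseline of legitimate SUID programs; take it from a known-good
# host of the same build rather than from this list.
ALLOWED_SUID = {"su", "sudo", "passwd", "ping", "mount", "umount",
                "newgrp", "chsh", "chfn", "gpasswd"}


def find_suid(root, allowlist=ALLOWED_SUID):
    """Regular files with the set-user-ID bit whose name is not allowlisted."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and name not in allowlist:
                hits.append(path)
    return sorted(hits)


def looks_hidden(name):
    """Trailing whitespace, or a name made only of dots and spaces, is meant
    to be overlooked in `ls -la` output ('.' and '..' never reach os.walk)."""
    return name != name.rstrip(" \t") or set(name) <= set(". ")


def find_odd_names(root):
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if looks_hidden(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def find_staging(root):
    """Regular files in /dev (only device nodes belong there) and executable
    regular files in /tmp and /var/tmp."""
    hits = []
    for sub, want_exec in (("dev", False), ("tmp", True), ("var/tmp", True)):
        for dirpath, _, filenames in os.walk(os.path.join(root, sub)):
            for name in filenames:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue
                if not want_exec or st.st_mode & stat.S_IXUSR:
                    hits.append(path)
    return sorted(hits)


def triage(root):
    rel = lambda paths: [os.path.relpath(p, root) for p in paths]
    return {"suid": rel(find_suid(root)),
            "odd_names": rel(find_odd_names(root)),
            "staging": rel(find_staging(root))}


def build_fixture(root):
    """Constructed tree imitating the compromised host; no real artifacts.
    Mode 0o4xxx sets the SUID bit (the owner may set it on its own files)."""
    layout = {
        "etc/passwd": 0o644,
        "usr/bin/passwd": 0o4755,       # legitimate SUID, allowlisted
        "usr/bin/sudo": 0o4755,
        "tmp/.. /sh": 0o4755,           # SUID shell inside a '.. ' directory
        "tmp/nc": 0o755,                # netcat dropped for a second backdoor
        "var/tmp/kit.tar.gz": 0o644,    # data, not executable: not flagged
        "dev/.hidden/backdoor": 0o644,  # regular file where only devices belong
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("x")
        os.chmod(path, mode)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return triage(root)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

Everything here reads from disk, so it only catches what the attacker left on disk; the in-memory Meterpreter session from the summary slide shows up in `netstat`/`lsof` and in the memory image, not in this output, which is why the slide pairs file hunting with the connection check.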
Poison Ivy RAT
• A ubiquitous tool used by many APT campaigns (Operation Aurora, the RSA attacks, Nitro)
• Similar to Gh0st RAT
• Source code is available, so it can be built into custom-purposed Trojans
• Deployable by phishing email with a Trojan dropper packaged as a self-extracting "7zip" archive
• Detected by Microsoft's Malicious Software Removal Tool (MSRT)
• Often seen in "snatch-and-grab" compromises of computers
• The tool itself is not an APT; the persistent campaign is
TDSS Malware
• A botnet of hosts compromised by TDSS
• "Malware as a service" for subscribers: DDoS attacks, click fraud for advertising revenue, backdoor installation and execution, etc.
• Subscription through websites such as AWMProxy.net
• Targeted at compromised networks of hosts in selected companies
• Used in more APT campaigns since 2011
• TDSS itself:
  • A rootkit with encrypted files and communications; C&C communications run over compromised hosts, proxies, and P2P networks
  • Numerous infection vectors: application and server zero-day exploits, the Black Hole exploit kit, spear-phishing emails, worms spreading via P2P/IM/NetBIOS, rogue DHCP servers, etc.
Common APT Indicators
• Indicators:
  • Network communications using SSL or private encryption methods, or sending/receiving base64-encoded strings
  • Services registered under the Windows NETSVCS keys that point to DLL or EXE files in the system folder
  • Copies of cmd.exe saved as svchost.exe or under other file names in the TEMP folder
  • LNK files referencing executables that no longer exist
  • RDP files referencing external IP addresses
  • Windows Security event log entries with external IP addresses or computer names that do not match the organization's naming conventions
  • Windows Application event log entries showing antivirus and firewall stops and restarts
  • Etc.
• Recent APT procedures: 14 steps (expanded from the phases listed earlier)
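The Security-log indicators above are mechanical enough to script. The example below is added here (not code from the book or the slides): it reads a constructed CSV export of a few Security events and applies four rules, logon from an address outside the organization, workstation name outside the naming convention, account creation (event 4720) and audit-log clearing (event 1102, the trace left by the "clean the logs every day" job in the Gh0st summary). The events, the naming convention `CORP-<site><number>` and the assumption that RFC 1918 space is internal are invented for the example; adapt the regex and networks to the organization.

```python
"""Apply the chapter's Windows Security log indicators to an exported
event list: external logon addresses, off-convention workstation names,
new accounts and audit-log clearing."""
import csv
import io
import ipaddress
import re

# Constructed CSV export of Security events (not from a real host).
# Columns: event id, time, account, logon type, workstation, source address.
EVENTS_CSV = """\
event_id,time,account,logon_type,workstation,source_ip
4624,2012-01-03 02:14:09,jsmith,10,CORP-NYC0142,10.0.0.21
4624,2012-01-03 02:31:55,administrator,10,WIN-8K2J3LQ,203.0.113.77
4720,2012-01-03 02:40:12,support,,CORP-DC01,-
4624,2012-01-03 03:05:40,support,3,CORP-FS02,10.0.0.44
1102,2012-01-04 00:00:03,SYSTEM,,CORP-FS02,-
"""

# Assumptions about the organization: hostnames look like CORP-<site><number>
# and internal addresses are RFC 1918 (the sample's 203.0.113.77 is a
# TEST-NET stand-in for an Internet host).
NAMING = re.compile(r"^CORP-[A-Z]{2,3}\d{2,4}$")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LOGON_EVENTS = {"4624", "4625"}


def is_external(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # '-' or a hostname
        return False
    return not any(ip in net for net in INTERNAL)


def check_event(ev):
    """Return the names of the rules the event trips (possibly several)."""
    hits = []
    if ev["event_id"] in LOGON_EVENTS and is_external(ev["source_ip"]):
        hits.append("external_logon")
    if ev["event_id"] in LOGON_EVENTS and not NAMING.match(ev["workstation"]):
        hits.append("foreign_hostname")
    if ev["event_id"] == "4720":
        hits.append("account_created")
    if ev["event_id"] == "1102":
        hits.append("log_cleared")
    return hits


def scan(csv_text):
    findings = []
    for ev in csv.DictReader(io.StringIO(csv_text)):
        for rule in check_event(ev):
            findings.append((ev["time"], rule, ev["account"],
                             ev["workstation"], ev["source_ip"]))
    return findings


if __name__ == "__main__":
    for row in scan(EVENTS_CSV):
        print(" | ".join(row))
```

Logon type 10 is RemoteInteractive (RDP), so the second row, a built-in Administrator RDP logon from an outside address on a machine named like a default Windows install, trips two rules at once; the 1102 event a day later is worth more than its single line, because an attacker who clears the log on a schedule has already told you when the job runs.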
APT Detection
• Administrative procedures:
  • Create a file system index to audit changes; a simple diff of two index files reveals added, removed, and modified files
  • Alert on administrative logons
  • Use the firewall or IDS to monitor inbound RDP/VNC/cmd.exe traffic
• Products:
  • Endpoint security products (AV, HIPS, file system integrity checking)
  • Sandbox-based or reverse-engineering-based anti-APT products
  • File system auditing products for change control and auditing
  • Network intelligence/defense products (IDS/IPS)
  • Network monitoring products (tcpdump)
  • Security information/event management products with correlation and reporting databases
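The file system index and diff from the first administrative procedure (and the "diff System32 against the cache directory" step of the file/process capture slides) can be done with a few dozen lines. The example below is added here (not code from the book or the slides): it indexes a tree as path, size, mtime and SHA-256 into JSON, diffs a baseline index against a fresh one, and additionally reports files whose content changed while their mtime did not, which is the signature of an attacker resetting timestamps. The simulated System32 tree, the dropped file names and the timestamps are constructed for the example.

```python
"""Index a directory tree (size, mtime, SHA-256) to JSON and diff two
indexes. demo() runs it on a constructed tree that simulates an intrusion."""
import hashlib
import json
import os
import stat
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_index(root):
    """Map relative path -> {size, mtime_ns, sha256} for every regular file."""
    index = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            index[os.path.relpath(path, root)] = {
                "size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": sha256_file(path)}
    return index


def save_index(index, path):
    with open(path, "w") as f:
        json.dump(index, f, sort_keys=True, indent=1)


def load_index(path):
    with open(path) as f:
        return json.load(f)


def diff_index(old, new):
    common = set(old) & set(new)
    modified = sorted(p for p in common if old[p]["sha256"] != new[p]["sha256"])
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": modified,
        # content changed but the timestamp did not: the mtime was reset
        "timestomped": [p for p in modified if old[p]["mtime_ns"] == new[p]["mtime_ns"]],
    }


def _write(path, data, mtime_ns):
    """Fixture helper: write a file and pin its timestamps (constructed data)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, ns=(mtime_ns, mtime_ns))


def demo():
    t_install = 1_300_000_000 * 10**9   # constructed install-time timestamp
    t_intrusion = 1_325_000_000 * 10**9  # constructed time of the intrusion
    with tempfile.TemporaryDirectory() as root:
        s = os.path.join(root, "System32")
        _write(os.path.join(s, "kernel32.dll"), b"A" * 4096, t_install)
        _write(os.path.join(s, "ntdll.dll"), b"B" * 4096, t_install)
        _write(os.path.join(s, "setuplog.txt"), b"setup ok\n", t_install)
        _write(os.path.join(s, "drivers", "etc", "hosts"), b"127.0.0.1 localhost\n", t_install)
        # The baseline index lives outside the indexed tree (in practice: off the host).
        baseline = os.path.join(root, "baseline.json")
        save_index(build_index(s), baseline)
        # Simulated intrusion: dropped binary, hosts edit, deleted log, and a
        # patched DLL whose mtime was put back to hide the change.
        _write(os.path.join(s, "svchosts.exe"), b"MZ" + b"\0" * 512, t_intrusion)
        _write(os.path.join(s, "drivers", "etc", "hosts"),
               b"127.0.0.1 localhost\n127.0.0.1 av-update.example\n", t_intrusion)
        os.remove(os.path.join(s, "setuplog.txt"))
        _write(os.path.join(s, "kernel32.dll"), b"A" * 4000 + b"\xcc" * 96, t_install)
        return diff_index(load_index(baseline), build_index(s))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing is what makes the timestomping check possible: an index of sizes and mtimes alone would report the patched DLL as unchanged. Keep the baseline index off the host and regenerate it after every legitimate patch cycle, otherwise the diff fills with vendor updates and the attacker's additions hide in the noise.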