Anatomy of Modern Malware Attacks
Rob Davis, CISSP, Managing Partner
Our analysis of the Verizon DBIR [infographic values: 87%, 40, 35, 29, 55%, 58%, 33%]
• How do they get in?
• Nearly all detected attacks use a combined attack approach, yet 75% of targets are chosen opportunistically. Once the host and company are identified, the host is sold on the open market.
• Malware-based attacks are increasing in complexity and continue to be one of the easiest methods of compromising a network. Watering hole and multi-redirection attacks dropping keyloggers and backdoors are the most common.
• Hacking to obtain credentials for access to perimeter services (VPN, Citrix, OWA) is the basis for 4 out of 5 attacks.
• Percentage of infected systems by country according to BitDefender.
• Social engineering has shown a huge increase, driven by phishing attacks. The DBIR states that 95% of all attacks employed phishing as the initial attack method. The likelihood of a successful click is 80% after sending just 6 emails.
• 78% of attacks are rated as low or very low difficulty.
• Attack chain: 1. Initial compromise of a system (phishing / hacking). 2. System infected and credentials exported. 3. Lateral movement to other hosts.
• Misuse is defined as the insider threat, where privilege abuse and theft occur to exfiltrate information. Perimeter DLP monitoring is not always a solution, since USB keys and online file sharing are used.
• Watering Hole Attacks. Profiling: the attacker profiles victims and the sites they visit by industry or personal interest. Vulnerable Sites: the attacker tests the websites visited for vulnerabilities. Compromise: when the attacker finds a vulnerable website, JavaScript is injected to redirect visitors to the exploit. Wait for the Prey: the compromised website now waits to infect the profiled victim.
• Undetected Presence. Primary methods of infection have changed to primarily use malware droppers through phishing and drive-by attacks.
• Physical tampering with point-of-sale terminals, ATMs and credit card swipers is on the rise globally, based on the number of reported incidents.
Security Capabilities: People, Process, Configuration, Technology
• The Defendable Network
• Make Initial Compromise as Difficult as Possible
• Restrict Lateral Movement of Attackers
• Improve Visibility and Monitoring (Situational Awareness for quick detection and recovery capability from security events)
• Misuse of Legitimate Credentials • Installing malicious software (malware) • Application Attack (SQL Injection, XSS)
Dynamic Malware Detection (Host 10.22.155.80 – Multiple Infections and Callbacks Detected)
Obfuscated JavaScript to Detect Vulnerability to Exploit. This is what obfuscated JavaScript looks like. Commercial and private tools exist to create it automatically. It is not encrypted, so it can be reverse engineered with some effort.
Malware EXE #2 Installed (Next session was malware EXE #3 – 6.exe). The User-Agent and request headers have changed for this web session. This download was made by the first piece of malware rather than coming through the browser, and the malware is proxy aware (nice job!).
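A detection that follows from this observation, added here as an example and not taken from the slides: per client host, learn the dominant browser User-Agent from a proxy log and flag executable downloads issued with a different one. The log format, host names and all log lines below are constructed; the only page-derived values are the infected host 10.22.155.80 and the file name 6.exe.

```python
"""Flag executable downloads made with a User-Agent that differs from the
client's usual browser UA (a sign the request came from malware, not the user).
Log format is a constructed simplification: ts client method url status bytes "ua".
"""
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic); 10.22.155.80 is the host
# from the slides, everything else is made up.
SAMPLE_LOG = """\
2013-06-04T09:12:01 10.22.155.80 GET http://news.example/index.html 200 48211 "Mozilla/5.0 (Windows NT 6.1) Firefox/21.0"
2013-06-04T09:12:03 10.22.155.80 GET http://news.example/js/ads.js 200 9120 "Mozilla/5.0 (Windows NT 6.1) Firefox/21.0"
2013-06-04T09:12:09 10.22.155.80 GET http://redir.example/x.php 200 3301 "Mozilla/5.0 (Windows NT 6.1) Firefox/21.0"
2013-06-04T09:13:40 10.22.155.80 GET http://dl.example/6.exe 200 543744 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2013-06-04T09:14:02 10.22.155.81 GET http://intranet.example/tools/setup.exe 200 120000 "Mozilla/5.0 (Windows NT 6.1) Firefox/21.0"
"""

EXECUTABLE_EXTS = (".exe", ".dll", ".scr")


def parse_line(line):
    """Split one constructed log line into a dict; the UA is the quoted tail."""
    ts, client, method, url, status, size, ua = line.split(" ", 6)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "bytes": int(size), "ua": ua.strip('"')}


def find_ua_mismatch_downloads(log_text):
    """Return (client, url, ua) for executable downloads whose User-Agent is not
    the client's most frequent UA in the log window."""
    records = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    ua_counts = defaultdict(Counter)
    for r in records:
        ua_counts[r["client"]][r["ua"]] += 1
    findings = []
    for r in records:
        if not urlparse(r["url"]).path.lower().endswith(EXECUTABLE_EXTS):
            continue
        dominant_ua = ua_counts[r["client"]].most_common(1)[0][0]
        if r["ua"] != dominant_ua:  # download not issued by the usual browser
            findings.append((r["client"], r["url"], r["ua"]))
    return findings


if __name__ == "__main__":
    for client, url, ua in find_ua_mismatch_downloads(SAMPLE_LOG):
        print(f"{client} fetched {url} with unexpected UA: {ua}")
```

Hosts with only one request in the window (10.22.155.81 above) have no baseline and are not flagged, so run it over a window long enough to capture normal browsing.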
Example of Malware Payload (531K) Encrypted to Avoid Analysis by Cloud Based Systems
VirusTotal Analysis is Negative – Can’t Even Identify File Type
Exfiltration of Encrypted Data – Most Likely Local Admin and User Domain Credentials (Need to Change User Passwords)
Single Packet UDP Outbound for Command and Control (VERY Difficult to Detect for Most Organizations) 9e:8b:b7:f1:28:94:8d:ab:c9:c0:d1:99:9a:f7:d3:b9 b5:f3:a1:97:91:9c:9e:98:1d:39:6c:37:f9:70:7a:62:96:94:0b:06
Use NetWitness to Examine ANY Hosts Using UDP 16464 Outbound Two Additional Hosts Identified – One Verified as Infected
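The same hunt, written as an added example rather than as anything from the slides or from NetWitness: read flow records, pick out internal hosts with outbound UDP to port 16464, and measure the gap between successive callbacks so a fixed-interval beacon stands out. The CSV layout, the 10/8 internal range and every flow line are constructed; the port and the two source hosts come from the slides, and the destination addresses are documentation ranges.

```python
"""Find internal hosts sending outbound UDP to the C2 port seen in the slides
(16464) and report how regularly each one calls back.
Flow format is a constructed NetFlow-like CSV, not NetWitness output.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

C2_PORT = 16464           # callback port from the slides
INTERNAL_PREFIX = "10."   # assumption: the site's internal range is 10/8

# Constructed flow records (not real traffic). The two 10.x sources are the
# infected hosts named in the slides; destinations are documentation ranges.
SAMPLE_FLOWS = """\
start_time,src_ip,dst_ip,proto,dst_port,packets,bytes
2013-06-04T10:00:00,10.22.155.80,203.0.113.7,UDP,16464,1,52
2013-06-04T10:10:00,10.22.155.80,203.0.113.7,UDP,16464,1,52
2013-06-04T10:20:00,10.22.155.80,203.0.113.7,UDP,16464,1,52
2013-06-04T10:03:12,10.225.146.113,198.51.100.9,UDP,16464,1,52
2013-06-04T10:13:12,10.225.146.113,198.51.100.9,UDP,16464,1,52
2013-06-04T10:05:00,10.30.1.20,203.0.113.53,UDP,53,1,70
2013-06-04T10:06:00,10.30.1.21,203.0.113.7,TCP,443,42,18000
"""


def udp_beacon_hosts(flow_csv, port=C2_PORT, internal_prefix=INTERNAL_PREFIX):
    """Return {src_ip: {"destinations": [...], "flows": n, "intervals_s": [...]}}
    for internal hosts with outbound UDP flows to `port`."""
    by_src = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if (row["proto"] == "UDP" and int(row["dst_port"]) == port
                and row["src_ip"].startswith(internal_prefix)):
            by_src[row["src_ip"]].append(
                (datetime.fromisoformat(row["start_time"]), row["dst_ip"]))
    report = {}
    for src, events in by_src.items():
        events.sort()
        times = [t for t, _ in events]
        # Gaps between successive callbacks; near-constant gaps mean beaconing.
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[src] = {"destinations": sorted({d for _, d in events}),
                       "flows": len(events), "intervals_s": intervals}
    return report


if __name__ == "__main__":
    for src, info in udp_beacon_hosts(SAMPLE_FLOWS).items():
        print(src, info)
```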
Dynamic Malware Detection (Host 10.225.146.113)
Grab Malware File from FireEye – Submit to VirusTotal Who Else Has Seen This? The Answer is Nobody ….
Malware Payload is a PDF – No Executable Downloads Unusual since PDF exploit is typically a dropper used to fetch more malware.
Malware Payload is a PDF – No Executable Downloads User finally takes matter into his own hands – grabs Hitman Pro, Malware Bytes, and Spybot!
How Did this All Begin? Just a Man at Work Wanting to Watch TV ….
What Does Increased Network Visibility Give You? Additional Hosts to Investigate – Many Compromised but not All …. Can you verify what files/scripts have been executed in your environment?
Example of Dynamic Malware Analysis Results Two Additional Hosts Identified – One Verified as Infected
Windows Local Administrator Credentials Stolen Exfiltration of local administrator credentials. If you use the same local admin passwords then attackers can easily move laterally.
Windows Local Administrator Credentials Stolen Exfiltration of domain user credentials. This is why you don’t want to use Windows credentials for remote access.
Maintaining Persistence After Compromise • Attacker has already: • Gained initial access • Infected systems with backdoor malware • Obtained domain credentials • Downloaded complete organizational structure from Exchange