Threats in Connected World Day 2, Track 2, 09:45

Transcription

Threats in Connected World
Bhavin Gandhi
Sr. Technical Consultant – Trend Micro India
What was War - Earlier
Country A against Country B
¾ India - Pakistan
¾ US - Iraq
¾ Nato - Germany
¾ World War 1, 2… etc
That’s What War….. Was
Dirty & Bloody with lots of noise, mayhem and blackouts
3
But Now….
Time has changed and the definition as well
¾ No visible damage to Life & Property
¾ No Fires and Noise
¾ No supply chain management
¾ No Troops and Ammunitions
¾ Definition of heroes has changed since 9/11
4
It’s all about Little Ones and Zeroes
5
Advanced Persistent Threat (APT)
Copyright 2014 Trend Micro Inc.
6
Sophistication
Evolving Threat Landscape
Employee Data
Leaks
Traditional
Malware
Vulnerability
Exploits
Time
7
Advanced
Malware
Targeted
Attacks
Hackers Stole $81M from Bangladesh Bank
Social Media Accounts
Panama Papers Leak
10
Confidential © 2014 Trend Micro Inc.
We see the TIP of the APT ICEBERG
Attacks in the News
Most go unreported. 90% of
companies found previously
unknown Malware*
APTs
Cyber Espionage
Targeted Attacks
Cyber Threats
* Trend Micro Study
Networks are becoming Cyber Swiss Cheese
Employees are often exploited
91% of targeted attacks begin with a spear-phishing email
Poison Ivy
Monitoring a few ports is
insufficient
12
EvilGrab
Monitoring a few apps & protocols
is insufficient
IXESHE
Attacks are dynamic not static in
nature
ADVERSARY
Resources & expertise for hire
Target
rget rich guerilla offen
offense
Ease of execution
Focused objectives

ENTERPRISE
Resource
ource & expertise constraints
constra
Broad static defense
Detection complexity
Low signal to noise ratio
75% of attacks require little skill to execute1……yet require advanced skills to detect
and remediate

63% of security professionals believe it is only a matter of time until their enterprise
is targeted2

13
$5.9M is average cost of targeted attack3
Hackers Have an Unfair Advantage!
All that’s needed is a credit card and a mouse!
14
Code for Sale
LIST OF SOFTWARE INCLUDED IN THIS PACKAGE:
Cracking Tools
Crypters
DoSers, DDoSers, Flooders
1.VNC Crack
1.
Carb0n
Crypter
and Nukers
2.Access Driver
v1.8
1. rDoS
3.Attack Toolkit v4.1 & source code
2.
Fly
Crypter
v2.2
2. zDoS
included
3.
JCrypter
3. Site Hog v1
4.Ares
4.
Triloko
Crypter
Remote5.Brutus
Administration
4. Panther Mode
2
Host Booters
Tools/Trojans
5. Final Fortune
2.4 Delphi 2.8 5. Halloween
1. MeTuS
Analysis :
1. Cerberus
1.03.4
BETA
Scanners 2. XR Host Booter 2.1Crypter
Packers
· OllyDbg
1.10
&: Plugins - Modified
Deh Crypter
2. Turkojan
4 ·GOLD
1. DD7 Port3. Metus 2.0 GB HEX6.Editor
:
FSG
2.0
by SLV
*NEW*
7.
Hatrex
Crypter
3.
Beast
2.07
Scanner
· Biew v5.6.2
Edition
· MEW8.93
11 1.2
SE
· W32Dasm
- Patched
*NEW*
8.
Octrix
Crypter
v3.0.0
2. SuperScan
4. 4.0
BioZombie v1.5· Hiew v7.10 *NEW*4. Shark· PEiD
· UPX +
1.25
& GUI
*NEW*
0.93
Plugins
*NEW*
9.
NewHacks
5.
Archelaus
Beta
3. Trojan Hunter
·
WinHex
v12.5
*NEW*
5. Host Booter and
· SLVc0deProtector
0.61Beta · RDG Packer
Detector v0.5.6
Crypter
v1.5
Decompilers :
Spammer
English*NEW*
*NEW*
10.
Refruncy
Crypter
Binders:
4.
ProPort
v2.2
·
DeDe
3.50.04
Fake Programs
Stealers
· ARM: Protector v0.3
Rebuilding
Ultra
Hackers
Tools
for
sale
1.
Albertino
Binder
5.
Bitching
· VB ?Decompiler? Lite
1. PayPal Money
1. Dark Screen Price
*NEW*
·=ImpRec
1.6 - Fixed by MaRKuS_THVirus
Builders
is
0.0797
BTC
(bitcoin)
$25
2. BlackHole
Binder
Threads v3.1Stealer V2
v0.4 *NEW*
Hack
· WinUpack
v0.31 Beta
DJM/SnD
*NEW*
1. Nathan's
Image
3.
F.B.I.
Binder
·
Flasm
2. Windows 2.
7 Serial
Dark IP Stealer
*NEW*
· Revirgin
1.5 - Fixed *NEW*
Worm
4.
Predator
1.6
Unpackers :
Generator 3. Lab Stealer
Patchers
: B *NEW*
· LordPE
De Luxe
2. Dr.
VBS
Virus
Confidential | Copyright 2015 Trend Micro Inc.
5. PureBiND3R by d3will
100’s of Items
A Targeted Attack in Action: Social, Stealthy
Extracts data of interest – can
go undetected for months!
Gathers intelligence about
organization and individuals
Attackers
Targets individuals
using social engineering
$$$$
Establishes link to
Command & Control server
Moves laterally across network
seeking valuable data
Employees
Large Spear-phishing Incidents
Most costly data breach incidents, all caused by spear-phishing:
Source: Trend Labs
18
Email: The dominant attack vector
• 91% of targeted attacks begin with a spear
phishing attack
• The median time for the first user of to open a
malicious spear phishing email is 1 minute, 40
seconds. Source
• It takes under a minute for an endpoint to be
entirely encrypted by ransomwareSource
20
Unexpected Costs
Unexpected Strategic Impacts
Unexpected Risks
Unexpected Career Impacts
Standard Defenses are Insufficient

Next-gen
Next
t-gen Firewall
Advanced reconnaissance
Spear-phishing emails
Embedded payloads
Unknown malware & exploits
oiits
Dynamic command and control
oll
(C&C) servers
BYOD and remote employees
create a broad attack surface
Intrusion
DS)
Detection (IDS)
In
Intrusion
ntrusion
Pre
evention
on
n (IPS)
(
Prevention
Traditional
AV
Email /Web
Gateways
Advanced methods can evade traditional defenses
29
Simple & Efficient
Infection & payload
Lateral movement
C&C callback
Dynamic blacklist
Web proxy
SMTP relay
Storage
!
Mail Server
!
App Server
!
Endpoint
!
30
af12e45b49cd23...
48.67.234.25:443
68.57.149.56:80
d4.mydns.cc
b1.mydns.cc
...
Data Center Security
31
Virtualization and Cloud
Increased efficiency
and agility
IT Operations
Is security slowing
me down?
LEGACY APPLICATIONS
THAT DON’T GET PATCHED?
Security patches no longer issued for:
8
3
March
October
February
April
2009
2010
2013
2014
January
July
2009
2010
10.1
33
6
July
2015
Windows 2000 & XP vulnerabilities still being announced after EOL
- The cost of a custom support contract for Windows 2000 is $200K annually
PATCHING IS A NIGHTMARE
HOW FAST DOES IT HAPPEN FOR YOU?
Vulnerability
Disclosed or
Exploit Available
EXPOSURE
PATCHED
SOAK
Patch
Available
34
Test
Begin
Complete
Deployment Deployment
Responsibility for Security is Shared in the Cloud
Cloud Service Provider
Customer
Facilities
Operating System
Physical security
Applications
Physical infrastructure
Data
Network infrastructure
Account / Security Groups
Virtualization infrastructure
Network Configuration
35
Traditional on-premise security
Applied at the perimeter
On-premises
Firewall
2016 Trend
MicroMicro
Inc. Inc.
36Copyright
Copyright
2016 Trend
IPS
Load
Balancer
Web
Tier
App
Tier
DB
Tier
Build a workload-centric security strategy
Network
&
Security
Groups
2016 Trend
MicroMicro
Inc. Inc.
37Copyright
Copyright
2016 Trend
Elastic
Load
Balanc
er
Web
Tier
in the
cloud
App
Tier
in the
cloud
DB
Services
Ransomware
38
39
40
Ransomware by the Numbers
$200-$10k
Typical Ransom Paid
-FBI, April 2016
>50%
% of US Hospitals hit by
Ransomware in 2015
-HIMSS Analytics, 2016
90,000
#of systems per day infected
by Locky Ransomware
-Forbes, February 2016
42
Jan 2016 - Ransomwares
SPN DETECTION HITS
LECTOOL
EMPER
CRYPRADAM
MEMEKAP
CRYPNISCA
CRYPJOKER
CRYPRITU
CRYPNISCA
CRYPJOKER
CRYPRITU
SPAM
DISGUISED AS
PDF ATTACHMENT
MEMEKAP
LECTOOL
EMPER
CRYPRADAM
INFECTION VECTOR
SPAM
SPAM
SPAM
SPAM
SPAM
MODE OF PAYMENT
NO RANSOM
NOTE
2 BTC
13 BTC
0.5 BTC
need to email malware
author to get payment
instructions
1 BTC
0.1 BTC
ENCRYPTED DATA
PERSONAL FILES
PERSONAL FILES
+
DB FILES WEB PAGES
DB FILES
NO ADDITION
TO PERSONAL FILES
DB FILES
DB FILES
DB FILES
ENCRYPTION
KEYS ARE GENERATED
LOCALLY
PRIVATE KEY IN THE
SERVER
KEYS ARE GENERATED
LOCALLY
ENCRYPTION KEY IN THE
SERVER
KEYS ARE GENERATED
LOCALLY
KEYS ARE GENERATED
LOCALLY AND DELETED
PUBLIC KEY
FROM C&C
SELF-DESTRUCT
NO
43
NO
NO
NO
NO
NO
NO
Feb 2016 - Ransomwares
SPN DETECTION HITS
CRYPGPCODE
CRYPHYDRA
CRYPDAP
CRYPZUQUIT
CRYPGPCODE
CRYPHYDRA
CRYPDAP
CRYPZUQUIT
MADLOCKER
LOCKY
MADLOCKER
LOCKY
INFECTION VECTOR
INVOICE SPAM
EXPLOIT KIT
DISGUISED AS
PDF ATTACHMENT
SPAM
SPAM
1.505 BTC
2 BTC
536 GBP
MACRO OR JS
ATTACHMENT
MODE OF PAYMENT
400 DOLLARS with
instruction from author
how to pay
0.8 BTC
$350
1 BTC
0.5 - 1 BTC
ENCRYPTED DATA
PERSONAL FILES
PERSONAL FILES
+
NO ADDITION
TO PERSONAL FILES
DB FILES
SYNC MANGER
LOGGER
NO ADDITION
TO PERSONAL FILES
WEB PAGES
WALLET
DB FILES
CODES
ENCRYPTION
KEYS ARE GENERATED
LOCALLY
KEYS ARE GENERATED
LOCALLY
PUBLIC KEY
FROM C&C
PUBLIC KEY
FROM C&C
KEYS ARE GENERATED
LOCALLY
SELF-DESTRUCT
NO
44
NO
NO
NO
NO
ENCRYPTION KEY FROM
C&C
March 2016 - Ransomwares
Power shell
script
SPN DETECTION HITS
It speaks!!
CERBER
CRYPAURA
CERBER
CRYPAURA
KeRanger
KERANGER
TESLA 4.0
SURPRISE
MAKTUB
MAKTUB
TESLA
PETYA
SURPRISE
unique
INFECTION VECTOR
Powerware
POWERWARE
PETYA
CRIPTOSO
COVERTON
CRYPTOSO
COVERTON
+
EXPLOIT KIT
SPAM
APPSTORE
MACRO OR JS
ATTACHMENT EXPLOIT KIT
TERMS-OF_SERVICE
(TOS) SPAM
TEAM VIEWER
JOB APPLICATION WITH MACRO DOWNLOADER
DROPBOX LINK
ATTACHMENT
MODE OF PAYMENT
1.24-2.48 BTC
<TO BE
UPDATED>
1 BTC
1.3 BTC
1.4 – 3.9 BTC
$588 - $1638
0.5 to 25 BTC
0.99 – 1.98 BTC
$431 - $862
ENCRYPTED DATA
1.18 – 2.37 BTC
$500 - $1000
1 BTC then
increases by 1 BTC
daily
1 BTC
unique
PERSONAL FILES
PERSONAL FILES
DB FILES
MACOS
FILES
DB FILES
GAMES
GAMES WALLET
ACCOUNTING/
FINANCE FILES
CODES
OVERWRITES MBR
& BSOD
US TAX
RETURN FILES
DB FILES
ENCRYPTION
PRIVATE KEY IS OBTAINED
AFTER PAYMENT
PUBLIC KEY
FROM C&C
PUBLIC KEY
FROM C&C
AES KEY GENERATED
5 KEY PAIRS
PRIVATE KEY IS OBTAINED PRIVATE KEY IS OBTAINED
LOCALLY
GENERATED LOCALLY
AFTER PAYMENT
AFTER PAYMENT
1 KEY REQUIRES RSA KEY
AFTER PAYMENT
AFTER PAYMENT
SELF-DESTRUCT
NO
45
NO
NO
NO
NO
NO
NO
NO
Protecting Against Ransomware
46
Back-up and Restore
Automated: 3 copies, 2 formats, 1
air-gapped from network
Access Control
Limit access to business critical data
Keep Current with Patching
Minimize exploits of
vulnerabilities
Don’t Pay the Ransom
Pay-off encourages further attacks,
no guarantee of data recovery
Employee Education on Phishing
Awareness, best practices,
simulation testing
Improve Security Posture
Follow best practices for current
solution, additional technology
Network Traffic
Scanning
Vulnerability
Shielding
Server
Lateral
Movement
Prevention
47
Malware
Sandbox
Network
Lateral
Movement
Prevention
Ransomware
Behavior
Monitoring
Application
Control
Endpoint
Vulnerability
Shielding
Email Gateway
Spear phishing
Protection
Malware
Sandbox
Web Gateway
IP/Web
Reputation
Throughout history adversaries have
developed countermeasures to security
Proliferation of connected assets & devices
Omnipresent network access
On and off premise applications
50
51 Source : www.darkreading.com
Thank you
53
Reach us on:
Srinivasan N.
[email protected]
Bhavin Gandhi
[email protected]
www.trendmicro.com
54