Emerging Threats - The State of Cyber Security, Cisco Live 2015 Melbourne
#clmel
Emerging Threats - The State of Cyber Security
BRKSEC-2010
Alex Chiu - Threat Researcher for Talos
© 2015 Cisco and/or its affiliates. All rights reserved. BRKSEC-2010 Cisco Public
Agenda
• Intro
• Spear Phishing with 0-day
• Malvertising
• Angling for Exploitation
• Rig Exploit Kit
• Stan and Kyle
• Snowshoe Spam
• String of Paerls
• HeartBleed
• ShellShock
• Sponsored Attacks
– Group 72
– Wiper Malware
– Cryptowall 2.0
Talos
Welcome to the Machine
Talos Development
Talos Detection R&D
Talos Outreach
Talos Vulnerability R&D
Talos Intelligence
Talos Detection Content
(Diagram: Talos detection content feeds NGFW, ESA, AMP, Cloud, WSA and NGIPS)
Common Goals: Pissing Off The Bad Guys – A Good Thing™
• Blacklisted Domains
– Malware Downloaders
– C & C
– Domains for Tools
– eMail & Web
• Blacklisted Address Space
– For Malware
– For C & C
– For their Tools
• Published NGIPS Detection
– Tools Activity
– C & C Activity
– Gave it to the Community – Free, Gratis, Nada
• Published AV Detection
– Tools
– Malware
– AMP
Spear Phishing with 0-day
Phishing on the Next Level…
• Attack began April 24, 2014
• Initially a highly targeted spear phishing campaign
• Zero day exploit, compromise upon clicking
• Our data immediately led us to additional attacks
Indicators of Compromise (IOC)
• Subjects:
– Welcome to Projectmates!
– Refinance Report
– What's ahead for Senior Care M&A
– UPDATED GALLERY for 2014 Calendar Submissions
• Associated Domains
– http://profile.sweeneyphotos.com
– http://web.neonbilisim.com
– http://web.usamultimeters.com
– http://inform.bedircati.com
Convincing Phish
Anatomy of an Exploit
• IE vulnerability that uses JavaScript to cause exploitation
• Where is it..
Anatomy of an Exploit - Conclusion
• Targeted Phishing Campaign using a 0-day
– Exploit NOT obfuscated!
• Advanced obfuscation of payload
• Seemed to focus on manufacturing and industrial vertical
• Patch eventually released
Malvertising
The Malvertising Ecosystem
The Normal Web
cnn.com:
26 domains
39 hosts
171 objects
557 connections
Threat: Malvertising
A Match Made in Heaven, Malvertising, Exploit Kits and Dynamic DNS
Fiesta Exploit Kit
• January of 2014 alone over 300 companies affected
• Drive by download attack
• Malicious file types served for all web content since mid-December 2013
Dynamic DNS
Fiesta Exploit Kit – Dynamic DNS
• A total of 6 IP addresses were responsible for hundreds of dynamic hosts
Dynamic Detection of Malicious DNS - Reputation (chart: average vs. baseline)
Dynamic Detection of Malicious DNS – AV Blocks (chart: average vs. baseline)
Dynamic Detection of Malicious DNS
• What are we blocking with AV?
Mitigations
• Web security appliances / Cloud Web security
• Reputation systems
• Block some/all Dynamic DNS providers using RPZ
• Client side protection
– Antivirus
– HIPS
– AMP Everywhere
Angling for Exploitation
Angler Exploit Kit
• Spreading via ad networks
• Hello Silverlight! CVE-2013-0074, CVE-2013-3896
Phoning home
Blocking the Campaign
• 7 unique Silverlight payloads
• 5 unique Angler droppers
• IOC City
– Linked to >650 domains
– 21 Hotmail addresses
– Way too many to list here; go view the blog at http://blogs.cisco.com/tag/trac/
• Multiple vulnerabilities being exploited..
Rig Exploit Kit
Rig Exploit Kit
• Advertised on criminal forums in April
• Began blocking April 24
– Blocked over 90 domains
– 17% of all CWS customers affected
– Distributed Cryptowall
• Yet another exploit kit continuing the trend of Silverlight exploits
– Silverlight: CVE-2013-0074
– Java: CVE-2013-2465, CVE-2012-0507
– Flash: CVE-2013-0634
Requests to Rig Landing Page
Content Type
Mitigations
• Over 26 malicious files examined
• >190 IOCs
• IPS
– Silverlight: CVE-2013-0074
– Java: CVE-2013-2465, CVE-2012-0507
– Flash: CVE-2013-0634
• Web Security Appliance
• Cloud Web Security
Stan and Kyle
Kyle & Stan Malvertising Campaign
• Malicious ads served on major websites such as Amazon, Yahoo, and YouTube
• Malware disguised as a legitimate application
Example Attack Sequence
Mitigations
• 6941 domains blocked
• Web Security Appliance
• Cloud Web Security
• AMP
Snow Shoe Spam
The Spam Landscape
The Spam Landscape: Increase in “Snowshoe” spam
Spam broken down by Sender Type
Why Do These Techniques Work?
• Anti-spam, especially reputation-based metrics for IP addresses, is a volume business. Low-volume senders are attempting to fly “under the radar”
• Domains are inexpensive and largely a disposable quantity
• Some anti-spam content filters can be foiled by highly dynamic content
• Some spammers are getting better at targeting their email, and avoiding spamtraps
Snowshoe Spam - Mitigations
• Cisco Outbreak Filters
– 14 hour lead time over traditional AV
• Delay Quarantine
• Intelligent Multiscan
– More detection engines can detect more spam
• Use DNS
– Look for hundreds of hostnames using a single IP or hundreds of IPs without hostnames
• Advanced Malware Protection (AMP)
• Webinar: http://cs.co/snowshoe
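The two DNS heuristics the talk names, the Fiesta campaign's handful of IP addresses behind hundreds of dynamic hosts and the snowshoe advice to look for hundreds of hostnames on a single IP or hundreds of IPs with no hostname, as an added Python example. It is not from the talk or from any Cisco product; it runs over a constructed list of (hostname, ip) observations of the kind a passive-DNS feed or mail-server log provides, and every hostname and address in it is invented (reserved documentation ranges and the .test TLD).

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed observations of (hostname, ip), as a passive-DNS feed or mail log
# would yield them. hostname is None when the sending IP had no name at all.
SAMPLE_RECORDS = (
    [("host%03d.ddns-example.test" % i, "203.0.113.7") for i in range(150)]  # one IP, 150 names
    + [("www.example.test", "198.51.100.10"), ("mail.example.test", "198.51.100.11")]
    + [(None, "192.0.2.%d" % i) for i in range(1, 121)]                      # 120 nameless senders
)


def hostnames_per_ip(records):
    """Map each IP to the set of distinct hostnames observed resolving to it."""
    index = defaultdict(set)
    for hostname, ip in records:
        if hostname:
            index[ip].add(hostname)
    return index


def crowded_ips(records, threshold=100):
    """IPs serving at least `threshold` distinct hostnames: the dynamic-DNS pattern
    behind Fiesta and the 'hundreds of hostnames on one IP' snowshoe indicator."""
    return sorted(ip for ip, names in hostnames_per_ip(records).items()
                  if len(names) >= threshold)


def nameless_ips_by_block(records, prefix_len=24):
    """Count IPs that appeared with no hostname, grouped by /prefix_len block.
    Snowshoe senders spread a little traffic across many such addresses."""
    blocks = defaultdict(set)
    for hostname, ip in records:
        if not hostname:
            block = ip_network(f"{ip}/{prefix_len}", strict=False)
            blocks[str(block)].add(ip)
    return {block: len(ips) for block, ips in blocks.items()}


def suspicious_blocks(records, threshold=100, prefix_len=24):
    """Blocks holding at least `threshold` nameless IPs, sorted for stable output."""
    return sorted(block for block, count in nameless_ips_by_block(records, prefix_len).items()
                  if count >= threshold)


if __name__ == "__main__":
    print("crowded IPs:", crowded_ips(SAMPLE_RECORDS))
    print("nameless IPs per /24:", nameless_ips_by_block(SAMPLE_RECORDS))
    print("suspicious blocks:", suspicious_blocks(SAMPLE_RECORDS))
```

The thresholds are deliberately parameters: on real data, shared hosting and CDN edges legitimately carry many hostnames per IP, so a deployment would pair `crowded_ips` with an allowlist of known hosting providers and tune the cut-off to its own baseline rather than a fixed 100.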
String of ‘Paerls’
A Lovely Spearphish
1989 Called
The Word Macro
This Isn’t the First Time
Something about these C2 Servers..
More...
And More....
And...more...
Even More Clever
Mitigations
• We revealed and blocked the entire infrastructure
• Associated domains (>20)
• Revealed malware MD5
• Cloud Web Security
• Web Security Appliance
• IPS
• ESA
HeartBleed
What is Heartbleed?
• If the specified heartbeat request length is larger than its actual length, this memcpy() will read memory past the request buffer and store it in the response buffer which is sent to the attacker
• OpenSSL 1.0.1 – 1.0.1f are vulnerable
• Bug was introduced in December 2011 but not found/disclosed until April 2014
– OpenSSL is used by 2/3 of Internet web servers and many products
• Approximately 534,156 services are vulnerable
– STILL over 120,000 vulnerable
• Cisco was one of the first security companies to provide IPS coverage
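The length check the first bullet describes, written out as a Python parser that an IDS or packet-analysis script could run over a captured TLS Heartbeat record. This is an added example, not code from the talk or from OpenSSL: it compares the claimed payload_length against the bytes actually present in the record, which is the condition the OpenSSL fix tests before copying and the condition an IPS signature for this bug matches on. The record layouts follow RFC 6520 and the TLS record header; the three records at the bottom are constructed test fixtures, not captured traffic.

```python
import struct

TLS_HEARTBEAT_CONTENT_TYPE = 0x18   # TLS record content type for Heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16                    # RFC 6520 requires at least 16 bytes of padding
HEADER_OVERHEAD = 1 + 2             # HeartbeatMessageType (1 byte) + payload_length (2 bytes)


def check_heartbeat_record(record: bytes):
    """Inspect one TLS record and classify the Heartbeat message it carries.

    Returns (verdict, claimed_payload_length, record_body_length). The decisive
    test is the one the OpenSSL fix added: header + claimed payload + minimum
    padding must fit inside the record body. A message failing it is the
    Heartbleed pattern, and a vulnerable memcpy() would read past the buffer.
    """
    if len(record) < 5:
        return ("malformed", None, None)
    content_type, _version, body_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT_CONTENT_TYPE:
        return ("not-heartbeat", None, None)
    body = record[5:5 + body_len]
    if len(body) != body_len:
        # The record header promises more bytes than were captured.
        return ("truncated", None, body_len)
    if len(body) < HEADER_OVERHEAD:
        return ("malformed", None, body_len)
    hb_type = body[0]
    claimed = struct.unpack("!H", body[1:3])[0]
    if HEADER_OVERHEAD + claimed + MIN_PADDING > body_len:
        return ("oversized-heartbeat", claimed, body_len)
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return ("unknown-heartbeat-type", claimed, body_len)
    return ("ok", claimed, body_len)


def _tls_record(body: bytes) -> bytes:
    """Wrap a body in a TLS 1.1 Heartbeat record header (fixture helper only)."""
    return struct.pack("!BHH", TLS_HEARTBEAT_CONTENT_TYPE, 0x0302, len(body)) + body


# Constructed fixtures for the checker, not captured traffic.
# Well-formed request: 4-byte payload "ping" followed by 16 bytes of padding.
BENIGN_RECORD = _tls_record(
    bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
# Heartbleed-shaped request: claims a 16384-byte payload but carries none.
OVERSIZED_RECORD = _tls_record(
    bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0x4000) + b"\x00" * 16)
# Handshake record (content type 0x16) that the checker should pass over.
HANDSHAKE_RECORD = bytes([0x16, 0x03, 0x02, 0x00, 0x00])


if __name__ == "__main__":
    for name, rec in (("benign", BENIGN_RECORD), ("oversized", OVERSIZED_RECORD),
                      ("handshake", HANDSHAKE_RECORD)):
        print(name, check_heartbeat_record(rec))
```

Because the check only needs the record header and the first three bytes of the heartbeat body, it works on the request direction alone; that is why network-side coverage could be written before most servers were patched, and why the "no response seen" split in the telemetry slides later in this deck can be measured at all.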
Security Impact
• Bigger than 443
• Any SSL service is being targeted
• Most prominent sites have already patched
• Many, many, smaller sites are not patched…
• Worst case: Private keys, credentials and more leaked• Hijacked accounts -> more exploit kits
• Embedded devices are unlikely to patch
• May enable lateral movement
• Without security monitoring there is no real way to know if you were exploited
• The client side attack is also concerning
Network Telemetry Attacker Sources
Network Telemetry Successful Attacks
Attacker Success (chart): No response 87.47%, Response 12.53%
Services Being Targeted (chart by destination port/ICMP code):
• 465 (smtps)/tcp
• 995 (pop3s)/tcp
• 993 (imaps)/tcp
• 443 (https)/tcp
Services Attack Success (chart by source port/ICMP type):
• 465 (smtps)/tcp
• 995 (pop3s)/tcp
• 993 (imaps)/tcp
• 443 (https)/tcp
Client Side Exploitation is a Reality (chart): Server ports 94.61%, Client ports 5.39%
Alert Volume...
Shellshock
Shellshock: CVE-2014-6271
Shellshock Exploitation
We first detected attempts to exploit Shellshock at 0400 GMT on 24 Sept.
Shellshock Creativity
Types of Activity
• Illegitimate probing (no exploitation)
• Cloud-based and/or other legitimate scanners (no exploitation)
• Lateral movement / privilege escalation
• Attempts to establish reverse shell
• Attempts to retrieve sensitive files (passwd file, HTTPS certificate, etc.)
• Stealing bitcoins
• Remote patching attempts
Affected Protocols & Programs
• HTTP (typically cgi)
• DHCP
• SSH
• inetd
• qmail, procmail, exim
• OpenVPN
• ???
Mitigations
• This will be around a long time
• Upgrade
• Still many vulnerable machines out there
Sponsored Attacks
Threat: APT
Exploit Kits
Evolving Exploit Kits
Shifts in the attack vectors (chart of log volume for Java, Silverlight and Flash): Java drop 34%, Silverlight rise 228%
Exploit Kits: Nuclear Exploit Kit
Group 72
Group 72 Takedown
“Operation SMN” refers to the takedown of a threat actor that has targeted and exploited individual victims and organisations worldwide. Cisco was one of the participants in this effort.
Mitigations
• Gh0stRat — Win.Trojan.Gh0stRAT, 19484, 27964
• PoisonIVY / DarkMoon — Win.Trojan.DarkMoon, 7816, 7815, 7814, 7813, 12715, 12724
• Hydraq — Win.Trojan.HyDraq, 16368, 21304
• HiKit — Win.Trojan.HiKit, 30948
• Zxshell — Win.Trojan.Zxshell, 32180, 32181
• DeputyDog — Win.Trojan.DeputyDog, 28493, 29459
• Derusbi — Win.Trojan.Derusbi, 20080
Wiper Malware
Wiper Malware
• Good enough development cycle
• If you don’t need an F1 car, why build one?
• A growing trend?
• Many verticals targeted…
– Oil & Energy
– Electronics
– Entertainment
– Banking & Finance
• Many reasons why using wipers may make sense…
Building a Better Mousetrap
Protecting the Customer
• Talos always wants to deliver up-to-date detection for the latest threats in the quickest, most efficient manner possible.
• The quality of the detection should never be dismissed
• For full details, please read our blog: http://blogs.cisco.com/talos/wiper-malware
Cryptowall 2.0
Cryptowall 2.0
• Data is the new target
• Ransomware
– Becoming more popular
– Using more evasive techniques
Evasive Techniques
• Encrypted Binary
• Anti-VM check
• Uses TOR for Command & Control
• Runs 32-bit & 64-bit code simultaneously
Stopping Ransomware
• Before:
• ESA Stops the spam which is the primary infection vector.
• During:
• AMP, NGFW, IPS in addition to CWS & WSA detect and block attempts at downloading malware.
• After:
• IPS & NGFW identify and block malware operation and spread.
For more information, see our blog entry: http://blogs.cisco.com/security/talos/cryptowall-2
Ghost
Ghost in the Machine – CVE-2015-0235
• 0-day vulnerability in GNU C Library
– gethostbyname()
– gethostbyname2()
• An exploit for the Exim mail server exists that “bypasses all existing protections (ASLR, PIE, NX) on 32-bit and 64-bit machines”
– A Metasploit module is intended to be released
Ghost in the Machine – CVE-2015-0235
• How bad is it really?
– Application must accept hostname input to one of the deprecated functions, BUT…
– Malformed hostname must consist of digits and contain at most three dots
• What kind of software could be vulnerable?
– Relatively few real-world applications accept this type of data as input
– Ex: Exim mail server, procmail, pppd and others
• A patch has existed since May 2013, but its security impact was not realised
Conclusions
Defence in Depth
• Follow me on twitter: @acchiu_security
• Annual Security report: www.cisco.com/go/ASR
Call to Action
• Visit the World of Solutions for
– Cisco Campus
– Walk in Labs
– Technical Solution Clinics
• Meet the Engineer
• Lunch time Table Topics
• DevNet zone related labs and sessions
• Recommended Reading: for reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2015
The Challenges Come from Every Direction (figure labels): Defenders; Sophisticated Attackers; Complex Geopolitics; Boardroom Engagement; Misaligned Policies; Dynamic Threats; Complicit Users
Cisco 2015 Annual Security Report
Now available:
cisco.com/go/asr2015
Q & A
Give us your feedback and receive a Cisco Live 2015 T-Shirt!
Complete your Overall Event Survey and 5 Session Evaluations:
• Directly from your mobile device on the Cisco Live Mobile App
• By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/clmelbourne2015
• Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected in the World of Solutions on Friday 20 March 12:00pm - 2:00pm
Complete Your Online Session Evaluation
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.CiscoLiveAPAC.com
Far East Targeted by Drive by Download Attack
Far East Targeted by Drive by
• Began Blocking July 11th 2014
• Affected 27 companies across 8 verticals
– Not a watering hole
Far East Targeted by Drive by
• Sites hosting malicious content:
– ep66.com.tw
– aanon.com.tw
– hongpuu.com.tw
– npec.com.tw
• Flash file exploited CVE-2014-0515
– obfuscated
Far East Targeted by Drive by
• Encryption key “Fifa@Brazil14”
• Port 443 but not SSL
Mitigations
• Blocklist
– ep66.com.tw
– aanon.com.tw
– hongpuu.com.tw
– npec.com.tw
• CVE-2014-0515
• AMP