Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters
Transcript of Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters
Understanding Chinese APT Attackers
Greg Hoglund
CTO ManTech CSI & VP, Cofounder HBGary
October 2012
Until recently, this information was known only to those with security clearances. ALL DATA IN THIS
PRESENTATION IS UNCLASSIFIED AND REFERENCED FROM PUBLIC SOURCES
Chinese Espionage
• A focused, organized, and ongoing program of computer exploitation, with the explicit goal of stealing intellectual property and strategic economic information.
Much of the public information about Chinese espionage was leaked via the Wikileaks U.S. Diplomatic Cables
Byzantine Hades
• Byzantine Hades is linked to the First Technical Reconnaissance Bureau (TRB), a division under the GSD 3rd Department of China’s People’s Liberation Army* (China’s equivalent of the NSA)
*http://www.strategypage.com/htmw/htiw/articles/20110417.aspx
Where to learn more
This report details the 3rd Department and its various bureaus
Public Information
• Aurora, Shady RAT, Night Dragon, and others are linked to this single government-sponsored spying program
• These attacks have been running since 2003
They have been penetrating U.S. & foreign networks for NINE YEARS
Chinese Freelancers
• Not all attacks appear to originate directly from government systems. Some appear to be ‘freelancer’ hacking groups – but they target the same kinds of data in similar ways
Attack strategies
• Extensive use of hash cracking, rainbow tables
– PTH (pass-the-hash) toolkit and friends
• Entrenchment strategy
– Multiple backup plans: backup CNC protocols and backup CNC servers, both
• Avoidance of packing, rootkits, etc.
• Staging data for exfil
– Watch out for 3-day weekends
Why do they stay in?
• Polymorphism
• Private source code
• Small number of targets
– not addressed by “big” AV
• Translate.google.com example
• Hide in plain sight
Example
– seclogon.dll / seclogin.dll: the malware RAT is named one character off from a legitimate Windows binary (the genuine Secondary Logon service DLL is seclogon.dll), so a directory listing reads as normal
– TTP: drops 1.txt, 2.txt into c:\RECYCLER, etc…
Cracking hashes remains the primary attack method
A collection of utilities found on a CNC server
C:\RECYCLER: a.bat, asx1.rar, asx2.rar
C:\$RECYCLE.BIN: run.bat, loe.rar
net use \\machine1\ipc$ pass DOMAIN/user
dir \\machine1\c$
net use \\machine2\ipc$ pass DOMAIN/user
dir \\machine2\c$
net use \\machine2\ipc$ pass DOMAIN/user
dir \\machine2\c$
Batch files are common
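The batch file above leaves a distinctive footprint on the victims: one account, from one source address, touching IPC$ and C$ on host after host within minutes. On a live domain you would pull this from the Security log with Get-WinEvent; the following is an added example (not from the slides) that flags the fan-out offline over a constructed, simplified export of Event ID 5140 (network share object accessed) records. The field layout, the four-host threshold and the ten-minute window are assumptions to tune against your own logs.

```python
"""Flag admin-share fan-out (the 'net use \\\\host\\ipc$ ... dir \\\\host\\c$' pattern).

Added example, not from the original slides. Input is a constructed, simplified
export of Windows Security Event ID 5140 (a network share object was accessed):
    <ISO time> <event id> <account> <source ip> <target host> \\*\<share>
The real event carries more fields; this layout is an assumption for the demo.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

ADMIN_SHARES = {"IPC$", "C$", "ADMIN$"}          # shares the batch file touches
LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\S+) \\\\\*\\(\S+)$")

# Constructed sample log: one service account sweeps four hosts in 20 seconds,
# one admin does ordinary work.  Not real data.
SAMPLE_EVENTS = r"""
2012-10-01T02:14:03 5140 CORP\svc_backup 10.1.5.23 FILESRV01 \\*\IPC$
2012-10-01T02:14:04 5140 CORP\svc_backup 10.1.5.23 FILESRV01 \\*\C$
2012-10-01T02:14:09 5140 CORP\svc_backup 10.1.5.23 WKS-0417 \\*\IPC$
2012-10-01T02:14:10 5140 CORP\svc_backup 10.1.5.23 WKS-0417 \\*\C$
2012-10-01T02:14:15 5140 CORP\svc_backup 10.1.5.23 WKS-0418 \\*\IPC$
2012-10-01T02:14:21 5140 CORP\svc_backup 10.1.5.23 WKS-0419 \\*\IPC$
2012-10-01T02:14:22 5140 CORP\svc_backup 10.1.5.23 WKS-0419 \\*\C$
2012-10-01T09:30:00 5140 CORP\jsmith 10.1.9.8 FILESRV01 \\*\C$
2012-10-01T09:31:00 5140 CORP\jsmith 10.1.9.8 FILESRV01 \\*\Public
2012-10-01T09:32:00 5140 CORP\jsmith 10.1.9.8 WKS-0200 \\*\Public
2012-10-01T09:33:00 5140 CORP\jsmith 10.1.9.8 WKS-0201 \\*\Public
2012-10-01T09:34:00 5140 CORP\jsmith 10.1.9.8 WKS-0202 \\*\Public
2012-10-01T09:35:00 5140 CORP\jsmith 10.1.9.8 WKS-0203 \\*\Public
"""


def parse_events(text):
    """Parse the simplified 5140 export into time-ordered dicts; other IDs are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "5140":
            continue
        ts, _, account, source, host, share = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "source": source, "host": host, "share": share})
    return sorted(events, key=lambda e: e["time"])


def find_fanout(events, min_hosts=4, window=timedelta(minutes=10)):
    """One alert per (account, source ip) that reaches admin shares on
    >= min_hosts distinct hosts inside a sliding time window."""
    per_key = defaultdict(list)
    for e in events:
        if e["share"] in ADMIN_SHARES:
            per_key[(e["account"], e["source"])].append(e)

    alerts = []
    for (account, source), evs in per_key.items():
        recent, hosts = deque(), Counter()
        for e in evs:                              # evs are already time-ordered
            recent.append(e)
            hosts[e["host"]] += 1
            while e["time"] - recent[0]["time"] > window:   # expire old events
                old = recent.popleft()
                hosts[old["host"]] -= 1
                if hosts[old["host"]] == 0:
                    del hosts[old["host"]]
            if len(hosts) >= min_hosts:
                alerts.append({"account": account, "source": source,
                               "hosts": sorted(hosts),
                               "start": recent[0]["time"], "end": e["time"]})
                break                              # one alert per key is enough
    return alerts


if __name__ == "__main__":
    for a in find_fanout(parse_events(SAMPLE_EVENTS)):
        print(f"{a['account']} from {a['source']} swept {len(a['hosts'])} hosts "
              f"between {a['start']:%H:%M:%S} and {a['end']:%H:%M:%S}: "
              + ", ".join(a["hosts"]))
```

The key is the (account, source) pair rather than the account alone: a stolen service account used from the administrator's own workstation looks different from the same account used from a compromised desktop, and the source address is what you pivot on next.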
Installing a sethc.exe backdoor
Anti-forensics
• Cleans the log
• Adds/removes services
• Stomps filetimes
• Removes last login times
• Secure deletes files
• Zaps slack disk
• …
[Figure: Attack Progression. Stages: Prepare, Infect, Interact, Exploit. Phases: Reconnaissance, Weaponization, Delivery, Detonation, Command and Control, Escalation & Lateral Movement, Entrenchment, Data Exfiltration. Annotations: Defense Solutions, GAP, Attacker’s exposure, Cost to attacker, High detection potential, Cost to remediate.]
October 17, 2012
[Figure: Length of time from “Compromise to Discovery” in 2010 (source for graph: Verizon Data Breach Report 2010). Also shown: Time Exploited.]
Average length of time before Shady RAT was discovered: 8½ months
Future / Emerging Vectors
Social Media + Bring Your Own Device
bit.ly ? You can’t even tell what you are clicking on…
[Figure: Social Networking Attack (I): injected JavaScript in the social networking space.]
[Figure: Social Network Attack (II): compromised credential in the social networking space.]
The New CNC
Continuous Protection
Make your Infrastructure Smarter
[Figure: Continuous Protection loop. Boxes: Compromise Detected; Reimage Machine; Get Threat Intel; More Compromise; Scan Hosts; Intelligent Perimeter; Host Analysis (Event Timeline, Malware Strings, IP/DNS/URL); Registry Scan, NTFS Scan, Memory Scan; Update GPOs, Update NIDS, Update AV; event; Enterprise-wide Physical Memory and Processes; Enterprise-wide registry and Windows objects.]
Group Tour
APT Group
• Multiple DoD contractor targets
• 30+ C&C domains in play
– nilaye.com, helpmgr.net, etc…
– Registrations through ENOM, Inc.
• ~10 Personas
– Wal Rook (culture reference: Chinese general)
– Tom Hansen
– Tom Hason variant
• Full featured C&C protocol
• No stealth
Parking
• Used to park at 127.0.0.1, now parking at yahoo.com, google, blogspot, etc…
• No longer 255.255.255.255, 1.1.1.1, etc…
• Indicates they know you are using DNS logs to find parked domains
• HBGary has new methods to discover these website-parked domains
– This involves data mining search engine web caches for historical indexed content of yahoo, etc.
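Whichever way you harvest the historical resolutions (passive DNS, your own resolver logs, or search-engine caches as the slide suggests), the analysis that follows is the same: a domain that is not in yahoo.com or google.com but resolves to the same address as www.yahoo.com is parked there, and the other addresses in its history are the live C&C candidates. The script below is an added example, not HBGary’s method, over a constructed export of date/domain/IP lines; it learns the parking addresses from the big sites’ own entries in the same log rather than hard-coding provider netblocks, and also catches the old 127.0.0.1-style parking.

```python
"""Spot C&C domains 'parked' at a big site's address between campaigns.

Added example, not HBGary's method from the slides. Works over a constructed
passive-DNS / DNS-log export of '<date> <domain> <ip>' lines. The parking
addresses are learned from the same log: whatever www.yahoo.com, www.google.com
and www.blogspot.com resolve to. A domain outside those zones that resolves to
one of those addresses, or to a legacy sink such as 127.0.0.1, is parked; the
other addresses in its history are the live C&C candidates.
"""
from collections import defaultdict

LEGACY_PARK = {"127.0.0.1", "0.0.0.0", "1.1.1.1", "255.255.255.255"}
# host queried in the log -> zone whose own names may legitimately share its IPs
BIG_SITES = {"www.yahoo.com": "yahoo.com",
             "www.google.com": "google.com",
             "www.blogspot.com": "blogspot.com"}

# Constructed sample using documentation address ranges; not real resolutions.
SAMPLE_PDNS = """\
2012-06-01 www.yahoo.com 192.0.2.50
2012-06-01 www.google.com 192.0.2.60
2012-06-01 www.blogspot.com 192.0.2.70
2012-06-01 mail.yahoo.com 192.0.2.50
2012-06-01 shop.example 192.0.2.10
2012-06-01 c2-a.example 192.0.2.50
2012-07-15 c2-a.example 192.0.2.50
2012-08-02 c2-a.example 203.0.113.45
2012-09-10 c2-a.example 192.0.2.50
2012-06-01 c2-b.example 127.0.0.1
2012-08-20 c2-b.example 198.51.100.7
"""


def parse_pdns(text):
    """'<date> <domain> <ip>' lines -> list of (date, domain, ip)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append((parts[0], parts[1].lower(), parts[2]))
    return records


def learn_park_ips(records):
    """Map each address a big site resolved to -> that site's zone."""
    park = {}
    for _, domain, ip in records:
        if domain in BIG_SITES:
            park[ip] = BIG_SITES[domain]
    return park


def in_zone(domain, zone):
    return domain == zone or domain.endswith("." + zone)


def classify(domain, ip, park_ips):
    """'parked-legacy', 'parked-<zone>' or 'active:<ip>' for one resolution."""
    if ip in LEGACY_PARK:
        return "parked-legacy"
    zone = park_ips.get(ip)
    if zone and not in_zone(domain, zone):
        return "parked-" + zone
    return "active:" + ip


def find_parked_domains(records):
    """Domains that were parked at any point, with their non-parked addresses."""
    park_ips = learn_park_ips(records)
    history = defaultdict(list)
    for date, domain, ip in records:
        if domain not in BIG_SITES:
            history[domain].append((date, ip))

    findings = {}
    for domain, hist in history.items():
        states = [classify(domain, ip, park_ips) for _, ip in sorted(hist)]
        parked = sorted({s for s in states if s.startswith("parked")})
        if not parked:
            continue
        findings[domain] = {
            "parked_as": parked,
            "active_ips": sorted({s.split(":", 1)[1]
                                  for s in states if s.startswith("active")}),
            # park -> live -> park flips are the campaign on/off switch
            "transitions": sum(1 for a, b in zip(states, states[1:]) if a != b),
        }
    return findings


if __name__ == "__main__":
    for domain, info in find_parked_domains(parse_pdns(SAMPLE_PDNS)).items():
        print(domain, info)
```

mail.yahoo.com shares an address with www.yahoo.com but is inside the yahoo.com zone, so it is not flagged; that zone check is what keeps the big sites’ own infrastructure out of the results.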
APT Group
• DoD contractor-wide compromises
• Full RAT, many variants, private sourcecode
– Drops malicious screensaver, executable, DLL
• C&C protocol unchanged
– All use the same DNS registration email
– New registration email appeared recently
– ~5 Personas (variants of Xue)
• Xue Lan, Lan Xue, Xue Sun, Sun Xue
• Serves malicious PDF from “esnips” social networking site
– FY11_DSDLP.PDF DoD program
Unique String Tracking
• Group uses a consistent RAT built from private source code
• HBGary has specific unique strings that always appear in this group’s malware
– These can be scanned for in physical memory
Infection Phases
• babysleep.scr connects to
– goodfeelingauto.com
• drops auto.exe
• We have also seen several other variants
– e.g., party.exe from mysundayparty.com
• This is all the same malware, but with different compile times, indicating private source code
APT Group
• Very widespread, 30-50 known victims
– DoD contractors, manufacturing, etc.
• Rasauto32 backdoor, nwsapagent backdoor
• C&C: infosupports.com, blackcake.net, purpledaily.org, many others
• Persona: Yingxi Yuan for registrations
• TTP: drop MD5-modified version of cmd.exe
– Sometimes dropped as “ati.exe”
– Change metadata to ‘Macrosoft’, for example
– Trying to hide this shell from your MD5 sweeps
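The MD5-modified cmd.exe and the seclogon.dll/seclogin.dll example earlier are the same lesson: a hash sweep for known-bad or known-good files misses a binary whose bytes were nudged or whose name is one character off. The checks a host sweep should run instead are structural: look-alike file names, system-binary names outside System32, staging artifacts in the Recycler directories, and a version resource whose CompanyName is one edit from “Microsoft Corporation” or whose OriginalFilename names a different system binary than the file on disk. The following is an added example, not HBGary’s scanner, over a constructed file inventory; the lists of system binaries and directories are deliberately short and are assumptions to extend.

```python
"""Checks for the 'hide in plain sight' tricks on this page: look-alike names
(seclogon.dll / seclogin.dll), system-binary names dropped outside System32,
staging artifacts in C:\\RECYCLER, and a renamed MD5-modified cmd.exe
('ati.exe') whose version resource says 'Macrosoft'.

Added example, not HBGary's scanner. It runs over a constructed inventory
(path, version-resource CompanyName and OriginalFilename) of the kind a host
sweep exports; the system-binary and directory lists are assumptions to extend.
"""
import ntpath

SYSTEM_BINARIES = {"seclogon.dll", "cmd.exe", "svchost.exe", "lsass.exe",
                   "sethc.exe", "spoolsv.exe", "rasauto.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
DROP_DIRS = {r"c:\recycler", r"c:\$recycle.bin"}
DROP_EXTS = {".txt", ".rar", ".bat", ".exe", ".dll", ".scr"}
VENDOR = "microsoft corporation"

# Constructed inventory; none of these entries are real observations.
SAMPLE_INVENTORY = [
    {"path": r"C:\Windows\System32\seclogon.dll", "company": "Microsoft Corporation", "original": "seclogon.dll"},
    {"path": r"C:\Windows\System32\seclogin.dll", "company": "Microsoft Corporation", "original": ""},
    {"path": r"C:\RECYCLER\seclogon.dll", "company": "", "original": ""},
    {"path": r"C:\RECYCLER\1.txt", "company": "", "original": ""},
    {"path": r"C:\RECYCLER\asx1.rar", "company": "", "original": ""},
    {"path": r"C:\Windows\System32\ati.exe", "company": "Macrosoft Corporation", "original": "Cmd.Exe"},
    {"path": r"C:\Program Files\Vendor\app.exe", "company": "Vendor Inc", "original": "app.exe"},
]


def levenshtein(a, b):
    """Edit distance; inputs are short, so the plain O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_file(entry):
    """Return the reasons this inventory entry deserves a look (empty = clean)."""
    path = entry["path"].lower()                      # NTFS is case-insensitive
    name, directory = ntpath.basename(path), ntpath.dirname(path)
    ext = ntpath.splitext(name)[1]
    company = entry.get("company", "").lower()
    original = entry.get("original", "").lower()
    reasons = []

    if name in SYSTEM_BINARIES:
        if not directory.startswith(SYSTEM_DIRS):     # real name, wrong place
            reasons.append("system-name-outside-system-dir")
    else:
        for legit in sorted(SYSTEM_BINARIES):         # seclogin.dll vs seclogon.dll
            if levenshtein(name, legit) == 1:
                reasons.append("lookalike-name:" + legit)

    if directory in DROP_DIRS and ext in DROP_EXTS:   # 1.txt, asx1.rar, a.bat ...
        reasons.append("drop-dir-artifact")

    if company and company != VENDOR and levenshtein(company, VENDOR) <= 2:
        reasons.append("company-lookalike:" + VENDOR)  # 'Macrosoft Corporation'

    if original in SYSTEM_BINARIES and original != name:
        reasons.append("renamed-system-binary:" + original)  # ati.exe is cmd.exe
    return reasons


def sweep(inventory):
    """Map path -> reasons for every entry that tripped at least one check."""
    flagged = {}
    for entry in inventory:
        reasons = check_file(entry)
        if reasons:
            flagged[entry["path"]] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in sweep(SAMPLE_INVENTORY).items():
        print(path, "->", ", ".join(reasons))
```

None of these checks involve the file hash at all, which is the point: a one-byte patch to cmd.exe defeats an MD5 list, but it cannot change the fact that the file’s own version resource still says Cmd.Exe while it sits on disk as ati.exe.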
APT Group
• Well over a dozen known DoD contractors hit
• Uses google code site for C&C, base64 encoded comments
• Usernames all variants of XSL/XLS
– XSL2012, XLS2012 transposed
– XXTALTAL, XXTALATL transposed
– XSLPROFILE
• Recently this group changed to a new naming scheme and made pages private
– HBGary has a means to extract cleartext from these private versions via google-cache
[Figure: Command and Control (steps A-D): the backdoor connects to a web server that has been compromised by the hacker; the backdoor downloads a base64-encoded file containing instructions; the file is wrapped in HTML to make it look like a 404 error page.]
C&C control files
• Group has C&C servers running in Hong Kong and also at a Chinese university
• Updates to OPSEC
– Company_name.html old way
– Sexy_monkey.html new way
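Both the google code variant and the compromised-web-server variant carry the same payload shape: base64 inside an HTML comment, on a page that otherwise looks like nothing (a 404, a project page). The added example below, not the group’s code, constructs such a fake 404 and shows both sides: what the backdoor does to pull its tasking out, and the check a proxy or IDS rule can apply, since a real 404 body has no reason to contain a long, cleanly decodable base64 comment. The ‘verb:arg;verb:arg’ tasking format is an assumption made for the demo.

```python
"""Pull tasking out of a C&C page disguised as a 404, and decide whether a
404 body is carrying one.

Added example, not the group's code. The page layout is constructed: a plain
'Not Found' body whose HTML comment holds a base64 blob of 'verb:arg;verb:arg'
tasking. Real implants vary the wrapper; the decoder only assumes 'base64
inside an HTML comment', which is what the slides describe for both variants.
"""
import base64
import binascii
import re
import string

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable)

# Constructed tasking and the fake 404 that carries it (assumed format).
TASKING = "cmd:tasklist /v;cmd:ipconfig /all;sleep:3600"
_BLOB = base64.b64encode(TASKING.encode()).decode()
MALICIOUS_404 = (
    "<html><head><title>404 Not Found</title></head><body>"
    "<h1>Not Found</h1><p>The requested URL was not found on this server.</p>"
    "<!-- " + _BLOB + " --><!-- cache: miss --></body></html>"
)
# A benign 404 with the kinds of comments real servers and templates emit.
BENIGN_404 = (
    "<html><body><h1>Not Found</h1><!-- generated by IIS 6.0 -->"
    "<!-- 1a2b3c4d --><!-- AAAAAAAAAAAAAAAAAAAA --></body></html>"
)


def decode_if_tasking(token, min_len=16):
    """Return decoded text if token is well-formed base64 of printable ASCII and
    at least min_len chars long, else None. Short tokens, anything with spaces,
    and blobs that decode to binary junk (e.g. all NUL) are rejected."""
    token = token.strip()
    if len(token) < min_len or len(token) % 4 or not B64_RE.match(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text or any(c not in PRINTABLE for c in text):
        return None
    return text


def extract_hidden_tasking(html):
    """All comments in the page that decode as tasking, in document order."""
    found = []
    for body in COMMENT_RE.findall(html):
        text = decode_if_tasking(body)
        if text is not None:
            found.append(text)
    return found


def parse_tasking(text):
    """'verb:arg;verb:arg' -> [(verb, arg), ...]  (the backdoor's view)."""
    tasks = []
    for item in text.split(";"):
        if ":" in item:
            verb, arg = item.split(":", 1)
            tasks.append((verb.strip(), arg.strip()))
    return tasks


def looks_like_covert_404(status, html):
    """Detection side: a 404 body should not carry decodable base64 comments."""
    return status == 404 and bool(extract_hidden_tasking(html))


if __name__ == "__main__":
    for text in extract_hidden_tasking(MALICIOUS_404):
        print(parse_tasking(text))
    print(looks_like_covert_404(404, MALICIOUS_404), looks_like_covert_404(404, BENIGN_404))
```

The strict checks in decode_if_tasking (length multiple of four, validate=True, printable output) are what keep the detector quiet on ordinary pages: hex build IDs are too short, template comments contain spaces, and padding-looking runs of A’s decode to NUL bytes.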
APT Group
• spoolsv RAT, man-in-the-middle print driver
• C&C is designed to look like HP driver update
– This is fairly advanced compared to other groups
• C&C DNS: hpwsvs.com, others…
• Full RAT, remote command shell
• Creates DNS strings with single-byte pushes
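Building the DNS name on the stack a byte at a time is exactly the trick that defeats the unique-string tracking described earlier: the literal never exists in the binary or in memory as a contiguous string, only the instructions that write it. A memory scanner therefore needs two passes: the literal search (ASCII and UTF-16LE, since Windows malware stores both) and a pass that recognises the byte-store idiom and rebuilds the string from the immediates. The block below is an added example, not HBGary’s scanner; the indicator list and the “memory image” are constructed, and the stack-string recovery assumes the common x86 form mov byte ptr [ebp+disp8], imm8 (opcode bytes C6 45 disp char) emitted for consecutive displacements. Other encodings (push imm8, esp-relative stores, x64 rip-relative writes) need their own patterns.

```python
"""Scan a memory image for a group's unique strings, including ones a sample
builds on the stack one byte at a time (so they never appear as a literal).

Added example, not HBGary's scanner. The indicators and the 'memory image' are
constructed. Stack-string recovery assumes the x86 idiom
'mov byte ptr [ebp+disp8], imm8' (C6 45 <disp> <char>) with consecutive
displacements; push imm8, esp-relative and x64 forms need extra patterns.
"""

INDICATORS = ["goodfeelingauto.com", "mysundayparty.com", "babysleep.scr", "hpwsvs.com"]


def find_literal_strings(image, indicators):
    """(indicator, encoding, offset) for every ASCII or UTF-16LE occurrence."""
    hits = []
    for ind in indicators:
        for enc in ("ascii", "utf-16-le"):
            needle = ind.encode(enc)
            pos = image.find(needle)
            while pos != -1:
                hits.append((ind, enc, pos))
                pos = image.find(needle, pos + 1)
    return hits


def recover_stack_strings(image, min_len=4):
    """Rebuild strings written by runs of 'C6 45 disp imm8' at disp, disp+1, ..."""
    found = []
    i, n = 0, len(image)
    while i + 4 <= n:
        if image[i] != 0xC6 or image[i + 1] != 0x45:
            i += 1
            continue
        chars, prev_disp, j = bytearray(), None, i
        while j + 4 <= n and image[j] == 0xC6 and image[j + 1] == 0x45:
            disp, ch = image[j + 2], image[j + 3]
            if prev_disp is not None and disp != (prev_disp + 1) & 0xFF:
                break                       # not the next byte of the same buffer
            chars.append(ch)
            prev_disp, j = disp, j + 4
        text = bytes(chars).split(b"\0", 1)[0]          # stop at the NUL terminator
        if len(text) >= min_len and all(0x20 <= b < 0x7F for b in text):
            found.append((text.decode("ascii"), i))
        i = j
    return found


def scan(image, indicators=INDICATORS):
    """Match indicators against literal strings and recovered stack strings."""
    report = {"literal": find_literal_strings(image, indicators), "stack": []}
    wanted = set(indicators)
    for text, off in recover_stack_strings(image):
        if text in wanted:
            report["stack"].append((text, "stack", off))
    return report


def _stack_string_code(s):
    """Instruction bytes a compiler emits for a char-by-char stack string;
    used only to construct the sample image."""
    code, disp = bytearray(), (-len(s) - 1) & 0xFF     # buffer at [ebp-(len+1)]
    for ch in s.encode("ascii") + b"\0":
        code += bytes([0xC6, 0x45, disp, ch])
        disp = (disp + 1) & 0xFF
    return bytes(code)


# Constructed 'memory image': a fake prologue, the stack-built hpwsvs.com,
# a lone C6 45 store that is not a string, then two literal indicators.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"\x55\x8b\xec"                         # push ebp; mov ebp, esp
    + _stack_string_code("hpwsvs.com")        # starts at offset 67
    + b"\x8d\x45\xf5\x50"                     # lea eax, [ebp-0xb]; push eax
    + b"\xc6\x45\xfc\x01"                     # unrelated single-byte store
    + b"\x90" * 16
    + b"goodfeelingauto.com\x00"
    + "babysleep.scr".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 32
)


if __name__ == "__main__":
    result = scan(SAMPLE_IMAGE)
    for kind in ("literal", "stack"):
        for ind, enc, off in result[kind]:
            print(f"{kind:7} {enc:9} @0x{off:04x} {ind}")
```

Running the literal pass alone finds goodfeelingauto.com and babysleep.scr but not hpwsvs.com; only the second pass surfaces it, which is the practical reason a string-based indicator for this group has to be paired with a check on how the string is built.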
Takeaway
• Use your threat intelligence
• You need endpoint visibility
• The perimeter is vanishing
• Security is a counter-intelligence problem, not a technology problem
– Security will not be provided solely by blinking appliances in the rack
HBGary Active Defense dramatically reduced the time between network intrusion and discovery.
- U.S. Government Contractor
We can't live without it. Active Defense is saving us major money.
- Top 10 Financial Institution
Digital DNA is a game changer.
- Big Consulting Company
Responder with Digital DNA is definitely a need-to-have item in our toolbox.
- VP eCrime Unit, Fortune 50 Bank
Thank you Q&A For more information: http://hbgary.com/publications Request a copy of “APT World at War: Region China” poster Contact: [email protected]