The New Era of Cyber Threats - Home - VOXvox.veritas.com/legacyfs/online/veritasdata/IS B08.pdf ·...

Page 1: The New Era of Cyber Threats

Orla Cox, Sr Manager, Security Response
Sean Kiernan, Manager, Development, Security Response

Symantec Security Response

Page 2: Some Interesting Statistics…

SYMANTEC VISION 2012

403 million new malware variants discovered in 2011

13 new malware variants discovered per second

5.5 billion attacks blocked by Symantec in 2011

Page 3: What Drives the Modern Day Attacks? (Symantec Security Response)

Hacktivism: DDoS, Defacement

Money: Banking Trojan, Extortion, Scam

Targeted Attacks: Sabotage, Espionage

Page 4: Sabotage Attacks (Targeted Attacks - Sabotage)

“So cyberspace is real.... It’s the great irony of our Information Age – the very technologies that empower us to create and to build also empower those who would disrupt and destroy.” (Barack Obama)

Page 5: Some Background… (Targeted Attacks - Sabotage)

Damaging attacks used to be done for “fun”

Attackers aim to cause havoc and disruption

Attacks causing damage are becoming more organized

Potential state involvement

Page 6: Timeline of Attacks on Critical Infrastructure, 2007 to 2012 (Targeted Attacks - Sabotage)

Estonia DDoS: APR 2007
W32.Stuxnet: JUL 2010
W32.Duqu [dyü-kyü]: SEP 2011
W32.Flamer: MAY 2012
W32.Gauss: AUG 2012
W32.Disttrack: SEP 2012

Page 7: The Rogue Gallery (Targeted Attacks - Sabotage)

Recent threats used to perform sabotage on victims…

W32.Disttrack
Year: 2012
Exploits: 0
Region: Middle East
Actions: Deletes Files/OS
Notes: Overwrites MBR

W32.Stuxnet
Year: 2010
Exploits: 4
Region: Middle East/Asia
Actions: Damages Machinery
Notes: Siemens PLC Code

W32.Flamer
Year: 2012
Exploits: 2
Region: Middle East
Actions: Deletes Files/OS
Notes: Steals Information; Uses Bluetooth

Page 8: Case Study: W32.Disttrack – Shamoon Attacks (Targeted Attacks - Sabotage)

Destructive attacks against energy companies

Two Middle Eastern organizations targeted in quick succession

Multi-stage attack:

• Gather information about target network
• Acquire user credentials
• Gain access to domain controllers
• Spread to computers across network
• Trigger destructive payload

Page 9: W32.Disttrack Behavior (Targeted Attacks - Sabotage)

Main module

• Runs either as a service (no command line args) or as an executable (with command line args)
• Copies itself to: %System%\trksvr.exe • Starts service: TrkSvr • Deletes itself
• Drops and runs: PKCS7 (C&C server comms module) • Filename: netinit.exe
• Drops and runs: PKCS12 (disk wiper component) • Filename: %System%\[RANDOM NAME].exe
• Checks: past destruction date?

Attack local network shares

• Copies itself to: \\[REMOTE IP]\ADMIN$\system32\[RANDOM NAME].exe, \\[REMOTE IP]\C$\system32\[RANDOM NAME].exe, \\[REMOTE IP]\D$\system32\[RANDOM NAME].exe, \\[REMOTE IP]\E$\system32\[RANDOM NAME].exe
• Executes itself using: 1. a scheduled remote job, 2. creating a remote service
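The lateral-movement steps listed above (a TrkSvr service install, copies of the binary into the ADMIN$/C$/D$/E$ shares, execution through a remote job) are what a defender can hunt for in host and share-access logs. The following Python detector is an added example, not code from the deck or from Symantec. The log lines are constructed for the demo and their KEY=VALUE field layout is an assumption, not a real event format; only the event IDs used to tag them (7045 new service installed, 5145 share object accessed, 4698 scheduled task created) are real Windows event IDs.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the deck). The KEY=VALUE layout is an
# assumption for this demo; only the event IDs (7045 service installed, 5145 share
# object accessed, 4698 scheduled task created) correspond to real Windows events.
SAMPLE_LOGS = [
    "2012-08-15 11:08:01 EVT=7045 HOST=WS-042 Source=local ServiceName=TrkSvr "
    "ImagePath=C:\\Windows\\System32\\trksvr.exe",
    "2012-08-15 11:08:03 EVT=5145 HOST=FS-01 Source=10.0.1.42 Share=\\\\*\\ADMIN$ "
    "RelativeTarget=system32\\kvmjd.exe Access=WriteData",
    "2012-08-15 11:08:04 EVT=5145 HOST=FS-01 Source=10.0.1.42 Share=\\\\*\\C$ "
    "RelativeTarget=system32\\kvmjd.exe Access=WriteData",
    "2012-08-15 11:08:05 EVT=4698 HOST=FS-01 Source=10.0.1.42 TaskName=\\At1 "
    "Command=C:\\Windows\\system32\\kvmjd.exe",
    "2012-08-15 11:09:10 EVT=5145 HOST=FS-01 Source=10.0.1.7 Share=\\\\*\\C$ "
    "RelativeTarget=Users\\bob\\report.docx Access=ReadData",
    "2012-08-15 11:10:00 EVT=7045 HOST=WS-042 Source=local ServiceName=Spooler "
    "ImagePath=C:\\Windows\\System32\\spoolsv.exe",
]

ADMIN_SHARES = {"ADMIN$", "C$", "D$", "E$"}   # the shares named on the slide
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one KEY=VALUE log line into a dict (the timestamp carries no '=' and is skipped)."""
    return dict(FIELD_RE.findall(line))


def detect_disttrack_activity(lines):
    """Return (rule, host, detail) findings for the three behaviours on the slide."""
    findings = []
    # (host, source) -> basenames of executables written into that host's admin shares,
    # so a later remote job on the same host can be tied back to the staged copy
    staged = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        evt, host, source = ev.get("EVT"), ev.get("HOST", "?"), ev.get("Source", "?")
        if evt == "7045":
            # Rule 1: the dropper installs itself as service TrkSvr from %System%\trksvr.exe
            name = ev.get("ServiceName", "")
            image = ev.get("ImagePath", "").lower()
            if name.lower() == "trksvr" or image.endswith("\\trksvr.exe"):
                findings.append(("service-install", host, name))
        elif evt == "5145":
            # Rule 2: an .exe written under system32 via ADMIN$/C$/D$/E$ is a lateral copy
            share = ev.get("Share", "").rsplit("\\", 1)[-1].upper()
            target = ev.get("RelativeTarget", "").lower()
            if (share in ADMIN_SHARES and target.startswith("system32\\")
                    and target.endswith(".exe") and "Write" in ev.get("Access", "")):
                staged[(host, source)].add(target.rsplit("\\", 1)[-1])
                findings.append(("admin-share-exe-write", host, f"{share}\\{target}"))
        elif evt == "4698":
            # Rule 3: a scheduled job whose command is a binary that was just staged over
            # an admin share from the same source (the "scheduled remote job" step)
            base = ev.get("Command", "").lower().rsplit("\\", 1)[-1]
            if base in staged[(host, source)]:
                findings.append(("remote-job-runs-staged-exe", host, base))
    return findings


if __name__ == "__main__":
    for rule, host, detail in detect_disttrack_activity(SAMPLE_LOGS):
        print(f"{rule:28} {host:8} {detail}")
```

Rule 3 is deliberately conditioned on Rule 2 having fired for the same host and source: a scheduled task on its own is routine, but one that runs a binary written into system32 over an admin share moments earlier is the exact sequence the slide describes. The same correlation would apply to the "create a remote service" variant by checking 7045 image paths against the staged set.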

Page 10: W32.Disttrack – Wiping Module (Targeted Attacks - Sabotage)

• Uses a legitimate disk driver to read/write disk sectors
• Identifies all system and boot partitions and wipes them all
• Overwrites files with random strings, creating the following pattern on the disk: 192K wiped, 1 MB untouched, 192K wiped, 1 MB untouched, …
• Overwrites the MBR with 192K of random data
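The alternating 192K wiped / 1 MB untouched layout is a forensic signature an analyst can look for on a disk image: the wiped stretches are random bytes with near-maximal entropy, while the untouched stretches are ordinary filesystem data. The following Python scanner is an added example, not code from the deck or from Symantec. It builds an in-memory image with that layout from constructed data (random bytes for the wiped stretches, repeated text for the intact ones) and then recovers the period from per-chunk entropy; the 64K chunk size and the 7.5 bits/byte threshold are choices made for this example.

```python
import math
import os
from collections import Counter

CHUNK = 64 * 1024        # scan granularity; 192K and 1 MB are both multiples of 64K
WIPED_ENTROPY = 7.5      # bits/byte; random data is close to 8, filesystem data far below
WIPED_LEN = 192 * 1024   # the two lengths from the slide
GAP_LEN = 1024 * 1024


def chunk_entropy(data):
    """Shannon entropy in bits per byte of one chunk."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_runs(image):
    """Collapse the image into [(offset, length, is_high_entropy), ...] runs."""
    runs = []
    for off in range(0, len(image), CHUNK):
        high = chunk_entropy(image[off:off + CHUNK]) > WIPED_ENTROPY
        if runs and runs[-1][2] == high:
            runs[-1] = (runs[-1][0], runs[-1][1] + CHUNK, high)
        else:
            runs.append((off, CHUNK, high))
    return runs


def matches_disttrack_pattern(image):
    """True when the image alternates 192K high-entropy / 1 MB normal, starting at offset 0."""
    runs = entropy_runs(image)
    if not runs or not runs[0][2]:
        return False
    pairs = [(runs[i][1], runs[i + 1][1]) for i in range(0, len(runs) - 1, 2)]
    return len(pairs) >= 2 and all(w == WIPED_LEN and g == GAP_LEN for w, g in pairs)


def build_sample_image(periods=3):
    """Constructed test image (not real disk data) with the layout the slide describes."""
    intact = b"$MFT FILE0 invoice_2012.xlsx quarterly_report.docx " * 32  # low entropy
    intact = (intact * (GAP_LEN // len(intact) + 1))[:GAP_LEN]
    img = bytearray()
    for _ in range(periods):
        img += os.urandom(WIPED_LEN)   # stands in for the random overwrite
        img += intact
    return bytes(img)


if __name__ == "__main__":
    for off, length, high in entropy_runs(build_sample_image()):
        print(f"offset {off:>9}  length {length:>8}  {'WIPED' if high else 'intact'}")
```

On a real image the periodicity would be measured relative to the start of the wiped partition rather than offset 0, and a single high-entropy run can also be a compressed or encrypted file, so the decisive signal is the repeating 192K/1 MB period rather than any one run.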

Page 11: Espionage (Targeted Attacks - Espionage)

“Targeted threats are a class of malware destined for one specific organization or industry. A type of crimeware, these threats are of particular concern because they are designed to capture sensitive information.” (Wikipedia)

Page 12: Timeline of Cyber Espionage Attacks, 2007 to 2012 (Targeted Attacks - Sabotage)

Ghostnet: JUN 2008
W32.Stuxnet: JUN 2009
Hydraq/Aurora: DEC 2009
Night Dragon: FEB 2011
Trojan.Taidoor (台门): FEB 2012
LuckyCat: FEB 2012
Elderwood: SEP 2012

Page 13: Information Theft (Targeted Attacks – Espionage)

Information is a source of wealth & power

Information is a key asset of any organization

Types of Info: Designs, Business Plans, Financial Info, Personnel Info

Page 14: Targeted Attacks Do Happen (Targeted Attacks - Espionage)

• Industrial espionage, hacktivism or state sponsored activity
• 151 targeted attacks per day in June 2012
• Small businesses often not well protected, but connected to others

Number of employees of the targeted organization per attack:
1-250: 37%
251-500: 2.9%
501-1000: 2.9%
1001-1500: 2.6%
1501-2500: 11%
2501+: 44%

Page 15: Top 10 Most Attacked Sectors 2011 (Targeted Attacks - Espionage)

[Chart: the sector labels were not captured in the transcript; the ten values shown are 25.4%, 15.4%, 13.5%, 6.2%, 6%, 5.9%, 4.3%, 3.2%, 3.2% and 3%]

Page 16: How They Operate (Targeted Attacks – Espionage)

Stages: RECONNAISSANCE, INCURSION, DISCOVERY, CAPTURE, EXFILTRATION

INCURSION: Attacker breaks into the network by delivering targeted malware to vulnerable systems and employees

DISCOVERY: Attacker then maps the organization’s defenses from the inside and creates a battle plan

CAPTURE: Accesses data on unprotected systems; installs malware to secretly acquire data or disrupt operations

EXFILTRATION: Data sent to attacker for analysis; information may be used for various purposes including fraud and planning further attacks

Page 17: How Are The Attacks Carried Out? (Targeted Attacks – Espionage)

Page 18: Case Study: Taidoor (Targeted Attacks - Espionage)

Trojan.Taidoor (台门): FEB 2012

• 4-year-long targeted attack campaign targeting influencers of US/Taiwanese policy
• Targeted a variety of industries, but over time focus narrowed towards think tanks
• Peak number of targeted emails coincided with a US-Taiwanese defence industry conference in Sept 2011
• “Mr X”, a naval warfare expert, was of particular interest
• Targeted 66 times in 2011!

Page 19: Case Study: Taidoor (Targeted Attacks – Espionage)

[Chart: the category labels were not captured in the transcript; the values shown are 47%, 31%, 12% and 5%]

• Highly targeted email-based attacks
• Emails usually contain files with exploit code (rarely use zero-days)
• Emails may be generic or tailored for each targeted individual
• PDF is the most commonly used file format for these attacks
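Since the deck names PDF as the most common carrier of the exploit code in these emails, a mail gateway or analyst can at least triage attachments for the PDF features such files usually need (scripts, open actions, launch actions, embedded files), including inside compressed streams where a plain grep would miss them. The following Python checker is an added example, not code from the deck or from Symantec: the two PDFs it inspects are constructed inside the script, and the keyword list is a choice made for this example, so a hit is a reason to look closer rather than a verdict.

```python
import re
import zlib

# PDF name objects that an ordinary document rarely needs
RISKY_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
              b"/Launch", b"/EmbeddedFile", b"/RichMedia"]
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _inflated_streams(data):
    """Yield stream bodies, decompressing the FlateDecode ones so hidden names show up."""
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body


def triage_pdf(data):
    """Count risky names in the raw file plus its inflated streams."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "hits": {}}
    text = data + b"\n".join(_inflated_streams(data))
    hits = {}
    for key in RISKY_KEYS:
        # whole-name match only: /JS must not count /JSX, /AA must not count /AAB
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z0-9])", text))
        if n:
            hits[key.decode()] = n
    return {"is_pdf": True, "hits": hits}


def _minimal_pdf(catalog_extra=b"", extra_objects=b""):
    """Constructed one-page PDF skeleton for the demo (not a document from the deck)."""
    return (b"%PDF-1.4\n"
            + b"1 0 obj << /Type /Catalog /Pages 2 0 R " + catalog_extra + b" >> endobj\n"
            + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            + b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            + extra_objects
            + b"trailer << /Root 1 0 R >>\n%%EOF\n")


BENIGN_PDF = _minimal_pdf()

# A launch action hidden in a compressed stream; the target name is a placeholder.
_hidden = zlib.compress(b"<< /S /Launch /F (launch-target-placeholder) >>")
SUSPICIOUS_PDF = _minimal_pdf(
    catalog_extra=b"/OpenAction 4 0 R",
    extra_objects=(b"4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
                   + b"5 0 obj << /Length " + str(len(_hidden)).encode()
                   + b" /Filter /FlateDecode >>\nstream\n" + _hidden
                   + b"\nendstream\nendobj\n"))


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(name, triage_pdf(blob))
```

The check is intentionally structural rather than signature-based, which is the point made elsewhere in the deck: a personalised attachment will not match a known signature, but it still has to carry an open action or script to do anything when opened.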

Page 20: Spear Phishing Attacks – How It Works (Targeted Attacks - Espionage)

1. Attacker sends email with malicious document or link (e.g. http://badstuffhere.com)
2. Exploit is triggered when user opens the document or clicks on link
3. Backdoor is installed

Page 21: Case Study: Elderwood Project (Targeted Attacks - Espionage)

Elderwood: SEP 2012

• Long-running series of campaigns
• Same group responsible for the Hydraq/Aurora attacks in 2009
• Unlike many other groups, the Elderwood gang have access to zero days
• Better equipped than other groups that we have seen
  – Nitro group used 1 zero day
  – Sykipot group used 2 zero days
  – Stuxnet used 4 zero days
  – Elderwood have used 8 zero days!
• Uses both spear-phishing and watering hole attacks

Page 22: Watering Hole Attacks – How They Work (Targeted Attacks - Espionage)

Usage increased substantially in 2012

Steps in attack:
1. Attacker hacks legitimate Web server and injects IFRAME into Web pages
2. User browses to legitimate Web site
3. Returned Web pages contain IFRAME pointing to server hosting exploit kit

[Diagram: Hacked Web Server returning pages containing an injected <iframe> that points to the Server Hosting Exploit Kit]
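Because the injected IFRAME lives in pages the legitimate site itself serves, a site owner can catch step 1 by periodically auditing their own pages for frames that point off-site or are hidden. The following Python auditor is an added example, not code from the deck or from Symantec. The sample page is constructed, the ".example" hostname is a placeholder, and the heuristics (off-site src, display:none or visibility:hidden, zero- or one-pixel dimensions) are choices made here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real site): one legitimate same-origin frame and
# one injected frame of the kind the slide describes.
SAMPLE_PAGE = """<html><head><title>Press releases</title></head><body>
<h1>News</h1>
<iframe src="/widgets/ticker.html" width="300" height="80"></iframe>
<p>Quarterly results are out.</p>
<iframe src="http://exploit-kit.example/landing.php" width="1" height="1"
        style="display:none"></iframe>
</body></html>"""


class IframeAuditor(HTMLParser):
    """Collect iframes that look injected rather than part of the site's own content."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.suspicious = []   # [(src, [reasons]), ...]

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        # a relative src stays on this site; an absolute one names its own host
        host = (urlparse(src).hostname or self.site_host).lower()
        reasons = []
        if host != self.site_host:
            reasons.append("off-site src")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("zero/one-pixel frame")
        if reasons:
            self.suspicious.append((src, reasons))


def audit_page(html, site_host):
    """Return the suspicious iframes found in html served by site_host."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.suspicious


if __name__ == "__main__":
    for src, reasons in audit_page(SAMPLE_PAGE, "www.example.com"):
        print(f"{src}: {', '.join(reasons)}")
```

Run against a crawl of the site's own pages, a frame that is both off-site and hidden is the strong signal; an off-site frame on its own may be a legitimate embed, which is why the reasons are returned separately rather than folded into a single flag. Comparing the audited pages against the deployed source tree closes the remaining gap, since an injected frame is by definition not in version control.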

Page 23: Who’s Targeted (Targeted Attacks - Espionage)

Targets may be any organization with valuable intellectual property: Defense, Shipping, Aeronautics, Arms, Energy, Manufacturing, Engineering, Electronic, Financial, NGO, Software

There may be primary and secondary targets. Secondary targets are used as stepping stones to the primary target.

Page 24: Targeted Attacks - Conclusion (Targeted Attacks - Espionage)

• Attackers are persistent

– Attack campaigns can span several years

– Individuals may be targeted multiple times

• Attacks aren’t always sophisticated, and don’t always use zero days

• Majority of attacks originate through email, although watering hole techniques are increasing

• Attackers most often seek intellectual property

Page 25: Demonstration (Symantec Security Response)

Page 26: Protecting Against Modern Attacks (Symantec Security Response)

Technology | Effectiveness | Reason
Email/IM SPAM Filtering | Weak | Personalized emails to victims evade SPAM filters
Antivirus Signature Scanning | Weak | Attackers can pre-scan executables with existing AV software and modify them until they are no longer detected; spaghetti code confuses heuristic scanning
Intrusion Prevention Systems | Moderate | Most 0-day attacks evade IPS scanners; protocol anomaly detection may have blocked post-infection communications
Browser Shield & Buffer Overflow Protection | High | Doesn’t require a priori knowledge of the exploit; triggers on anomalies in execution path
URL Blocking / Content Filtering | Weak | Attacker-generated domains unknown to filter; these domains are therefore typically allowed
File Reputation Scanning | High | Relies only on the community reputation of the file, which is typically low for personalized malware files
Behavior Blocking | High | Prevents malicious behaviors
Application and Device Control | Moderate | Block external devices; prevent some exploit conditions
Data Loss Prevention | Moderate | Network compromised, but sensitive data retained
.Cloud Email Security | High | Advanced email heuristics block targeted attack emails

Page 27: How to get more information (Symantec Security Response)

Blog: http://www.symantec.com/connect/symantec-blogs/sr
Twitter: http://twitter.com/threatintel
Whitepapers: http://www.symantec.com/security_response/whitepapers.jsp

Page 28: Thank you! (Symantec Security Response)

Orla Cox, Sr Manager, Security Response
Sean Kiernan, Manager, Development, Security Response

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Page 29: Other sessions of interest

• ISB09 (114, tomorrow 9:00)

– SONAR, Insight, Skeptic and GIN - The Symantec secret sauce

• ISB12/13/14 (117, this afternoon)

– Messaging security deployment options - which is really best for you?

– Web security deployment options - which is really best for you?

– Are You Getting the Most From Symantec Protection Suite?

• ISB11 (114, tomorrow 11:45)

– Demo: integrating Symantec products to get the ultimate protection

• ISB07 (114, tomorrow 13:45)

– The roadmap for Symantec infrastructure protection products