The Evolving Threat Landscape
Orla Cox Director, Security Response
Evolving Threat Landscape 2014 SYMANTEC VISION SYMPOSIUM 2014

Attacker motivations
CYBERCRIME: Financial Trojans, Ransomware
ESPIONAGE: Nation states, Corporate
SUBVERSION: DDoS, Social media hacking
SABOTAGE: Physical damage, Data destruction
CYBERCRIME
Financial Trojans at a glance
FINANCIAL INSTITUTIONS REGULARLY ATTACKED: > 1400
COUNTRIES IMPACTED: 88
INCREASE IN INFECTIONS: x3
TOP 10 COUNTRIES MOST INFECTED WITH FINANCIAL TROJANS (Q1 2013):
USA 1M | Japan 206K | UK 178K | Germany 135K | Canada 118K
Australia 88K | India 84K | Italy 71K | Mexico 47K | Brazil 43K
Financial Trojans – common features and techniques
MAN-IN-THE-BROWSER: Aka "webinjects". Hooks the browser and manipulates browser content when the victim logs into online services.
CERTIFICATES/DNS CHANGES: Steals certificates used for authentication and for authorizing transactions. Manipulates DNS settings for MITM attacks.
PAYMENT CARD DATA: Steals payment card details.
SCREEN/VIDEO: Captures screenshots and videos, which lets the malware circumvent virtual keyboards.
DESKTOP HIJACK: Hijacks remote desktop and VNC services to gain unauthorized remote access.
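The man-in-the-browser technique is the one most worth seeing in code. The Go program below is an added example written for this page, not Symantec's code or any Trojan's: it applies a simplified webinject rule (the before/inject/after triple is an assumed layout, loosely modelled on the configs these Trojans carry) to a constructed login page, then shows the server-side check a bank can run, flagging a POST that carries fields the genuine form never declared. The injected fields ride over the genuine TLS session, so the check has to live on the server or WAF, not in the browser.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// InjectRule is a simplified form of the "before / inject / after" triples
// that financial Trojan webinject configs carry (assumed layout).
type InjectRule struct {
	URLContains string // rule applies only to URLs containing this substring
	Before      string // marker that must precede the injection point
	Inject      string // HTML the malware adds
	After       string // marker that must appear after the injection point
}

// ApplyInject rewrites a page the way a man-in-the-browser hook does: the
// browser has already fetched and TLS-validated the genuine HTML, then the
// hook patches it in memory before rendering. Returns the page unchanged
// when the rule does not match.
func ApplyInject(pageURL, html string, r InjectRule) string {
	if !strings.Contains(pageURL, r.URLContains) {
		return html
	}
	start := strings.Index(html, r.Before)
	if start < 0 {
		return html
	}
	start += len(r.Before)
	if !strings.Contains(html[start:], r.After) {
		return html // anchors do not bracket a point in this page
	}
	return html[:start] + r.Inject + html[start:]
}

// UnexpectedFields is the server-side check: the bank knows exactly which
// fields its login form declares, so any extra parameter in the POST body
// (card number, ATM PIN, ...) is a strong webinject indicator.
func UnexpectedFields(form url.Values, expected []string) []string {
	allowed := make(map[string]bool, len(expected))
	for _, name := range expected {
		allowed[name] = true
	}
	var extra []string
	for name := range form {
		if !allowed[name] {
			extra = append(extra, name)
		}
	}
	sort.Strings(extra)
	return extra
}

// Constructed sample page and rule; not taken from any real Trojan config.
const genuineLogin = `<form action="/login" method="post">
<label>Username <input name="user"></label>
<label>Password <input name="pass" type="password"></label>
<button>Sign in</button>
</form>`

var sampleRule = InjectRule{
	URLContains: "/login",
	Before:      `type="password"></label>`,
	Inject: "\n<label>Card number <input name=\"card\"></label>" +
		"\n<label>ATM PIN <input name=\"pin\"></label>",
	After: "<button>",
}

// SubmittedExtras parses a login POST body and reports the fields the
// genuine form (user, pass) never asked for.
func SubmittedExtras(body string) ([]string, error) {
	form, err := url.ParseQuery(body)
	if err != nil {
		return nil, err
	}
	return UnexpectedFields(form, []string{"user", "pass"}), nil
}

func main() {
	patched := ApplyInject("https://bank.example/login", genuineLogin, sampleRule)
	fmt.Println(patched)
	// The victim fills in the injected fields; the POST now carries them.
	extra, _ := SubmittedExtras("user=jsmith&pass=hunter2&card=4111111111111111&pin=1234")
	fmt.Println("unexpected fields:", extra) // [card pin]
}
```

The field-list check only catches injects that add inputs; an inject that silently alters a transfer's destination account produces a well-formed request, which is why the slide also lists it under transaction manipulation and why out-of-band confirmation of transfer details matters.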
Ransomware
Cybercrime gangs who favored fake AV have moved to ransomware. Infection numbers continue to increase.
[Chart: ransomware infections per month, January to December 2013; bar labels 107, 112, 138, 141, 178, 189, 286, 419, 421, 625, 660, 861 (month order not recoverable from the extraction)]
INFECTION # INCREASED 500% IN 2013!
Ransomware: How they work
• Ransomware locks the computer by disabling a number of tools and programs through registry changes
• Disables the keyboard and mouse, leaving only the number pad active
• Downloads and displays a warning message, typically purporting to be from law enforcement
• The warning message typically states that the user has been found accessing illegal content and that a fine must be paid to unlock the computer
Ransomware: Can't speak English? No worries!
The ransomware selects the message to be displayed depending on the location of the computer
Ransomware: Payment
• If the user enters the payment PIN, it is sent to the attacker's command and control server
• The computer is rarely unlocked after payment
[Diagram: victim enters PIN (123456789) → command & control server]

Cryptolocker: The evolution of ransomware
• Cybercriminals now holding data to ransom
• Data on the infected computer is encrypted using strong encryption
• Payment requested for decryption of files
• Decryption not possible without the private key
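The Cryptolocker bullets describe hybrid encryption: a fresh symmetric key per file, wrapped with a public key whose private half never leaves the attacker's server. The Go program below is an added example written for this page with the standard library, not Cryptolocker's code; AES-256-GCM for the file body and RSA-2048 with OAEP for the key wrap are assumptions for the illustration (the slide says only "strong encryption"). The point it demonstrates is that nothing left on the victim's disk, and no other RSA key, can reverse the encryption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what remains on disk after the ransomware has run.
type EncryptedFile struct {
	WrappedKey []byte // per-file AES key, encrypted to the attacker's RSA public key
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM ciphertext of the original file
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForRansom runs on the victim. It needs only the public key, so
// nothing that can undo the encryption is ever written to the victim's disk.
func EncryptForRansom(attackerPub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // fresh AES-256 key for this file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// fileKey goes out of scope here; only the wrapped copy survives.
	return &EncryptedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Decrypt needs the RSA private key, which stays on the attacker's command
// and control server; the victim is asked to pay for its use.
func Decrypt(attackerPriv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, attackerPriv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// Demo encrypts a constructed document and reports whether the holder of the
// attacker's private key recovers it (recovered) and whether the holder of a
// different private key cannot (wrongKeyFails).
func Demo() (recovered, wrongKeyFails bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	victimDoc := []byte("Q3 forecast (constructed sample document)")
	ef, err := EncryptForRansom(&attacker.PublicKey, victimDoc)
	if err != nil {
		return false, false, err
	}
	plain, err := Decrypt(attacker, ef)
	if err != nil {
		return false, false, err
	}
	recovered = bytes.Equal(plain, victimDoc)

	someoneElse, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return recovered, false, err
	}
	_, err = Decrypt(someoneElse, ef)
	wrongKeyFails = err != nil
	return recovered, wrongKeyFails, nil
}

func main() {
	recovered, wrongKeyFails, err := Demo()
	fmt.Println("private key recovers file:", recovered, "| other key fails:", wrongKeyFails, "| err:", err)
}
```

Because the public key is all the malware needs, an analyst who captures a sample learns nothing that helps victims; only a seized or leaked private key (as happened after the Operation Tovar takedown on a later slide) or offline backups recover the data.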
Evolving Cybercrime Networks
TRADITIONAL BOTNET | PEER TO PEER BOTNET
Single point of failure | No single point of failure
Only one or a few C&C servers | Every peer acts as C&C server
Vulnerable to takedown & sinkholing | Difficult to take down or sinkhole
Unsurprisingly, cybercriminals are increasingly moving to P2P infrastructure
How we took out half a million ZeroAccess bots
• ZeroAccess uses a highly resilient decentralized, P2P botnet architecture
• Every botnet member acts as a C&C server, making sinkholing almost impossible
• Created sinkholes that acted like peers
• Inserted our sinkhole addresses into peer lists; the peer lists then propagated through the botnet
• Eventually bots only have our sinkhole peer addresses
• Game over for ZeroAccess!
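The ZeroAccess bullets describe a sinkhole that joins the P2P network as a peer and lets the bots' own peer-list gossip do the rest. The simulation below is an added example written for this page, not Symantec's sinkhole code. Its rules are modelling assumptions that capture the mechanism on the slide rather than ZeroAccess's real parameters: each bot keeps the 16 freshest peers it knows (ZeroAccess kept 256), queries every entry once per round, real peers answer only 30% of queries because most sit behind NAT or are offline, and a sinkhole always answers and reports only sinkhole addresses as just seen. Run it and every bot ends up knowing nothing but sinkholes.

```go
package main

import (
	"fmt"
	"math/rand"
	"sort"
)

const (
	peerListSize = 16  // assumption: ZeroAccess kept 256; smaller keeps the run quick
	responseRate = 0.3 // assumption: share of real peers that answer (rest NATed/offline)
)

type peer struct {
	id   int
	seen int // simulation round in which the peer was last heard about
}

type node struct {
	id    int
	sink  bool
	peers []peer // freshest first
}

// Botnet holds nBots real bots followed by the sinkholes, which speak the
// same peer-exchange protocol but answer every query with sinkhole addresses.
type Botnet struct {
	nodes []*node
	nBots int
	rng   *rand.Rand
}

func NewBotnet(nBots, nSinkholes int, seed int64) *Botnet {
	b := &Botnet{nBots: nBots, rng: rand.New(rand.NewSource(seed))}
	for i := 0; i < nBots+nSinkholes; i++ {
		b.nodes = append(b.nodes, &node{id: i, sink: i >= nBots})
	}
	// Every bot starts out knowing peerListSize random other bots and no sinkhole.
	for _, n := range b.nodes[:nBots] {
		known := map[int]bool{n.id: true}
		for len(n.peers) < peerListSize {
			p := b.rng.Intn(nBots)
			if !known[p] {
				known[p] = true
				n.peers = append(n.peers, peer{id: p})
			}
		}
	}
	return b
}

// sinkholeList is a sinkhole's answer: only sinkholes, all "seen" right now.
func (b *Botnet) sinkholeList(now int) []peer {
	var out []peer
	for _, s := range b.nodes[b.nBots:] {
		out = append(out, peer{id: s.id, seen: now})
	}
	return out
}

// SeedSinkholes is the "inserted our sinkhole addresses into peer lists"
// step: the first count bots learn the sinkholes as freshly seen peers.
func (b *Botnet) SeedSinkholes(count int) {
	for _, n := range b.nodes[:count] {
		n.peers = merge(n.peers, b.sinkholeList(1))
	}
}

// merge keeps the peerListSize freshest entries (ties broken by id, so the
// high-numbered sinkholes win). A peer that always answers and always reports
// itself as just seen therefore pushes silent real peers out of the list.
func merge(have, learned []peer) []peer {
	freshest := map[int]int{}
	for _, lst := range [][]peer{have, learned} {
		for _, p := range lst {
			if s, ok := freshest[p.id]; !ok || p.seen > s {
				freshest[p.id] = p.seen
			}
		}
	}
	out := make([]peer, 0, len(freshest))
	for id, s := range freshest {
		out = append(out, peer{id: id, seen: s})
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].seen != out[j].seen {
			return out[i].seen > out[j].seen
		}
		return out[i].id > out[j].id
	})
	if len(out) > peerListSize {
		out = out[:peerListSize]
	}
	return out
}

// Round: every bot queries each peer in its list; answers are taken from a
// snapshot so the whole round reflects the state at its start.
func (b *Botnet) Round(now int) {
	snapshot := make([][]peer, len(b.nodes))
	for i, n := range b.nodes {
		snapshot[i] = append([]peer(nil), n.peers...)
	}
	for i, n := range b.nodes[:b.nBots] {
		for _, c := range snapshot[i] {
			target := b.nodes[c.id]
			var answer []peer
			switch {
			case target.sink:
				answer = b.sinkholeList(now)
			case b.rng.Float64() < responseRate:
				answer = snapshot[c.id]
			default:
				continue // no reply: the entry is not refreshed and ages out
			}
			n.peers = merge(n.peers, append([]peer{{id: target.id, seen: now}}, answer...))
		}
	}
}

// SinkholedFraction is the share of bots whose entire peer list is sinkholes,
// i.e. bots that can no longer reach any real peer.
func (b *Botnet) SinkholedFraction() float64 {
	done := 0
	for _, n := range b.nodes[:b.nBots] {
		all := true
		for _, p := range n.peers {
			if p.id < b.nBots {
				all = false
				break
			}
		}
		if all {
			done++
		}
	}
	return float64(done) / float64(b.nBots)
}

// Simulate returns the first round at which every bot knows only sinkholes,
// or -1 if that does not happen within maxRounds.
func Simulate(nBots, seededBots int, seed int64, maxRounds int) int {
	b := NewBotnet(nBots, peerListSize, seed)
	b.SeedSinkholes(seededBots)
	for r := 1; r <= maxRounds; r++ {
		b.Round(r)
		if b.SinkholedFraction() == 1 {
			return r
		}
	}
	return -1
}

func main() {
	fmt.Println("rounds until every bot knows only sinkholes:", Simulate(200, 5, 42, 300))
}
```

The asymmetry that makes this work is the one the slide relies on: a sinkhole is always reachable and always claims to have just been seen, while real peers behind NAT never answer and so never get their timestamps refreshed. A botnet that signed peer-list entries, or rate-limited how fast one peer can replace another, would blunt it.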
Operation Tovar: Takedown of GameOver Zeus & Cryptolocker
COLLABORATION BETWEEN LAW ENFORCEMENT AND SECURITY INDUSTRY
• A flaw in C&C communication was exploited to redirect traffic to servers owned by law enforcement
• The security industry assists with cleanup, providing removal tools
• Infections show signs of increasing again; ongoing action is needed
SUBVERSION
Subversion through hacktivism
WEBSITE DEFACEMENT | DDOS ATTACK | SOCIAL MEDIA HACKING
PREFERENCE FOR HACKING SOCIAL MEDIA:
• Powerful communications medium
• Easy to propagate false market-moving news
• Fast, and news can spread virally
SOCIAL MEDIA ACCOUNTS VULNERABLE:
• Social engineering attacks
• Password guessing/brute force
• Guessing security questions
Distributed denial of service (DDoS) attacks
DDOS ON THE RISE:
• Attack size +216% Q1-Q2 2014
• Attacks are shorter but stronger
• Max of 400 Gbps, a record level in 2014
TYPES OF ATTACKS:
• BOTNETS: Attacker controlled botnets, increasingly using hacked Linux servers
• AMPLIFICATION/REFLECTION: Abusing DNS, NTP, SNMP services to multiply attack size
• WEB APPLICATIONS: Attacks against specific service-based features; accounts for 69% of DDoS using HTTP*
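Of the three attack types, amplification/reflection is the one a network defender can pick out of flow data on the victim's side. The Go program below is an added example, not from the presentation: it parses a few constructed flow records (the one-line-per-flow format is assumed, not a real exporter's) and flags targets receiving large UDP responses from many distinct DNS, NTP or SNMP servers. That combination, many reflectors, large packets, and a source port belonging to a service the target never queried, is what reflected traffic looks like from the receiving end.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

// UDP services the slide names as reflectors, keyed by the source port
// their amplified responses arrive from.
var reflectorPorts = map[int]string{53: "DNS", 123: "NTP", 161: "SNMP"}

type Flow struct {
	Src, Dst         string
	SrcPort, DstPort int
	Proto            string
	Bytes, Packets   int
}

// ParseFlow reads one line of the constructed summary format used below:
// "src:sport > dst:dport proto bytes packets" (assumed format).
func ParseFlow(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) != 6 || f[1] != ">" {
		return Flow{}, fmt.Errorf("malformed flow line: %q", line)
	}
	src, sport, err := net.SplitHostPort(f[0])
	if err != nil {
		return Flow{}, err
	}
	dst, dport, err := net.SplitHostPort(f[2])
	if err != nil {
		return Flow{}, err
	}
	nums := make([]int, 4)
	for i, s := range []string{sport, dport, f[4], f[5]} {
		if nums[i], err = strconv.Atoi(s); err != nil {
			return Flow{}, err
		}
	}
	return Flow{Src: src, Dst: dst, SrcPort: nums[0], DstPort: nums[1],
		Proto: strings.ToLower(f[3]), Bytes: nums[2], Packets: nums[3]}, nil
}

func ParseFlows(text string) ([]Flow, error) {
	var flows []Flow
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		fl, err := ParseFlow(line)
		if err != nil {
			return nil, err
		}
		flows = append(flows, fl)
	}
	return flows, nil
}

type Finding struct {
	Target     string
	Service    string
	Reflectors int     // distinct source addresses
	Bytes      int
	AvgPacket  float64 // bytes per packet; amplified responses are large
}

// DetectReflection groups UDP flows whose *source* port is a reflector
// service by target, then flags targets hit by many distinct reflectors
// with large responses. Legitimate replies come from the one or two servers
// the target actually queried; an amplified flood comes from many.
func DetectReflection(flows []Flow, minReflectors int, minAvgPacket float64) []Finding {
	type key struct {
		target string
		port   int
	}
	type agg struct {
		sources        map[string]bool
		bytes, packets int
	}
	groups := map[key]*agg{}
	for _, fl := range flows {
		if _, ok := reflectorPorts[fl.SrcPort]; !ok || fl.Proto != "udp" {
			continue
		}
		k := key{target: fl.Dst, port: fl.SrcPort}
		a := groups[k]
		if a == nil {
			a = &agg{sources: map[string]bool{}}
			groups[k] = a
		}
		a.sources[fl.Src] = true
		a.bytes += fl.Bytes
		a.packets += fl.Packets
	}
	var out []Finding
	for k, a := range groups {
		if a.packets == 0 {
			continue
		}
		avg := float64(a.bytes) / float64(a.packets)
		if len(a.sources) >= minReflectors && avg >= minAvgPacket {
			out = append(out, Finding{Target: k.target, Service: reflectorPorts[k.port],
				Reflectors: len(a.sources), Bytes: a.bytes, AvgPacket: avg})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Bytes > out[j].Bytes })
	return out
}

// Constructed flow records (documentation address ranges): an NTP flood
// against 203.0.113.10 from four reflectors, one ordinary DNS reply, a TCP
// session, and two DNS replies to another host that stay under threshold.
const sampleFlows = `
198.51.100.5:123 > 203.0.113.10:4521 udp 48200 100
198.51.100.9:123 > 203.0.113.10:4521 udp 47100 98
192.0.2.17:123 > 203.0.113.10:4521 udp 50040 104
192.0.2.88:123 > 203.0.113.10:4521 udp 46080 96
198.51.100.5:53 > 203.0.113.10:35700 udp 120 1
203.0.113.10:51234 > 192.0.2.17:443 tcp 5400 12
192.0.2.200:53 > 203.0.113.44:60001 udp 40300 80
192.0.2.201:53 > 203.0.113.44:60002 udp 39800 79
`

// Analyze runs the detector over the sample with thresholds of three
// distinct reflectors and 300 bytes per packet (both assumed tunables).
func Analyze() ([]Finding, error) {
	flows, err := ParseFlows(sampleFlows)
	if err != nil {
		return nil, err
	}
	return DetectReflection(flows, 3, 300), nil
}

func main() {
	findings, err := Analyze()
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: %d distinct %s reflectors, %d bytes, avg %.0f bytes/packet\n",
			f.Target, f.Reflectors, f.Service, f.Bytes, f.AvgPacket)
	}
}
```

In production the next step is to correlate against outbound traffic: a host that sent no NTP or DNS queries but receives responses has no legitimate reason to, and the reflectors themselves (open resolvers, NTP servers still answering monlist) are the abuse to report upstream.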
Why DDoS?
TARGETS: Gaming industry, Media, IT services, Financial institutions, Government agencies
MOTIVATION: Profit, Political, Disputes, Create a diversion
IMPLICATIONS: Service downtime, Reputation damage, Bandwidth costs, Resource costs
EASE OF ACCESS: Free tools available, "Rent a DDoS" services
CYBERESPIONAGE
NUMBER OF TARGETED ATTACK CAMPAIGNS CONTINUES TO RISE…
[Chart: number of targeted attack campaigns, 2012 vs 2013: +91%]
Stages of an attack
INCURSION: Attacker breaks into the network by delivering targeted malware to vulnerable systems and employees
DISCOVERY: Attacker then maps the organization's defenses from the inside and creates a battle plan
CAPTURE: Accesses data on unprotected systems; installs malware to secretly acquire data or disrupt operations
EXFILTRATION: Data sent to attacker for analysis; information may be used for various purposes including fraud and planning further attacks
Turla: Case study of a cyberespionage campaign
A campaign which has systematically targeted the governments and embassies of former Eastern Bloc countries
STAGE 1: RECONNAISSANCE – Initial reconnaissance to identify targets of interest
STAGE 2: SURVEILLANCE – Long term surveillance on targets of interest
DURATION: >4 YEARS
Turla: Two-pronged attack strategy
Turla: Selecting targets
Turla uses a two phased target selection process…
PHASE 1: PROFILING
• Fingerprinting of visitors to the watering hole website
• Info gathered to determine which exploits work best
PHASE 2: TARGET REFINEMENT
• Wipbot delivered to IP addresses associated with intended targets
• Wipbot gathers info about the compromised computer
• Turla delivered to victims of greatest interest
Turla's advanced features allow it to remain undetected for longer, facilitating long term recon missions
Turla: Victim profile
Profile of victims and use of advanced techniques bear the hallmarks of a state-sponsored operation
REGIONS:
• Targets mostly in Western European countries
• Some infections in other regions, including Kazakhstan, China, Jordan, Poland, Ukraine, Armenia
VICTIMS:
• Mostly embassies of former Eastern Bloc countries
• Some ministries in other countries were also targeted
SABOTAGE
A brief history of sabotage attacks…
• APR 2007: Estonia DDoS
• JUL 2010: W32.Stuxnet
• SEP 2011: W32.Duqu [dyü-kyü]
• MAY 2012: W32.Flamer
• AUG 2012: W32.Gauss
• SEP 2012: W32.Disttrack
• MAR 2013: Trojan.Jokra
Dragonfly: Attacks against the energy sector
Dragonfly attack group has been active since 2011, but shifted focus to the energy sector in early 2013…
ACTIVITIES: Information theft; Sabotage capable
TARGETS: Electricity infrastructure; Electricity generation; Industrial equipment suppliers; Pipeline operators
[Timeline: other industries 2011–2012, energy sector 2013–2014]
Dragonfly: The tools of the trade
TROJAN.KARAGNY
• Available in underground markets
• Adapted for use by Dragonfly group
• Download/upload/execute files
• Additional plugins available
BACKDOOR.OLDREA
• Custom made malware
• RAT – full back door access
• Used in 90% of cases
Dragonfly: Infection Vectors
SPAM EMAIL
• TARGETING: Spam email sent to senior employees and engineers
• HISTORY: February 2013
• EMAIL SUBJECTS: "The account"; "Settlement of delivery problem"
• EMAIL ATTACHMENT: Malicious PDF file
WATERING HOLE
• TARGETING: Visitors to compromised websites related to the energy sector
• HISTORY: May 2013
• EXPLOITS: Redirects visitors to other hacked sites hosting the Lightsout exploit kit; malware dropped onto the victim's computer
SUPPLY CHAIN
• TARGETING: Compromise ICS equipment vendors & suppliers
• HISTORY: June/July 2013
• POISONED SOFTWARE: Malware added to software files/updates on vendors' websites; victims unknowingly download and install "Trojanized" software updates
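The supply chain vector is the one with a concrete defensive check: an installer that verifies updates against a signed manifest and a key it already trusts refuses a package that was altered on the vendor's web server. The Go program below is an added example, not the vendors' or Dragonfly's code; the manifest format, and the use of Ed25519 with the vendor key pinned in the previously installed version, are assumptions for the illustration. It plays out three cases: the genuine release, the same file with a dropper appended, and a manifest the attacker regenerated for the trojanized file and signed with a key of their own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrBadSignature = errors.New("manifest not signed by the pinned vendor key")
	ErrBadManifest  = errors.New("manifest has no sha256 entry")
	ErrHashMismatch = errors.New("update contents do not match the signed manifest")
)

// BuildManifest is the vendor-side statement of what a release hashes to.
// The "name=...\nsha256=<hex>\n" layout is assumed for this example.
func BuildManifest(name string, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return []byte(fmt.Sprintf("name=%s\nsha256=%s\n", name, hex.EncodeToString(sum[:])))
}

// SignManifest runs on the vendor's release system, ideally with the
// private key held in an HSM so a compromised web server cannot use it.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyUpdate is the installer-side check: signature against the vendor key
// pinned in the previously installed version, then content hash against the
// manifest. Both must pass before anything from the download is executed.
func VerifyUpdate(pinned ed25519.PublicKey, manifest, sig, payload []byte) error {
	if !ed25519.Verify(pinned, manifest, sig) {
		return ErrBadSignature
	}
	var want string
	for _, line := range strings.Split(string(manifest), "\n") {
		if strings.HasPrefix(line, "sha256=") {
			want = strings.TrimPrefix(line, "sha256=")
		}
	}
	if len(want) != sha256.Size*2 {
		return ErrBadManifest
	}
	got := sha256.Sum256(payload)
	if hex.EncodeToString(got[:]) != want {
		return ErrHashMismatch
	}
	return nil
}

// Scenarios plays the slide's supply-chain attack against this check and
// returns the verifier's verdict for each case.
func Scenarios() (genuine, trojanized, forgedManifest error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	// Constructed stand-in for an installer binary.
	release := []byte("PLC driver setup v1.2 (constructed stand-in for an installer binary)")
	manifest := BuildManifest("plc-driver-1.2.exe", release)
	sig := SignManifest(vendorPriv, manifest)
	genuine = VerifyUpdate(vendorPub, manifest, sig, release)

	// Attacker with write access to the download server appends a dropper.
	poisoned := append(append([]byte{}, release...), []byte("\x00<dropper>")...)
	trojanized = VerifyUpdate(vendorPub, manifest, sig, poisoned)

	// Attacker also rewrites the manifest and signs it with their own key.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return genuine, trojanized, err
	}
	forged := BuildManifest("plc-driver-1.2.exe", poisoned)
	forgedManifest = VerifyUpdate(vendorPub, forged, SignManifest(attackerPriv, forged), poisoned)
	return genuine, trojanized, forgedManifest
}

func main() {
	g, t, f := Scenarios()
	fmt.Println("genuine:", g)         // <nil>
	fmt.Println("trojanized:", t)      // update contents do not match the signed manifest
	fmt.Println("forged manifest:", f) // manifest not signed by the pinned vendor key
}
```

The check is only as good as the key's isolation: if the signing key lives on the same compromised web server, the attacker signs a valid manifest for the trojanized file and the installer accepts it. That is why the key belongs on the release system or in an HSM, and why a hash published on the same site as the download, without a signature, stops nothing.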
Dragonfly: Is sabotage ready?
3 x ICS software vendors specifically targeted:
• DRIVER SOFTWARE: Driver software for specialist PLC devices
• VPN SOFTWARE: Provides remote access to PLC devices that control industrial processes
• MGMNT. SYSTEMS: Management systems for wind turbines, biogas & other energy infrastructure
Establish beachhead in target orgs. Access to critical infrastructure can be used for sabotage.

How to get more information
Blog http://www.symantec.com/connect/symantec-blogs/sr
Twitter @threatintel http://twitter.com/threatintel
Whitepapers http://www.symantec.com/security_response/whitepapers.jsp
Thank you! Orla Cox [email protected] @orlacox
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.