TRENDING THE CRIMEWARE ECOSYSTEM
Kevin Stear, Threat Analysis Lead, RSA FirstWatch, @w1mp1

THE ABSTRACT CRIMEWARE ECOSYSTEM
Capitalism and open market forces currently drive the evolution of today’s Crimeware environment, where a close-knit ecosystem of goods and services is thriving based on demand from ongoing malicious campaigns.

THE CRIMEWARE ECOSYSTEM
UNDERGROUND FORUMS AND EXCHANGES
. Underground forums currently occupy several regional network and market segments
. Emerging W. Africa marketplace
− Real Nigerians?
. Forums act as key exchanges for Crimeware goods and services
− Traffic/Delivery
− Hacking-as-a-Service (HaaS)
− Malware Development
− Infrastructure-as-a-Service (IaaS)
Graphic courtesy of Trend Micro:
https://documents.trendmicro.com/assets/wp/wp-cybercrime-and-the-deep-web.pdf
https://documents.trendmicro.com/assets/wp/wp-cybercrime-in-west-africa.pdf

THE CRIMEWARE ECOSYSTEM
GOODS & SERVICES
. Traffic
− Compromised Site
− Malvertising
− Spam Provider
− Traffic Distribution System (TDS)
. Delivery
− Exploit Kit
− Drive by Download
− Droppers/Clickbait
. Malware/Payloads
− Ransomware
− Info-stealer
− Miner
− Remote Access Trojan (RAT)
− Exploit Development
. Infrastructure
− Bulletproof Hosting
− Shadow Domains
− Botnets
. Hacking
− Denial of Service
− Credential Harvesting
− Reconnaissance
− Bug Hunting

THE CRIMEWARE ECOSYSTEM
HOW IT WORKS TOGETHER
[Diagram: the ecosystem loop, with its labelled segments]
INFRASTRUCTURE: Botnets, Domain Shadowing, Bulletproof Hosting
HACKING-as-a-SERVICE: Reconnaissance, Bug Hunting, Denial/Destruct
TRAFFIC: Malvertising, Compromised Sites, Traffic Distribution System (TDS), Clickbait
DELIVERY of EXPLOIT: Exploit Kits, Drive-by Download
PAYLOADS: Ransomware, Info-Stealer, Miner, RAT
SUSTAINABILITY: Credentials, Cash Money, New Bots

THE CRIMEWARE ECOSYSTEM
HOW IT WORKS TOGETHER – CRIMINAL VIEW
[Diagram: the same loop, annotated from the criminal’s side]
Segments: INFRASTRUCTURE, TRAFFIC, DELIVERY, PAYLOADS, HACKING-as-a-SERVICE, SUSTAINABILITY
Callouts:
− Traffic intersects operational infrastructure
− Exploits target vulnerable client devices
− Legitimate traffic is herded into designed bottlenecks
− Bad stuff lands on the victim machine
− Successful payloads and hacking services provide sustainability

THE CRIMEWARE ECOSYSTEM
HOW IT WORKS TOGETHER – VICTIM VIEW (AKA MY GRANDMA)
[Diagram: the same loop, annotated from the victim’s side]
Segments: INFRASTRUCTURE, TRAFFIC, DELIVERY, PAYLOADS, HACKING-as-a-SERVICE, SUSTAINABILITY
Callouts:
− A friendly BOTNET delivers… *DING* ‘you have mail!’
− “Oooh, pictures of my grandkids!” *CLICK* (or facepalm)
− Grandma’s email address is harvested or purchased from a list service
− Panicked phone call: “Kevin, my computer just all locked up…”
− Kevin re-images her machine…

CRIMEWARE TRENDS
REALLY … BUT WHY ARE TRENDS IMPORTANT?
Hello all!!! Today we opened our service, into which we invested a lot of time and effort. Right now, we have bruteforced RDP-servers for sale at very low prices, as well as SOCKS. Soon, we’ll be offering SSH-tunnels, VPN, and Shells for sale. We hope you will like us, and that you will find everything you are looking for!!!! We will always be happy to listen to your suggestions regarding the functionality and design of the service, as well as suggestions for improvements, etc. Write using our ticket system…
P.S. Before using our service we strongly recommend that you familiarize yourself with our rules and pricing. Just like in the real world, ignorance of the law does not absolve you of responsibility, same here, not knowing our rules does not excuse you from responsibility if you break them.
Source: “Ultimate Anonymity Services” Shop Offers Cybercriminals International RDPs: https://www.flashpoint-intel.com/blog/uas-shop-international-rdp-servers/

CRIMEWARE TRENDS
THE DECLINE OF EXPLOIT KITS
. Shadowfall, a joint RSA and GoDaddy takedown
− Disrupts more than 40,000 active shadow domains supporting RIG Exploit Kit (EK) and other malicious campaigns
. Decline in Exploit Kits?
− Perceived shift away from compromised sites as a traffic source for EK delivery due to increased scarcity of necessary credentials
− Industry research support*
. Impact
− Malspam takes over primary delivery
− Malvertising becomes primary traffer
MARKET FORCES AT WORK?
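The Shadowfall takedown above turned on one observable: thousands of throw-away subdomains appearing under legitimate registered domains and resolving to hosts the domain owner never set up. The Python below is an added example, not RSA’s, GoDaddy’s or the deck’s own code, of how a defender can hunt for that pattern in passive DNS data. The records are constructed, the thresholds are assumed tuning values, and the two-label `registered_domain` shortcut is a simplification that stands in for a Public Suffix List lookup.

```python
"""Heuristic detection of domain shadowing in passive DNS data.

Added example (not code from the deck or the Shadowfall effort).
Flags registered domains that gain a burst of new subdomains inside a
short window, most of which resolve somewhere other than the apex/www
hosts. Records, thresholds and the registered-domain rule are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS observations: (fqdn, resolved IP, first seen).
# Documentation/TEST-NET addresses only.
RECORDS = [
    ("corp-example.com",          "198.51.100.10", datetime(2017, 3, 1, 9, 0)),
    ("www.corp-example.com",      "198.51.100.10", datetime(2017, 3, 1, 9, 0)),
    ("mail.corp-example.com",     "198.51.100.11", datetime(2017, 4, 12, 8, 30)),
    ("vpn.corp-example.com",      "198.51.100.12", datetime(2017, 6, 2, 14, 0)),
    ("shadowed-example.net",      "198.51.100.40", datetime(2016, 11, 5, 0, 0)),
    ("www.shadowed-example.net",  "198.51.100.40", datetime(2016, 11, 5, 0, 0)),
    ("xk3r.shadowed-example.net", "203.0.113.21",  datetime(2017, 5, 20, 2, 0)),
    ("q9zt.shadowed-example.net", "203.0.113.21",  datetime(2017, 5, 20, 2, 5)),
    ("b7wm.shadowed-example.net", "203.0.113.22",  datetime(2017, 5, 20, 2, 9)),
    ("ln2p.shadowed-example.net", "203.0.113.22",  datetime(2017, 5, 20, 3, 40)),
    ("vv8c.shadowed-example.net", "203.0.113.23",  datetime(2017, 5, 20, 4, 1)),
    ("d0hs.shadowed-example.net", "203.0.113.23",  datetime(2017, 5, 20, 5, 15)),
]


def registered_domain(fqdn):
    """Assumption: registered domain = last two labels. Production code
    should consult the Public Suffix List (co.uk and friends break this)."""
    return ".".join(fqdn.rstrip(".").lower().split(".")[-2:])


def find_shadowed(records, window_hours=24, min_hosts=5, min_off_apex=0.8):
    """Return {registered_domain: details} for every domain whose largest
    window_hours burst contains >= min_hosts new subdomains, of which at
    least min_off_apex resolve away from the apex/www addresses."""
    apex_ips = defaultdict(set)   # registered domain -> IPs of apex and www
    subs = defaultdict(list)      # registered domain -> [(first_seen, fqdn, ip)]
    for fqdn, ip, first_seen in records:
        apex = registered_domain(fqdn)
        if fqdn in (apex, "www." + apex):
            apex_ips[apex].add(ip)
        else:
            subs[apex].append((first_seen, fqdn, ip))

    window = timedelta(hours=window_hours)
    findings = {}
    for apex, events in subs.items():
        events.sort()
        best, start = [], 0
        for end in range(len(events)):
            # slide the window start forward until the span fits window_hours
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]
        if len(best) < min_hosts:
            continue
        off_apex = [f for _, f, ip in best if ip not in apex_ips[apex]]
        ratio = len(off_apex) / len(best)
        if ratio >= min_off_apex:
            findings[apex] = {
                "new_hosts": len(best),
                "off_apex_ratio": round(ratio, 2),
                "hosting_ips": sorted({ip for _, _, ip in best}),
                "examples": [f for _, f, _ in best[:3]],
            }
    return findings


if __name__ == "__main__":
    for apex, info in find_shadowed(RECORDS).items():
        print(apex, info)
```

Legitimate infrastructure growth (the `corp-example.com` records) adds a handful of hosts over months on the owner’s own address space, so it never crosses the threshold; the shadowed domain gains six random-looking hosts in three hours, all pointing into a different netblock.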
* Decline in RIG Exploit Kit: https://researchcenter.paloaltonetworks.com/2017/06/unit42-decline-rig-exploit-kit/
* Fluctuation in the Exploit Kit Market – Temporary Blip or Long-term Trend?: https://www.digitalshadows.com/blog-and-research/fluctuation-in-the-exploit-kit-market-temporary-blip-or-long-term-trend/

THE CRIMEWARE ECOSYSTEM
RIG EXPLOIT KIT
[Diagram: the RIG ecosystem mapped onto the loop]
INFRASTRUCTURE: Domain Shadowing, Bulletproof Hosting
TRAFFIC: Malvertising, Compromised Sites, Traffic Distribution System (TDS)
DELIVERY: Exploit Kit
PAYLOADS: RAMNIT, Ransomware, Crypto Currency Miners, CHTHONIC Banking Trojan
SUSTAINABILITY: Credentials, Cash Money

CRIMEWARE TRENDS
2017 SUMMER OF MALSPAM
From Jun-Sep 2017, RSA FirstWatch saw the increased use of Malspam as a delivery vector.
. Crimeware and Targeted families and exploits observed:
− JACKSBOT
− MOONWIND
− CVE-2017-8759
− COBALT STRIKE
− XMRIG (Miner)
− CVE-2017-0262
− ZBOT
− DIMNIE
− CVE-2017-0199
− CHTHONIC/DIMNIE
− NANOBOT
− XTREME
− HANCITOR/PONY
− MONSOON
− LOCKY
− TRICKBOT
− GLOBEIMPOSTER
− BEBLOH
− CERBER
− TRICKBOT
− AGENTTESLA
− HAWKEYE
− EMOTET
− LOCKY
− LOKIBOT
− ZYKLON
− CERBER
− DRIDEX
Graphic courtesy of @james_inthe_box

THE CRIMEWARE ECOSYSTEM
CUSTOMER SERVICE!
Thanks CERBER… so thoughtful ;)

LOCKY AND CERBER
[Diagram: Locky and Cerber mapped onto the loop]
INFRASTRUCTURE: Botnets, Bulletproof Hosting
TRAFFIC: Malspam, Malvertising
DELIVERY: Drive-by Download
PAYLOADS: LOCKY Ransomware, CERBER Ransomware
SUSTAINABILITY: Credentials, Cash Money
Ransomware remains a RELIABLE REVENUE STREAM
Backup routinely & use DMARC people!

CRIMEWARE TRENDS
THE DESTABILIZATION OF UKRAINE … BULLETPROOF HOSTING?
Hey, they’re not enforcing many laws… let’s host our Crimeware campaign over here!?
Graphic courtesy of Wikipedia

CRIMEWARE TRENDS
CREDENTIAL & INFRASTRUCTURE HARVESTING
. Continued trend for heightened rate of scanning and brute force attacks
. One of many conveniently available and botnet enabled hacking services
Indicative of increased DEMAND for scarce goods?
SSH attacks are on the rise! (HACKING-as-a-SERVICE)
Why is port 22 open???
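If port 22 has to stay open, the next question is whether anyone is already hammering it. The Python below is an added example, not part of the deck, that scores OpenSSH `Failed password` lines per source address over a sliding window and records whether a failure burst was followed by a successful login from the same address. The log lines, hostname and addresses are constructed, and the threshold and window are assumed tuning values.

```python
"""Flag SSH brute-force sources from sshd auth log lines.

Added example (not from the deck). Parses OpenSSH syslog output, counts
failed logins per source IP inside a sliding time window and notes a
later successful login from the same source. Sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

FAILED = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sshd log excerpt (TEST-NET addresses only).
SAMPLE_LOG = """\
Sep 21 10:00:01 bastion sshd[2011]: Failed password for root from 203.0.113.7 port 41022 ssh2
Sep 21 10:00:04 bastion sshd[2013]: Failed password for root from 203.0.113.7 port 41030 ssh2
Sep 21 10:00:07 bastion sshd[2015]: Failed password for invalid user oracle from 203.0.113.7 port 41041 ssh2
Sep 21 10:00:09 bastion sshd[2017]: Failed password for invalid user admin from 203.0.113.7 port 41052 ssh2
Sep 21 10:00:12 bastion sshd[2019]: Failed password for admin from 203.0.113.7 port 41060 ssh2
Sep 21 10:00:15 bastion sshd[2021]: Failed password for admin from 203.0.113.7 port 41068 ssh2
Sep 21 10:02:40 bastion sshd[2040]: Accepted password for admin from 203.0.113.7 port 41110 ssh2
Sep 21 10:05:00 bastion sshd[2101]: Failed password for alice from 198.51.100.5 port 50211 ssh2
Sep 21 10:05:06 bastion sshd[2103]: Accepted publickey for alice from 198.51.100.5 port 50214 ssh2
Sep 21 10:10:00 bastion sshd[2201]: Failed password for root from 192.0.2.9 port 33001 ssh2
Sep 21 10:13:00 bastion sshd[2203]: Failed password for root from 192.0.2.9 port 33002 ssh2
Sep 21 10:16:00 bastion sshd[2205]: Failed password for root from 192.0.2.9 port 33003 ssh2
Sep 21 10:19:00 bastion sshd[2207]: Failed password for root from 192.0.2.9 port 33004 ssh2
Sep 21 10:22:00 bastion sshd[2209]: Failed password for root from 192.0.2.9 port 33005 ssh2
""".splitlines()


def parse_ts(ts, year=2017):
    """syslog timestamps carry no year; one is assumed so events can be ordered."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: {"failures", "users", "later_success"}} for every source
    whose densest window_seconds span holds >= threshold failed logins."""
    fails = defaultdict(list)      # ip -> [(time, user)]
    successes = defaultdict(list)  # ip -> [(time, user)]
    for line in lines:
        m = FAILED.match(line)
        if m:
            fails[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
            continue
        m = ACCEPTED.match(line)
        if m:
            successes[m["ip"]].append((parse_ts(m["ts"]), m["user"]))

    findings = {}
    for ip, events in fails.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            first_fail = events[0][0]
            findings[ip] = {
                "failures": len(events),
                "users": sorted({u for _, u in events}),
                # a success after the burst is the case worth paging on
                "later_success": any(t >= first_fail for t, _ in successes.get(ip, [])),
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The 60-second default catches the fast password spray from `203.0.113.7` (and shows it ended in an accepted login), while the slow source at `192.0.2.9` only shows up once the window is widened; that trade-off between window size and noise is the one a detection engineer tunes.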
Chart credit: @bad_packets

THE CRIMEWARE ECOSYSTEM
TRICKBOT AND HANCITOR
Also indicative of increased DEMAND for scarce goods?
[Diagram: Trickbot and Hancitor mapped onto the loop]
INFRASTRUCTURE: Botnets, Bulletproof Hosting
TRAFFIC: Malspam, Clickbait
PAYLOADS: TRICKBOT Banking Trojan, HANCITOR Info-stealers
SUSTAINABILITY: Credentials
Weird, that PNG file is really an EXE…
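The “PNG file that is really an EXE” callout above is something a mail gateway or endpoint script can check mechanically: compare what the extension claims with what the first bytes say. The Python below is an added example, not code from the deck, that recognises a Windows PE header behind an image extension and also catches the double-extension trick (`grandkids.png.exe`). The sample files are constructed byte strings; the minimal PE stub is a header only, not an executable.

```python
"""Catch files whose extension says "image" but whose bytes say "PE executable".

Added example (not code from the deck). The sample files are constructed
byte strings: a bare DOS/PE header, a PNG signature, a GIF signature.
"""
import os

IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".sys"}


def is_pe(data):
    """True if data starts with a DOS 'MZ' stub whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature, i.e. a Windows PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(filename, data):
    """Return 'ok', 'executable', 'unchecked extension' or a 'mismatch: ...' reason."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()
    if is_pe(data):
        if ext not in EXEC_EXTENSIONS:
            return f"mismatch: PE executable named as {ext or 'no extension'}"
        if inner_ext in IMAGE_MAGIC:
            # photo.png.exe: the image extension is bait, the real one is .exe
            return f"mismatch: double extension {inner_ext}{ext} hides an executable"
        return "executable"
    expected = IMAGE_MAGIC.get(ext)
    if expected is None:
        return "unchecked extension"
    return "ok" if data.startswith(expected) else f"mismatch: content is not {ext}"


def scan(files):
    """files: {name: bytes}. Return sorted names whose content contradicts the name."""
    return sorted(n for n, d in files.items() if classify(n, d).startswith("mismatch"))


# Constructed samples. FAKE_PE is only a header: 'MZ', zero padding up to
# e_lfanew at 0x3C, which points at 0x40 where 'PE\0\0' sits.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20
SAMPLES = {
    "grandkids.png": FAKE_PE,                          # the slide's case
    "grandkids.png.exe": FAKE_PE,                      # double extension
    "holiday.png": IMAGE_MAGIC[".png"] + b"\x00" * 16,  # genuine PNG header
    "setup.exe": FAKE_PE,                              # honest executable
    "photo.jpg": b"GIF89a" + b"\x00" * 16,             # wrong image type
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:20} {classify(name, data)}")
```

The PE check deliberately follows the `e_lfanew` pointer rather than trusting `MZ` alone, because plain DOS stubs and some installers start with `MZ` without being PE images.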
HEY, THANKS FOR THE BANK ACCOUNT INFORMATION!

CRIMEWARE TRENDS
BOTNETS
. Current Threats
− NECURS
• Mixed personal computers, servers, other devices…
− MIRAI/PERSAI
• Internet of Things (IoT) devices
− REAPER
• IoT devices
− SCHOOLBELL
• Schools, Libraries, and more
. Just who controls these capabilities?
. How are they being weaponized?
− Malspam (e.g., Locky)
− Malvertising (e.g., Methbot)
− Hacking services (e.g., DDoS)
− Operational Relay Botnet (ORB)

CRIMEWARE TRENDS
THE DDOS THREAT
INFRASTRUCTURE INVESTMENT: DDoS now comes with pulse wave attacks to increase your attack surface!!
. Distributed Denial of Service (DDoS)
. DDoS Extortion
DDoS Protection & Fallback Comms Plan
Arbor Networks 12th Worldwide Infrastructure Security Report: https://pages.arbornetworks.com/rs/082-KNA-087/images/12th_Worldwide_Infrastructure_Security_Report.pdf
Help Net Security: https://www.helpnetsecurity.com/2017/09/25/large-ddos-attacks/

CRIMEWARE TRENDS
RISE OF THE MINERS
. The idea of a mathematically secure chain of blocks began in 1991 and was first conceptualized as digital currency in 1998 as ‘Bit Gold’. Bitcoin was the first decentralized digital currency and was implemented in 2009.
. Blockchain - a chronological series of transactions/records that reference previous blocks to create an immutable and distributed digital ledger.
. RSA FirstWatch tracks actors’ use of Monero mining and drive-by-mining via coin-hive

THE CRIMEWARE ECOSYSTEM
TERROR EXPLOIT KIT
NEW REVENUE STREAM: Mining malware and Drive-by-mining represent CAPITAL innovation by threat actors
[Diagram: Terror EK mapped onto the loop]
INFRASTRUCTURE: Domain Shadowing, Bulletproof Hosting
TRAFFIC: Malvertising, Traffic Distribution System (TDS)
DELIVERY: TERROR Exploit Kit
PAYLOADS: Ransomware, Coinminer
SUSTAINABILITY: Cash Money
Threat Intelligence & Domain Reputation Services

CRIMEWARE TRENDS
PREVALENCE OF SSL AND CODE-SIGNING CERTS
. This trend speaks to the growing complexity of not just advanced persistent threat (APT) but also crimeware actors, and directly adds to the mounting challenges faced by defenders, who now increasingly encounter signed malware and encrypted malicious traffic.
What can you do?
• Certificate whitelisting/blacklisting
• Care about SSL cert metadata
• Know what’s in your root store!
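The three items above (certificate allow/deny lists, certificate metadata, the contents of the root store) fit into one local policy check. The Python below is an added example, not the deck’s own tooling: it evaluates a certificate in the dict shape that `ssl.SSLSocket.getpeercert()` returns, so the same function applies to a live TLS peer, and it lists the subjects in the default root store so they can be reviewed. The two certificates, the allow/deny lists and the lifetime limits are constructed or assumed values.

```python
"""Apply a local allow/deny policy to certificate metadata.

Added example (not code from the deck). Certificates are handled in the
dict shape returned by ssl.SSLSocket.getpeercert(); the two samples are
constructed and the policy values are assumptions.
"""
import ssl
from datetime import datetime, timezone


def _common_name(name):
    """Pull commonName out of getpeercert()'s nested tuple of RDNs."""
    for rdn in name:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def _utc(cert_time):
    # ssl.cert_time_to_seconds parses the "Sep 21 00:00:00 2017 GMT" form
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def evaluate(cert, now, issuer_allow, serial_deny, max_days=398, min_days=7):
    """Return a list of policy findings; an empty list means the cert passes."""
    findings = []
    subject = _common_name(cert.get("subject", ()))
    issuer = _common_name(cert.get("issuer", ()))
    serial = cert.get("serialNumber", "").upper()
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])

    if serial in serial_deny:                      # explicit blacklist
        findings.append(f"serial {serial} is on the deny list")
    if issuer not in issuer_allow:                 # explicit whitelist of issuers
        findings.append(f"issuer '{issuer}' is not on the allow list")
    if subject == issuer:                          # metadata: self-signed
        findings.append("self-signed (subject equals issuer)")
    if now < not_before:
        findings.append("not yet valid")
    if now > not_after:
        findings.append("expired")
    lifetime = (not_after - not_before).days       # metadata: odd lifetimes
    if lifetime > max_days:
        findings.append(f"lifetime {lifetime} days exceeds {max_days}")
    if lifetime < min_days:
        findings.append(f"lifetime {lifetime} days is suspiciously short")
    return findings


def root_store_subjects():
    """commonName of every CA the default SSL context trusts on this host."""
    ctx = ssl.create_default_context()
    return sorted(_common_name(c["subject"]) for c in ctx.get_ca_certs())


# Constructed samples in getpeercert() shape.
GOOD_CERT = {
    "subject": ((("commonName", "update.example.com"),),),
    "issuer": ((("commonName", "Example Trust Issuing CA"),),),
    "serialNumber": "0A1B2C3D",
    "notBefore": "Jan 10 00:00:00 2017 GMT",
    "notAfter": "Jan 09 23:59:59 2018 GMT",
}
SUSPECT_CERT = {
    "subject": ((("commonName", "Example Trust Issuing CA"),),),  # borrows the CA's name
    "issuer": ((("commonName", "Example Trust Issuing CA"),),),
    "serialNumber": "DEADBEEF",
    "notBefore": "Sep 20 00:00:00 2017 GMT",
    "notAfter": "Sep 22 00:00:00 2017 GMT",
}
POLICY = {"issuer_allow": {"Example Trust Issuing CA"}, "serial_deny": {"DEADBEEF"}}
NOW = datetime(2017, 10, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, cert in (("good", GOOD_CERT), ("suspect", SUSPECT_CERT)):
        print(name, evaluate(cert, NOW, **POLICY) or ["pass"])
    print("trusted roots:", len(root_store_subjects()))
```

`root_store_subjects()` is there for the “know what’s in your root store” point: its output depends on the host, which is exactly why it is worth diffing against a known-good baseline.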
‘Borrowing Microsoft Code Signing Certificates’: https://blog.conscioushacker.io/index.php/2017/09/27/borrowing-microsoft-code-signing-certificates/
‘Subverting Trust in Windows – A Case Study of the “How” and “Why” of Engaging in Security Research’: https://pages.arbornetworks.com/rs/082-KNA-087/images/12th_Worldwide_Infrastructure_Security_Report.pdf

CRIMEWARE TRENDS
MOVING FORWARD
1 MALVERTISING AND MALSPAM REMAIN PRIMARY DELIVERY VECTORS
2 ‘DARKNET’ ISN’T GOING AWAY & EMPHASIS ON CREDENTIAL HARVESTING PERSISTS
3 RANSOMWARE & CRYPTO-CURRENCY ARE IMPORTANT REVENUE STREAMS
4 BOTNET CAPABILITIES AND BULLETPROOF HOSTING PROVIDERS INCREASE
5 INCREASED ADOPTION OF ENCRYPTION WILL BRING MORE COMPLEXITY TO DEFENDING NETWORKS
@RSASecurity
THANK YOU