TRENDING THE CRIMEWARE ECOSYSTEM

Kevin Stear, Threat Analysis Lead, RSA FirstWatch (@w1mp1)

THE ABSTRACT

Capitalism and open market forces currently drive the evolution of today’s Crimeware environment, where a close-knit ecosystem of goods and services is thriving based on demand from ongoing malicious campaigns.

THE CRIMEWARE ECOSYSTEM

UNDERGROUND FORUMS AND EXCHANGES

. Underground forums currently occupy several regional network and market segments
. Emerging W. Africa marketplace
  − Real Nigerians?
. Forums act as key exchanges for Crimeware goods and services
  − Traffic/Delivery
  − Hacking-as-a-Service (HaaS)
  − Development
  − Infrastructure-as-a-Service (IaaS)

Graphic courtesy of Trend Micro:
https://documents.trendmicro.com/assets/wp/wp-cybercrime-and-the-deep-web.pdf
https://documents.trendmicro.com/assets/wp/wp-cybercrime-in-west-africa.pdf

GOODS & SERVICES

. Traffic
  − Compromised Site
  − Malvertising
  − Spam Provider
  − Traffic Distribution System (TDS)
. Delivery
  − Exploit Kit
  − Drive-by Download
  − Droppers/Clickbait
. Hacking
  − Denial of Service
  − Credential Harvesting
  − Reconnaissance
  − Bug Hunting
. Malware/Payloads
  − Info-stealer
  − Miner
  − Remote Access Trojan (RAT)
  − Exploit Development
. Infrastructure
  − Bulletproof Hosting
  − Shadow Domains

HOW IT WORKS TOGETHER

[Diagram: the ecosystem as a flow]
INFRASTRUCTURE: Botnets, Domain Shadowing, Bulletproof Hosting
HACKING-as-a-SERVICE: Reconnaissance, Bug Hunting, Denial/Destruct
TRAFFIC: Malvertising, Compromised Sites, Traffic Distribution System (TDS), Clickbait
DELIVERY of EXPLOIT: Exploit Kits, Drive-by Download
PAYLOADS: Ransomware, Info-Stealer, Miner, RAT
SUSTAINABILITY: Credentials, Cash Money, New Bots

HOW IT WORKS TOGETHER – CRIMINAL VIEW

[Diagram stages: INFRASTRUCTURE, TRAFFIC, DELIVERY, PAYLOADS, HACKING-as-a-SERVICE, SUSTAINABILITY]

. Traffic intersects operational infrastructure
. Legitimate traffic is herded into designed bottlenecks
. Exploits target vulnerable client devices
. Bad stuff lands on the victim machine
. Successful payloads and hacking services provide sustainability

HOW IT WORKS TOGETHER – VICTIM VIEW (AKA MY GRANDMA)

[Diagram stages: INFRASTRUCTURE, TRAFFIC, DELIVERY, PAYLOADS, HACKING-as-a-SERVICE, SUSTAINABILITY]

. Grandma’s email address is harvested or purchased from a list service
. A friendly delivers… *DING* ‘you have mail!’
. “Oooh, pictures of my grandkids!” *CLICK* (or facepalm)
. Panicked phone call: “Kevin, my computer just all locked up…”
. Kevin re-images her machine…

CRIMEWARE TRENDS

REALLY … BUT WHY ARE TRENDS IMPORTANT?

Hello all!!! Today we opened our service, into which we invested a lot of time and effort. Right now, we have bruteforced RDP-servers for sale at very low prices, as well as SOCKS. Soon, we’ll be offering SSH-tunnels, VPN, and Shells for sale. We hope you will like us, and that you will find everything you are looking for!!!! We will always be happy to listen to your suggestions regarding the functionality and design of the service, as well as suggestions for improvements, etc. Write using our ticket system…

P.S. Before using our service we strongly recommend that you familiarize yourself with our rules and pricing. Just like in the real world, ignorance of the law does not absolve you of responsibility, same here, not knowing our rules does not excuse you from responsibility if you break them.

“Ultimate Anonymity Services” Shop Offers Cybercriminals International RDPs:
https://www.flashpoint-intel.com/blog/uas-shop-international-rdp-servers/

THE DECLINE OF EXPLOIT KITS

. Shadowfall, a joint RSA and GoDaddy takedown
  − Disrupts more than 40,000 active shadow domains supporting RIG Exploit Kit (EK) and other malicious campaigns
. Decline in Exploit Kits?
  − Perceived shift away from compromised sites as a traffic source for EK delivery, due to increased scarcity of the credentials needed to compromise them
  − Industry research support*
. Impact
  − Malspam takes over as the primary delivery vector
  − Malvertising becomes the primary traffer

MARKET FORCES AT WORK?

* Decline in RIG Exploit Kit: https://researchcenter.paloaltonetworks.com/2017/06/unit42-decline-rig-exploit-kit/
  Fluctuation in the Exploit Kit Market – Temporary Blip or Long-term Trend?: https://www.digitalshadows.com/blog-and-research/fluctuation-in-the-exploit-kit-market-temporary-blip-or-long-term-trend/

THE CRIMEWARE ECOSYSTEM

RIG EXPLOIT KIT

[Diagram]
Infrastructure: Domain Shadowing, Bulletproof Hosting
Traffic/Delivery: Malvertising, Compromised Sites, Traffic Distribution System (TDS), Exploit Kit
Payloads: RAMNIT, CHTHONIC Banking Trojan, Ransomware, Crypto Currency Miners
Sustainability: Credentials, Cash Money

CRIMEWARE TRENDS

2017 SUMMER OF MALSPAM

From Jun–Sep 2017, RSA FirstWatch saw the increased use of Malspam as a delivery vector.

[Graphic: malspam payloads by week, split into “Crimeware” and “Targeted” columns; the column layout was lost in extraction. Families and exploited vulnerabilities named: JACKSBOT, MOONWIND, CVE-2017-8759, COBALT STRIKE, XMRIG (Miner), CVE-2017-0262, ZBOT, DIMNIE, CVE-2017-0199, CHTHONIC/DIMNIE, NANOBOT, XTREME, HANCITOR/PONY, MONSOON, LOCKY, TRICKBOT, GLOBEIMPOSTER, BEBLOH, CERBER, AGENTTESLA, HAWKEYE, LOKIBOT, ZYKLON, DRIDEX]

Graphic courtesy of @james_inthe_box

THE CRIMEWARE ECOSYSTEM

LOCKY AND CERBER

CUSTOMER SERVICE! Thanks CERBER… so thoughtful ;)

[Diagram]
Infrastructure: Botnets, Bulletproof Hosting
Delivery: Malspam, Drive-by Download, Malvertising
Payloads: LOCKY Ransomware, CERBER Ransomware
Sustainability: Credentials, Cash Money

Ransomware remains a RELIABLE REVENUE STREAM
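Malspam is the delivery vector in this diagram, and the deck’s own defensive answer is DMARC. As an added example (not from the deck or RSA FirstWatch), the checker below parses a DMARC TXT record and flags the settings that leave a domain spoofable: a monitoring-only policy, a partial percentage, no aggregate reporting address, or a subdomain policy weaker than the parent. The two records and the example.com domain are constructed inputs.

```python
"""
DMARC policy checker (added example; not part of the RSA FirstWatch deck).

Malspam campaigns such as the ones delivering Locky and Cerber forge the
From: header. DMARC lets a domain owner tell receivers to quarantine or
reject mail that fails SPF/DKIM alignment. This script parses a DMARC TXT
record (RFC 7489 tag=value syntax) and reports settings that leave the
domain unprotected. Both records below are constructed sample inputs.
"""

# Constructed sample records (placeholder domain).
WEAK_RECORD = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com")

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; keys lower-cased, values stripped."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Return (severity, message) findings; an empty list means the record enforces."""
    findings = []
    tags = parse_dmarc(record)
    if record.split(";", 1)[0].strip().lower() != "v=dmarc1":
        findings.append(("high", "record must start with v=DMARC1"))
    policy = tags.get("p")
    if policy is None:
        findings.append(("high", "missing required p= tag"))
    elif policy not in POLICY_RANK:
        findings.append(("high", f"unknown policy {policy!r}"))
    elif POLICY_RANK[policy] < POLICY_RANK["reject"]:
        findings.append(("high", f"p={policy} does not block spoofed mail (use p=reject)"))
    sub = tags.get("sp")
    if (sub in POLICY_RANK and policy in POLICY_RANK
            and POLICY_RANK[sub] < POLICY_RANK[policy]):
        findings.append(("high", f"sp={sub} is weaker than p={policy}: subdomains can be spoofed"))
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(("medium", f"pct={pct}: only a fraction of failing mail is policed"))
    if "rua" not in tags:
        findings.append(("medium", "no rua= address: you will not see who is spoofing you"))
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":   # relaxed is the default when the tag is absent
            findings.append(("low", f"{tag} is relaxed; consider {tag}=s if no subdomain sends as you"))
    return findings


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, rec)
        for severity, msg in audit_dmarc(rec):
            print(f"  [{severity}] {msg}")
```

Run it against a real record by pulling the TXT record at `_dmarc.<yourdomain>` and passing the string to `audit_dmarc`; the strong record produces no findings, the weak one four.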

Backup routinely & use DMARC, people!

CRIMEWARE TRENDS

THE DESTABILIZATION OF UKRAINE … BULLETPROOF HOSTING?

Hey, they’re not enforcing many laws… let’s host our Crimeware campaign over here!?

Graphic courtesy of Wikipedia

CREDENTIAL & INFRASTRUCTURE HARVESTING

. Continued trend of heightened rates of scanning and brute force attacks
. One of many conveniently available, botnet-enabled hacking services

Indicative of increased DEMAND for scarce goods?

SSH attacks are on the rise! (HACKING-as-a-SERVICE)

Why is port 22 open???
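The chart behind “SSH attacks are on the rise” is the view from the scanner’s side; the defender’s view is sshd’s log. The following detector is an added example (not from the deck or @bad_packets): it reads syslog-style sshd lines, counts failed logins per source inside a sliding window, and separately flags a successful login from a source that was just brute-forcing, which is the event that turns noise into a compromised host. The log lines are constructed and use RFC 5737 documentation addresses.

```python
"""
SSH brute-force detector over sshd log lines (added example; not from the
deck). Counts failed logins per source inside a sliding window and flags a
success from a source already flagged as brute-forcing. Log lines below are
constructed; the addresses are RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Oct  3 14:22:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Oct  3 14:22:03 bastion sshd[2103]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Oct  3 14:22:04 bastion sshd[2105]: Failed password for root from 203.0.113.45 port 51024 ssh2
Oct  3 14:22:06 bastion sshd[2107]: Failed password for root from 203.0.113.45 port 51025 ssh2
Oct  3 14:22:07 bastion sshd[2109]: Failed password for invalid user oracle from 203.0.113.45 port 51026 ssh2
Oct  3 14:22:09 bastion sshd[2111]: Accepted password for root from 203.0.113.45 port 51027 ssh2
Oct  3 14:25:40 bastion sshd[2130]: Failed password for alice from 198.51.100.7 port 40011 ssh2
Oct  3 14:25:58 bastion sshd[2132]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
Oct  3 15:10:00 bastion sshd[2200]: Failed password for root from 192.0.2.9 port 60000 ssh2
Oct  3 15:30:00 bastion sshd[2202]: Failed password for root from 192.0.2.9 port 60001 ssh2
Oct  3 15:50:00 bastion sshd[2204]: Failed password for root from 192.0.2.9 port 60002 ssh2
Oct  3 16:10:00 bastion sshd[2206]: Failed password for root from 192.0.2.9 port 60003 ssh2
Oct  3 16:30:00 bastion sshd[2208]: Failed password for root from 192.0.2.9 port 60004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


def parse_line(line, year=2017):
    """Return (timestamp, outcome, user, src), or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """
    Sliding-window detector. Returns alerts keyed by source address:
      'bruteforce' - number of failures inside `window` when the threshold was hit
      'compromise' - user name of an Accepted login from a source already flagged
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, user, src = parsed
        q = recent[src]
        while q and ts - q[0] > window:   # expire failures that fell out of the window
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
            if len(q) >= threshold:
                alerts.setdefault(src, {})["bruteforce"] = len(q)
        elif src in alerts:                # success right after a spray: treat as compromise
            alerts[src]["compromise"] = user
    return alerts


if __name__ == "__main__":
    for src, detail in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(src, detail)
```

In the sample, 203.0.113.45 fires both alerts (five failures in six seconds, then an accepted root password), 198.51.100.7 is a user who mistyped once, and 192.0.2.9 never trips the threshold because its five failures are twenty minutes apart, which is exactly the low-and-slow pattern a botnet-distributed service can use; tune `window` and `threshold` to your own baseline, and on the prevention side move management SSH off the public interface or behind key-only auth so the question “why is port 22 open?” does not arise.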

Chart credit: @bad_packets

THE CRIMEWARE ECOSYSTEM

TRICKBOT AND HANCITOR

Also indicative of increased DEMAND for scarce goods?

[Diagram]
Infrastructure: Botnets, Bulletproof Hosting
Delivery: Malspam, Clickbait
Payloads: TRICKBOT Banking Trojan, HANCITOR, Info-stealers
Sustainability: Credentials

Weird, that PNG file is really an EXE…
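“That PNG file is really an EXE” is the whole trick: the lure relies on the user trusting the name. File type is decided by the leading bytes, not the extension, so a gateway or endpoint rule can compare the two. The checker below is an added example (not from the deck): it sniffs content by magic bytes, follows the MZ header’s e_lfanew pointer to confirm a PE signature, and reports an extension/content mismatch or a double extension. The sample “attachments” are constructed in-line; the fake PNG is just a minimal PE header.

```python
"""
Attachment type check: does the content match the claimed extension?
(Added example; not from the RSA FirstWatch deck.) Sniffs the leading
bytes, confirms a PE header via e_lfanew, and compares against the
extension. Sample attachments are constructed below.
"""
import struct

MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),   # also docx/xlsx/jar containers
]
EXT_TO_TYPE = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "pdf": "pdf",
               "zip": "zip", "docx": "zip", "exe": "pe", "dll": "pe", "scr": "pe"}
EXECUTABLE_EXTS = {"exe", "dll", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta"}


def is_pe(data):
    """MZ stub whose e_lfanew field (offset 0x3c) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3c)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff(data):
    """Identify content by magic bytes; 'unknown' when nothing matches."""
    if is_pe(data):
        return "pe"
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def check_attachment(filename, data):
    """Return findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    actual = sniff(data)
    claimed = EXT_TO_TYPE.get(ext)
    if actual == "pe":
        findings.append("content is a Windows executable")
    if claimed and actual != "unknown" and claimed != actual:
        findings.append(f"extension .{ext} claims {claimed} but content is {actual}")
    if len(parts) > 2 and ext in EXECUTABLE_EXTS:
        findings.append(f"double extension hides executable: {filename}")
    return findings


# Constructed samples: a minimal PE header (MZ ... e_lfanew=0x40 ... PE\0\0) and a PNG signature.
FAKE_PNG = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("grandkids.png", FAKE_PNG), ("grandkids.png", REAL_PNG),
                       ("invoice.pdf.exe", FAKE_PNG)):
        print(name, "->", sniff(blob), check_attachment(name, blob))
```

The same comparison is cheap enough to run on every inbound attachment; pair it with a policy that strips or detonates anything where `sniff` says `pe` regardless of what the name claims.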

HEY, THANKS FOR THE BANK ACCOUNT INFORMATION!

CRIMEWARE TRENDS

BOTNETS

. Current Threats
  − NECURS
    • Mixed personal computers, servers, other devices…
  − MIRAI/PERSAI
    • Internet of Things (IoT) devices
  − REAPER
    • IoT devices
  − SCHOOLBELL
    • Schools, libraries, and more

. Just who controls these capabilities?

. How are they being weaponized?
  − Malspam (e.g., Locky)
  − Malvertising (e.g., Methbot)
  − Hacking services (e.g., DDoS)
  − Operational Relay Botnet (ORB)

THE DDOS THREAT

INFRASTRUCTURE INVESTMENT: DDoS now comes with pulse wave attacks to increase your attack surface!!

. Distributed Denial of Service (DDoS)
. DDoS Extortion

DDoS Protection & Fallback Comms Plan

Arbor Networks 12th Worldwide Infrastructure Security Report: https://pages.arbornetworks.com/rs/082-KNA-087/images/12th_Worldwide_Infrastructure_Security_Report.pdf
Help Net Security: https://www.helpnetsecurity.com/2017/09/25/large-ddos-attacks/

RISE OF THE MINERS

. The idea of a mathematically secure chain of blocks began in 1991 and was first conceptualized as digital currency in 1998 as ‘Bit Gold’. Bitcoin was the first decentralized digital currency and was implemented in 2009.

. Blockchain – a chronological series of transactions/records in which each block references the previous one, creating an immutable and distributed digital ledger.
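To make the “references previous blocks” point concrete, here is a minimal hash-chained ledger as an added example (not from the deck): each block’s SHA-256 covers its own record and the previous block’s hash, so altering any record breaks every link after it, and a tiny proof-of-work stands in for the mining effort that the coinminer payloads on the following slides steal CPU for. The records and difficulty are constructed for the example.

```python
"""
Minimal hash-chained ledger with toy proof-of-work (added example; not from
the deck). Shows why a block that references its predecessor's hash makes
the history tamper-evident, and what "mining" means mechanically. Records
and DIFFICULTY are constructed for the example.
"""
import hashlib
import json

DIFFICULTY = 2   # hash must start with this many hex zeros; tiny so it runs instantly


def block_hash(block):
    """SHA-256 over a canonical JSON encoding of every field except the stored hash."""
    body = {k: v for k, v in block.items() if k != "hash"}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def mine_block(index, prev_hash, data):
    """Increment the nonce until the block hash meets the difficulty target."""
    block = {"index": index, "prev_hash": prev_hash, "data": data, "nonce": 0}
    while True:
        h = block_hash(block)
        if h.startswith("0" * DIFFICULTY):
            block["hash"] = h
            return block
        block["nonce"] += 1


def build_chain(records):
    """Genesis block links to an all-zero hash; every later block links to its predecessor."""
    chain = [mine_block(0, "0" * 64, "genesis")]
    for rec in records:
        chain.append(mine_block(len(chain), chain[-1]["hash"], rec))
    return chain


def first_invalid_block(chain):
    """Index of the first block whose hash, proof-of-work or back-link fails; None if intact."""
    for i, block in enumerate(chain):
        if block["index"] != i:
            return i
        if block_hash(block) != block["hash"] or not block["hash"].startswith("0" * DIFFICULTY):
            return i
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return i
    return None


SAMPLE_RECORDS = ["alice pays bob 5", "bob pays carol 2", "carol pays dave 1"]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    print("intact:", first_invalid_block(chain))          # None
    chain[1]["data"] = "alice pays bob 500"
    print("after tamper:", first_invalid_block(chain))    # 1
```

Rewriting a record means redoing the work for that block and every block after it, and in a distributed ledger also out-racing everyone else still extending the honest chain; that cost is what the miner payloads later in this deck are monetising on other people’s hardware.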

. RSA FirstWatch tracks actors’ use of Monero mining and drive-by mining via Coinhive

THE CRIMEWARE ECOSYSTEM

TERROR EXPLOIT KIT

NEW REVENUE STREAM: Mining malware and drive-by mining represent CAPITAL innovation by threat actors

[Diagram]
Infrastructure: Domain Shadowing, Bulletproof Hosting
Traffic/Delivery: Malvertising, TERROR Exploit Kit, Traffic Distribution System (TDS)
Payloads: Ransomware, Coinminer
Sustainability: Cash Money

Threat Intelligence & Domain Reputation Services

CRIMEWARE TRENDS

PREVALENCE OF SSL AND CODE-SIGNING CERTS

. This trend speaks to the growing complexity of not just advanced persistent threat (APT) actors but also crimeware actors, and directly adds to the mounting challenges faced by defenders, who now increasingly encounter signed malware and encrypted malicious traffic.

What can you do?
  • Certificate whitelisting/blacklisting
  • Care about SSL cert metadata
  • Know what’s in your root store!

‘Borrowing Microsoft Code Signing Certificates’: https://blog.conscioushacker.io/index.php/2017/09/27/borrowing-microsoft-code-signing-certificates/
‘Subverting Trust in Windows – A Case Study of the “How” and “Why” of Engaging in Security Research’: https://pages.arbornetworks.com/rs/082-KNA-087/images/12th_Worldwide_Infrastructure_Security_Report.pdf

MOVING FORWARD

1 MALVERTISING AND MALSPAM REMAIN PRIMARY DELIVERY VECTORS
2 ‘DARKNET’ ISN’T GOING AWAY & EMPHASIS ON CREDENTIAL HARVESTING PERSISTS
3 RANSOMWARE & CRYPTO-CURRENCY ARE IMPORTANT REVENUE STREAMS
4 BOTNET CAPABILITIES AND BULLETPROOF HOSTING PROVIDERS INCREASE
5 INCREASED ADOPTION OF WILL BRING MORE COMPLEXITY TO DEFENDING NETWORKS

@RSASecurity

THANK YOU