APRICOT 2015, Fukuoka – APCERT Security Track
Tracking cyber data kidnappers
Dr Andrew Clark, Senior Technical Advisor, CERT Australia
Presentation overview
• About CERT Australia
• Ransomware campaign targeting Australia
  – Characteristics
  – Response
  – Analysis
• Related campaigns
• Conclusion
About CERT Australia
• Provides major Australian businesses with information about cyber threats and support in responding to cyber security incidents
• Focus on systems of national interest, including critical infrastructure
About CERT Australia
• Trusted source of information for partners (over 500 Australian businesses)
• Participant in a global network of national CERTs, including APCERT
CERT Australia services
Publications
• Advisories
• Good practice guides
• Protect products
Proactive activities
• Information exchanges
  – Regional (e.g. major ISPs, technology companies)
  – National
• Training and exercises
  – ICS / domestic training
  – e.g. Cyber Storm
  – Regional exercises
  – Custom exercises
Reactive
• Assistance / support to ACSC agency partners
  – Hotline
  – Onsite assistance
  – CND advice
  – Offsite malware, log and other analysis
Background
• In late 2013, CERT Australia began tracking an international ransomware campaign targeting Australia
• The attack was prolonged
  – persisting throughout 2014 (and into 2015)
  – affected a large range of partners, across all sectors
• The email lures used localised themes
• The infrastructure shifted rapidly to confound detection
Background – targeting*
* Source: “TorrentLocker: Ransomware in a country near you”, M-E.M. Léveillé, December 2014.
The ‘business’ model (a.k.a. TorrentLocker)
1. Send themed spam containing a website link to the victim (official-looking domain names, e.g. aus-post.info)
2. Victim visits the website, downloads the ‘bill’ or ‘viewer’ (malware) and runs it
3. Malware encrypts files (including those on network shares) and asks for a ransom to decrypt them
4. Victim pays the ransom (BitCoins) via a TOR-protected site
5. Victim downloads a decryption program to decrypt the files
Campaign characteristics
• Keep ‘consumers’ (victims) confident
  – Re-used previous campaign branding (CryptoLocker)
  – Won’t pay if they’re not going to get their files back
• Constantly evolving
  – New domains registered almost daily, to keep ahead of takedowns
  – Malware binary changed almost daily, to keep ahead of anti-virus updates
AV resistant for 24-48 hrs
Campaign characteristics
• Constantly evolving (cont.)
  – New infrastructure (IP addresses)
  – Regular theme updates
    • Australia Post (parcel to collect)
    • Energy Australia (electricity bill)
    • Telstra (telephone bill)
    • NSW Government (traffic speeding fine)
    • Various other international flavours
Example phishing sites (one per slide, with related domains)
postaut.com/
energy-objective.com/ – also: energy-australia.org, energyaaa.com, energyai.net, energymar.com
telstraa.biz/ – also: telstra-info.com, teltsra.net, tesltra.org, tesltraa.org
details-nsw1-gov.net/ – also: nsw-gov.net, osr-nsw-gov.net, state-nsw-gov.com, penalty-nsw-gov.org
csposta24.org/ (Czech Post) – also: cs-post24.org, cz-posta.net, cz-post.net
mysda24.org/ (Italian Post) – also: sda-expresso24.com, sda-express24.org, mysda24.com
auspost-home.com ?? – also: royalmail-service.co.uk, royalmail-groupltd.net, royalmail-service.org, royalmail-tracking24.net
Campaign characteristics
• Constantly evolving (cont.)
  – Infection vector
    a. victim downloads exe/rar/zip
    b. attachment (Word) with malicious macro; the macro downloads the encryption malware
MACROS
Examples:
royalmail-service.co.uk
royalmail-groupltd.net
royalmail-service.org
royalmail-tracking24.net
Now with social engineering
The CERT’s incident response role
[Diagram: Victims and Partners supply Samples to the CERT; the CERT performs Analysis and returns Advice, Advisories and indicators to Partners; Samples, Theme and Victim information flow to Law Enforcement]
Defending against ransomware
• Staff education and awareness training
• Application whitelisting – not just EXEs: DLLs, SCRIPTS and MACROS!
• Restrict admin privileges (to reduce impact)
• Regular back-ups or snapshots (and store offline)
• Block indicators of compromise (IOCs)
Analysis – indicators
• Pre-infection
  – Email messages: sender, subject, links (URLs)
  – ‘Fake’ domains (mimicking valid sites)
• Post-infection
  – C2 domains & IP addresses
  – File names and hashes
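The ‘fake’ domains above (teltsra.net, royalmail-service.co.uk, penalty-nsw-gov.org and so on) can be triaged automatically from proxy or mail logs. The script below is an added example, not CERT Australia's tooling: it splits each hostname into its registrable label and public suffix, then flags a domain that either embeds a tracked brand token or sits within a small edit distance of one (optimal string alignment distance, so a letter swap such as teltsra counts as one edit). The legitimate-domain list, brand tokens, the tiny public-suffix table, the edit budgets and the log lines are all constructed for the demo.

```python
"""Flag 'fake' domains that mimic the brands used as phishing themes.

Added example for the pre-infection indicators discussed above; it is not
CERT Australia's tooling. The legitimate-domain list, the brand tokens, the
tiny public-suffix table, the edit-distance budgets and the proxy log lines
are all constructed for this demo.
"""
import re
from urllib.parse import urlsplit

# Registrable domains of the impersonated brands (assumed values).
LEGITIMATE = {"auspost.com.au", "telstra.com.au", "royalmail.com",
              "energyaustralia.com.au", "nsw.gov.au"}

# Brand tokens abused in campaign domains. Hyphens are kept so 'nsw-gov'
# matches penalty-nsw-gov.org without matching every label containing 'gov'.
BRAND_TOKENS = ("auspost", "telstra", "royalmail", "energy-australia",
                "nsw-gov", "cz-post", "sda-express")

# Two-label public suffixes this demo understands; production code would use
# the full Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "gov.au", "net.au", "org.au"}

# Constructed proxy log: timestamp, client, method, URL.
LOG = """\
2014-10-02T09:14:11Z 10.1.2.3 GET http://teltsra.net/bill/view.php?id=4421
2014-10-02T09:15:02Z 10.1.2.3 GET http://www.telstra.com.au/
2014-10-02T09:20:37Z 10.1.2.9 GET http://royalmail-service.co.uk/track/
2014-10-02T09:21:40Z 10.1.2.9 GET http://auspost-home.com/parcel/
2014-10-02T09:25:12Z 10.1.2.12 GET http://penalty-nsw-gov.org/fine/
2014-10-02T09:30:00Z 10.1.2.12 GET http://example.org/
"""
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition, so 'teltsra' is one edit away from 'telstra'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_registrable(host):
    """Return (label, public suffix) for the registrable domain of host."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def classify(host):
    """Return (verdict, reason) for one hostname."""
    label, suffix = split_registrable(host)
    if f"{label}.{suffix}" in LEGITIMATE:
        return "legitimate", "registrable domain is the brand's own"
    for token in BRAND_TOKENS:
        if token in label:
            return "lookalike", f"contains brand token '{token}' on a domain the brand does not own"
    squashed = label.replace("-", "")
    for token in BRAND_TOKENS:
        plain = token.replace("-", "")
        # Budget: one typo for short brands, two for longer ones, so that
        # tesltraa (transposition + extra letter) still matches telstra.
        budget = 2 if len(plain) >= 7 else 1
        if osa_distance(squashed, plain) <= budget:
            return "lookalike", f"'{label}' is within {budget} edit(s) of '{plain}'"
    return "unknown", "no resemblance to a tracked brand"


def scan_log(text):
    """Classify the host of every URL in the log; returns one dict per line."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        host = urlsplit(m["url"]).hostname if m else None
        if not host:
            continue
        verdict, reason = classify(host)
        results.append({"ts": m["ts"], "client": m["client"], "host": host,
                        "verdict": verdict, "reason": reason})
    return results


if __name__ == "__main__":
    for r in scan_log(LOG):
        if r["verdict"] == "lookalike":
            print(f"{r['ts']} {r['client']} -> {r['host']}: {r['reason']}")
```

Brand-token containment is deliberately loose (it will also catch legitimate resellers or affiliates), so treat a "lookalike" verdict as a triage signal to be combined with registration age and hosting data rather than an automatic block.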
Analysis – indicator sharing
• Express indicators in STIX format
• STIX: Structured Threat Information eXpression
  – highly descriptive: indicators, observables, TTPs, CoA, Kill Chain
  – machine readable: supported by a growing number of tools
  – automated sharing via a TAXII service
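As an added illustration of what "express indicators in STIX" means in practice (not CERT Australia's tooling), the script below takes the defanged indicators printed later in this deck, refangs them, classifies each as a domain, IPv4 address, URL or MD5 hash, and wraps it in a STIX Indicator object inside a Bundle, which is the unit a TAXII collection would serve. It emits STIX 2.1 JSON; the 2015 presentation would have used STIX 1.x XML, and the observation timestamp, campaign label and use of random UUIDs are assumptions for the demo.

```python
"""Express campaign indicators as STIX 2.1 Indicator objects.

Added example for the indicator-sharing slide; it is not CERT Australia's
tooling. The indicator values are the defanged ones printed on the slides;
the timestamp, the campaign name and the use of STIX 2.1 JSON rather than
the STIX 1.x XML of the era are assumptions.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Defanged indicators exactly as they appear on the slides.
DEFANGED = [
    "casinoroyal7[.]ru",
    "allwayshappy[.]ru",
    "aupostalservice24[.]org",
    "109.105.193[.]99",
    "h[ ]p://officeimage[.]ru/au.png",
    "381e3c5e57431ecbeb072463cacd2056",
    "D0533A17312C65B5C5560696E4CA994C",
]
# Constructed observation time for the demo.
OBSERVED_AT = datetime(2014, 10, 15, tzinfo=timezone.utc)

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(value):
    """Undo the usual defanging conventions: h[ ]p / hxxp, [.], [:]."""
    value = value.strip()
    value = re.sub(r"^h\[ ?\]p", "http", value, flags=re.IGNORECASE)
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def classify(value):
    """Return (observable kind, refanged value)."""
    v = refang(value)
    if MD5_RE.match(v):
        return "md5", v.lower()
    if IPV4_RE.match(v):
        return "ipv4", v
    if v.lower().startswith(("http://", "https://")):
        return "url", v
    return "domain", v.lower()


def _quote(v):
    # STIX pattern string literals are single-quoted; escape backslash and quote.
    return "'" + v.replace("\\", "\\\\").replace("'", "\\'") + "'"


def stix_pattern(kind, value):
    """Build the STIX patterning expression for one observable."""
    if kind == "md5":
        return f"[file:hashes.MD5 = {_quote(value)}]"
    if kind == "ipv4":
        return f"[ipv4-addr:value = {_quote(value)}]"
    if kind == "url":
        return f"[url:value = {_quote(value)}]"
    return f"[domain-name:value = {_quote(value)}]"


def to_indicator(defanged, observed_at, campaign="TorrentLocker campaign (Australia)"):
    """One STIX 2.1 Indicator SDO for a defanged indicator string."""
    kind, value = classify(defanged)
    ts = observed_at.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": f"{campaign}: {kind} {value}",
        "indicator_types": ["malicious-activity"],
        "pattern": stix_pattern(kind, value),
        "pattern_type": "stix",
        "valid_from": ts,
    }


def build_bundle(defanged_values, observed_at):
    """A STIX Bundle holding one Indicator per input value."""
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [to_indicator(v, observed_at) for v in defanged_values],
    }


if __name__ == "__main__":
    print(json.dumps(build_bundle(DEFANGED, OBSERVED_AT), indent=2))
```

Hash-only indicators expire quickly in a campaign whose binary changes daily, so a sharing workflow would normally set `valid_until` on those and keep the domain and IP indicators alive longer; the field is optional in STIX 2.1 and is left out here.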
Analysis – links to other campaigns
• Links between this ransomware campaign and banking trojans have been identified
  – Hesperbot
  – Dridex
Analysis – links to other campaigns (diagram)
Australia Post phishing: aupostalservice24[.]org → track_309280983902001.EXE (MD5: 381e3c5e57431ecbeb072463cacd2056) → C2 = casinoroyal7[.]ru (TorrentLocker)
NSW-Gov speeding fine phishing: penalty_id_879847922.exe (MD5: D0533A17312C65B5C5560696E4CA994C) → C2 = allwayshappy[.]ru (TorrentLocker)
Metadata linked
C2 linked: Info.doc “Invoice Theme” macro → MACRO > h[ ]p://officeimage[.]ru/au.png → C2 = casinoroyal7[.]ru (TorrentLocker)
C2 linked: Order.doc “Invoice Theme” macro → MACRO > h[ ]p://109.105.193[.]99/a.png → C2 = allwayshappy[.]ru (Dridex)
Same IP
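The linking shown on the slide (samples that share a C2 domain, C2 domains that share an IP) is a graph pivot, and it can be automated once observations are recorded as typed nodes and edges. The script below is an added example, not CERT Australia's analysis tooling. The samples, macro documents, C2 domains and download URLs are the ones on the slide; the resolved IP 203.0.113.10 is a constructed stand-in for the "Same IP" observation and the "metadata" edge stands for "Metadata linked". It finds the connected components and then reports every domain or IP that sits within two pivots of samples attributed to more than one malware family.

```python
"""Pivot across samples, C2 domains and hosting IPs to find shared infrastructure.

Added example for the campaign-linking slide; it is not CERT Australia's tooling.
Samples, documents, C2 domains and download URLs come from the slide. The IP
203.0.113.10 is a constructed stand-in for the 'Same IP' observation, and the
'metadata' edge stands for the 'Metadata linked' relationship.
"""
from collections import defaultdict, deque

# Samples and documents with the malware family attributed on the slide.
FAMILY = {
    "sample:381e3c5e57431ecbeb072463cacd2056": "TorrentLocker",  # track_309280983902001.EXE
    "sample:D0533A17312C65B5C5560696E4CA994C": "TorrentLocker",  # penalty_id_879847922.exe
    "doc:Info.doc": "TorrentLocker",                              # "Invoice Theme" macro
    "doc:Order.doc": "Dridex",                                    # "Invoice Theme" macro
}

# Observations as (node, node, relationship); node names carry a type prefix.
EDGES = [
    ("sample:381e3c5e57431ecbeb072463cacd2056", "domain:casinoroyal7.ru", "c2"),
    ("sample:D0533A17312C65B5C5560696E4CA994C", "domain:allwayshappy.ru", "c2"),
    ("sample:381e3c5e57431ecbeb072463cacd2056",
     "sample:D0533A17312C65B5C5560696E4CA994C", "metadata"),
    ("doc:Info.doc", "url:http://officeimage.ru/au.png", "downloads"),
    ("doc:Info.doc", "domain:casinoroyal7.ru", "c2"),
    ("doc:Order.doc", "url:http://109.105.193.99/a.png", "downloads"),
    ("doc:Order.doc", "domain:allwayshappy.ru", "c2"),
    ("domain:casinoroyal7.ru", "ip:203.0.113.10", "resolves"),   # constructed
    ("domain:allwayshappy.ru", "ip:203.0.113.10", "resolves"),   # constructed
]


def adjacency(edges):
    """Undirected adjacency sets; relationship labels are not needed for pivoting."""
    adj = defaultdict(set)
    for a, b, _ in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def components(edges):
    """Connected components: everything that can be pivoted to from anything."""
    adj = adjacency(edges)
    seen, comps = set(), []
    for start in list(adj):
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:
            n = queue.popleft()
            if n in comp:
                continue
            comp.add(n)
            queue.extend(adj[n] - comp)
        seen |= comp
        comps.append(comp)
    return comps


def families_within(node, adj, family, depth):
    """Malware families of samples/documents reachable within `depth` pivots."""
    found, frontier, seen = set(), {node}, {node}
    for _ in range(depth):
        nxt = set()
        for n in frontier:
            for m in adj[n]:
                if m not in seen:
                    seen.add(m)
                    nxt.add(m)
        frontier = nxt
        found |= {family[n] for n in frontier if n in family}
    return found


def shared_infrastructure(edges, family=FAMILY, depth=2):
    """Domains and IPs touched by more than one family within `depth` pivots."""
    adj = adjacency(edges)
    report = {}
    for node in list(adj):
        if node.startswith(("domain:", "ip:")):
            fams = families_within(node, adj, family, depth)
            if len(fams) >= 2:
                report[node] = fams
    return report


if __name__ == "__main__":
    for comp in components(EDGES):
        print("cluster:", ", ".join(sorted(comp)))
    for node, fams in shared_infrastructure(EDGES).items():
        print(f"{node} shared by {', '.join(sorted(fams))}")
```

With these inputs the whole slide collapses into one cluster, and allwayshappy.ru plus the shared IP are reported as touched by both TorrentLocker and Dridex, while casinoroyal7.ru stays TorrentLocker-only; raising `depth` widens the pivot at the cost of more coincidental links.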
Analysis – Word macro observations
• As before, actors are continually tweaking techniques, also modernising old techniques
  – Early Word macro code: URLs were in clear text
  – Newer variants are increasingly more obfuscated
  – Password-protected macros appearing
  – SANDBOXES having some trouble scanning these files
  – Advanced variants utilising PowerShell
  – Latest variant using embedded EXEs, smaller footprint
[Timeline figure: campaign themes with dates and malware family. Themes: Australia Post, Energy Australia, NSW-Gov “RTA Speeding Fine”, Telstra, “Invoice” (.DOC macros). Dates: Oct 2013, Nov 2013, May 2014, Sep 2014, Oct 2014. Families: CryptoLocker, TorrentLocker, Hesperbot / CryptoWall, Dridex. The column alignment did not survive extraction.]
Conclusion
• Organised, well funded and VERY persistent
• Prolific – affecting government, individuals, small and large businesses
• Multiple countries targeted, with localised themes
• Actors are nimble and continually tweaking techniques
  – TorrentLocker updated within a week to patch a “XOR” bug allowing decryption (September 2014)
  – Phishing websites filtering source IP address via country
  – Freshly compromised WordPress websites used in phishing emails as redirector links, complicating detection and filtering
  – Continual wave of new IP addresses used to host phishing sites; clean reputation, IP addresses mostly not seen before