Tobin Sears, FireEye: Zero-Days, Ghost Malware, and Other Current Trends. © 2014, FireEye, Inc. All rights reserved.


Slide 1: Zero-Days, Ghost Malware, and Other Current Trends (Tobin Sears, FireEye)

Slide 2: From the Front Lines: M-Trends® 2015

Slide 3: Agenda
- By the Numbers
- Trend 1: Struggling with Disclosure
- Trend 2: Retail in the Crosshairs
- Trend 3: The Evolving Attack Lifecycle
- Trend 4: Blurred Lines: Criminal and APT Actors Take a Page from Each Other's Playbook
- Ghost Malware and Zero-Days
Note: Some information has been sanitized to protect our clients' interests.

Slide 4: By the Numbers

Slide 5: Who's a Target? (figure slide; no text captured in the transcript)

Slide 6: How Compromises Are Being Detected (figure slide; no text captured in the transcript)

Slide 7: Dwell Time
- Median time attackers were present before detection was 24 days less than in 2013 (205 days in 2014 versus 229 in 2013)
- Longest presence: 2,982 days

Slide 8: APT Phishing (figure slide; no text captured in the transcript)

Slide 9: Trend 1: Struggling with Disclosure

Slide 10: Trend 1: Struggling with Disclosure
- Mandiant worked with over 30 companies that publicly disclosed a compromise
- The public is asking more informed questions
  - Attribution
  - Malware
  - Attacker TTPs
- Public speculation is starting to affect investigations

Slide 11: Why the Increase in Notifications?
- Mandiant worked an increased number of cases where protected data was lost
  - Cardholder data, personally identifiable information (PII), and protected health information (PHI)
  - Contractual and legal obligations to notify
- 69% of victims did not self-detect (they learned of the breach from an outside party)
  - Increased pressure to notify
- More companies willing to notify
  - Companies feel it is the right thing to do
  - Being a breach victim is less taboo than in the past

Slide 12: Critical Investigation Questions
Questions you should have answers to during the investigation:
- How did the attacker gain initial access to the environment?
- How did the attacker maintain access to the environment?
- What is the storyline of the attack?
- What data was stolen from the environment?
- Have you contained the incident?

Slide 13: The Takeaways
- Breaches are inevitable
  - Have an effective communication strategy ready in advance
- Consistent communication is key
  - Base every statement on factual investigative findings
- Public speculation will happen
  - Do not let it distract the investigation

Slide 14: Trend 2: Retail in the Crosshairs

Slide 15: Trend 2: Retail in the Crosshairs
- Retailers thrust into the spotlight in 2014
  - Mandiant responded to many of the breaches that made headlines
- New groups getting into the game
- Small misconfigurations led to greater compromise

Slide 16: Themes of Financially Motivated Attackers in 2014
- Application virtualization servers used as an entry point
  - Valid credentials used to authenticate
  - Misconfigurations and lack of network segmentation allowed greater access
- New tools, tactics, and procedures
  - Highly sophisticated malware
  - Publicly available tools
- Increased number of attacks against e-commerce in locations that deployed chip-and-PIN technology
  - Attackers shifting focus to the lowest-hanging fruit (card-not-present transactions)

Slide 17: Initial Access to the Environment
- Attacker authenticated to a virtual application server
  - Already had legitimate credentials, so there were no failed logons to alert on
- Escaped from the "jailed" (restricted published-application) environment to gain additional control over the system
- Misconfiguration in the virtual application server resulted in greater access to the environment
  - No segmentation
- Same local administrator password on all systems
  - Once that password (or its hash) was recovered from one host, the attacker had privileged access to every system

Slide 18: Lateral Movement: Forensic Artifacts
- Attacker used the Metasploit "psexec_command" module to execute commands on remote systems
  - Mimics the command-execution capability of the Sysinternals PsExec utility (a service is created on the target over SMB to run the command)
- Windows 7 / Server 2008 System event logs recorded the service installation (Event ID 7045, source Service Control Manager)
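A detection pass over the artifact the slide names, as an added example (my code, not FireEye's, Mandiant's or Metasploit's): it reads Event ID 7045 records and flags service installs that look like PsExec-style remote execution rather than a normal product install. The event records are constructed, their dict layout is a flattened stand-in for the event's EventData rather than a real export format, and the psexec_command-shaped entry is an assumption about how such modules wrap a command in a one-shot cmd.exe service (random service name, output echoed to an admin share), not the module's exact string.

```python
"""Triage Windows System-log Event ID 7045 ("A service was installed in the
system", source Service Control Manager) for PsExec-style remote execution.

Added example, not code from the FireEye/Mandiant deck. Events below are
constructed; the dict layout is a flattened stand-in for the event's
EventData, not a real export format. The psexec_command-shaped entry is an
assumption about how such modules wrap a command in a one-shot cmd.exe
service (random service name, output echoed to an admin share); it is not
the module's exact string.
"""
import re

# Constructed sample events (EventData fields, already flattened).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "tKDtJPfQnOvE",
     "ImagePath": (r"%COMSPEC% /C echo net user ^> \\127.0.0.1\ADMIN$\xqgo.txt "
                   r"> %TEMP%\xqgo.bat & %COMSPEC% /C start %TEMP%\xqgo.bat"),
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "gupdate",
     "ImagePath": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc",
     "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": "",
     "AccountName": ""},
]

# Service names of known remote-execution tools (Sysinternals PsExec installs
# PSEXESVC; add your own admin tooling here so legitimate use is labelled).
KNOWN_REMOTE_EXEC_SERVICES = {"psexesvc"}

# Interpreter / shell fragments and admin shares that do not belong in a
# service binary path.
SHELL_MARKERS = re.compile(
    r"%COMSPEC%|\bcmd(?:\.exe)?\s+/[ck]\b|\bpowershell(?:\.exe)?\b|\becho\b|"
    r"\\ADMIN\$|\\C\$|\\IPC\$|\.bat\b|\.vbs\b",
    re.IGNORECASE,
)


def case_transitions(name: str) -> int:
    """Count upper/lower flips between adjacent letters; random letter
    strings flip far more often than human-chosen names like 'gupdate'."""
    flips = 0
    for prev, cur in zip(name, name[1:]):
        if prev.isalpha() and cur.isalpha() and prev.isupper() != cur.isupper():
            flips += 1
    return flips


def looks_random(name: str) -> bool:
    """Heuristic: 8+ letters only, with at least four case flips."""
    return bool(re.fullmatch(r"[A-Za-z]{8,}", name)) and case_transitions(name) >= 4


def find_suspicious_service_installs(events):
    """Return [{'ServiceName', 'ImagePath', 'reasons'}] for 7045 events that
    look like remote-execution tooling rather than a normal install."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        name = ev.get("ServiceName", "")
        path = ev.get("ImagePath", "")
        reasons = []
        if name.lower() in KNOWN_REMOTE_EXEC_SERVICES:
            reasons.append("known remote-execution service name")
        if looks_random(name):
            reasons.append("random-looking service name")
        if SHELL_MARKERS.search(path):
            reasons.append("shell/interpreter or admin share in ImagePath")
        if reasons:
            hits.append({"ServiceName": name, "ImagePath": path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_service_installs(SAMPLE_EVENTS):
        print(hit["ServiceName"], "->", "; ".join(hit["reasons"]))
```

Run against a real export, feed the 7045 events from every host's System log in and baseline the hits: genuine PsExec use by administrators will surface as PSEXESVC, while the random-name plus cmd.exe combination is what the module-driven lateral movement described on the slide leaves behind. A legitimate install that trips the name heuristic is cheap to allowlist; a missed 7045 is not.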

Slide 19: Persistence: Sophisticated Malware
- Backdoor targeted Windows XP systems
- Used a sophisticated packer
- Backdoor gets its capabilities from shellcode
- Ability to download additional shellcode
  - Makes for a versatile backdoor

Slide 20: Data Theft
- Attacker used a domain controller as the pivot point into the retail environment
  - The retail domain had a two-way trust with the corporate domain
  - The store registers ran Microsoft Windows XP
  - The store registers were joined to the retail domain
- Deployed card-harvesting malware to registers throughout the environment
- Malware wrote stolen track data to a temporary MSSQL database
- Attacker queried the database to collect the stolen track data
- Transferred files off the network using FTP
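To show what the "track data" on this slide looks like, and how a responder confirms that a harvester's output file or a dump of the staging database actually holds card data, here is an added example, not code from the deck: a scanner for Track 1 and Track 2 patterns with a Luhn check to cut regex noise. The buffer is constructed around the public test PAN 4111111111111111 and a decoy that fails Luhn; no real card data is involved.

```python
"""Scan a byte buffer for magnetic-stripe track data, the check a responder
runs on a suspected harvester's output file or a dump of a staging database.

Added example, not code from the deck. The buffer below is constructed and
uses the well-known test PAN 4111111111111111 (Luhn-valid) plus a decoy that
fails Luhn; no real card data is involved.
"""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

# Constructed sample: a harvester log line, a raw swipe, and a SQL insert
# of the kind a temporary staging table would receive.
SAMPLE_BUFFER = (
    b"\x00\x00POS log 2014-11-03\r\n"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?\r\n"
    b";4111111111111111=25121011234567890?\r\n"
    b"INSERT INTO tmp_tracks VALUES (';4111111111111112=2512101000?')\r\n"
)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check-digit validation (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4, the usual PCI-safe display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes):
    """Return one record per track match: which track, masked PAN, expiry,
    service code and whether the PAN passes Luhn (filters regex noise)."""
    records = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode()
            if track == 1:
                yy, mm, svc = m.group(3), m.group(4), m.group(5)
            else:
                yy, mm, svc = m.group(2), m.group(3), m.group(4)
            records.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry": f"{mm.decode()}/{yy.decode()}",
                "service_code": svc.decode(),
                "luhn_valid": luhn_ok(pan),
            })
    return sorted(records, key=lambda r: r["offset"])


if __name__ == "__main__":
    for r in find_track_data(SAMPLE_BUFFER):
        print(r)
```

The same two regexes are, in essence, what RAM-scraping POS malware runs over process memory; the responder's version adds Luhn validation and masking so that the scan output itself does not become another copy of cardholder data. Point it at the MSSQL data files or a memory image from a register and the offsets tell you where the staging happened.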

Slide 21: A Retailer Case Study (diagram slide; no text captured in the transcript)

Slide 22: Protect Yourself
- Secure remote access
  - Require two-factor authentication
- Secure access to the PCI environment
  - Segment the PCI environment
  - Require access through an internal jump server
- Deploy application whitelisting on critical assets
  - Protect the POS servers and registers
- Manage privileged accounts
  - Control access

Slide 23: Trend 3: The Evolving Attack Lifecycle

Slide 24: Trend 3: The Evolving Attack Lifecycle
- Threat actors have used stealthy new tactics to move laterally and maintain persistence in victim environments.

Slide 25: Attack Lifecycle (diagram slide; no text captured in the transcript)

Slide 26: Hijacking the VPN
- Heartbleed vulnerability
- Single-factor authentication and credential theft
- Bypassing two-factor authentication: dumping certificates with Mimikatz (image source: www.darkoperator.com)

Slide 27: Password Harvesting
- Clear-text passwords in memory
- "Golden Ticket" Kerberos attack
- Malicious security packages
"Victims quickly learned that the path from a few infected systems to complete compromise of an Active Directory domain could be incredibly short."
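Two host-side checks for the last two bullets, written for this page rather than taken from the deck: golden-ticket indicators in a user's cached Kerberos tickets, and an unexpected entry in the LSA "Security Packages" list. The klist text is constructed to resemble Windows klist output (the real layout varies by OS version and locale; the parser assumes the M/D/YYYY H:MM:SS form shown). The checks rest on stated assumptions: the default domain policy limits TGT lifetime to 10 hours, a forged TGT usually carries a far longer lifetime and RC4 encryption in a domain that otherwise issues AES tickets, and the package baseline is the stock Windows 7 / Server 2008 R2 list.

```python
"""Golden-ticket indicators in cached Kerberos tickets, plus a check for an
unexpected LSA security package.

Added example, not code from the deck. SAMPLE_KLIST is constructed to
resemble Windows `klist` output; the real layout varies by OS version and
locale, and the parser assumes the M/D/YYYY H:MM:SS form used here. Two
assumptions drive the checks: the default domain policy caps TGT lifetime at
10 hours, and a forged TGT typically carries a much longer lifetime and RC4
encryption when the domain otherwise issues AES tickets.
BASELINE_SECURITY_PACKAGES is the stock Windows 7 / Server 2008 R2
"Security Packages" list; adjust it for your build.
"""
import re
from datetime import datetime, timedelta

SAMPLE_KLIST = """\
Cached Tickets: (2)

#0>     Client: jdoe @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent
        Start Time: 3/10/2015 9:00:00 (local)
        End Time:   3/10/2015 19:00:00 (local)
        Renew Time: 3/17/2015 9:00:00 (local)

#1>     Client: Administrator @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 3/10/2015 9:05:00 (local)
        End Time:   3/8/2025 9:05:00 (local)
        Renew Time: 3/8/2025 9:05:00 (local)
"""

MAX_TGT_LIFETIME = timedelta(hours=10)  # default "Maximum lifetime for user ticket"
_FIELD = {
    "client": re.compile(r"Client:\s*(\S+) @ (\S+)"),
    "server": re.compile(r"Server:\s*(\S+) @"),
    "etype": re.compile(r"KerbTicket Encryption Type:\s*(.+)"),
    "start": re.compile(r"Start Time:\s*(\S+ \S+)"),
    "end": re.compile(r"End Time:\s*(\S+ \S+)"),
}
_TIME_FMT = "%m/%d/%Y %H:%M:%S"


def parse_klist(text: str):
    """Split klist output into one dict per cached ticket."""
    tickets = []
    for block in re.split(r"(?m)^#\d+>", text)[1:]:
        fields = {k: rx.search(block) for k, rx in _FIELD.items()}
        if not all(fields.values()):
            continue  # incomplete block: skip rather than guess
        tickets.append({
            "client": fields["client"].group(1),
            "realm": fields["client"].group(2),
            "server": fields["server"].group(1),
            "etype": fields["etype"].group(1).strip(),
            "start": datetime.strptime(fields["start"].group(1), _TIME_FMT),
            "end": datetime.strptime(fields["end"].group(1), _TIME_FMT),
        })
    return tickets


def golden_ticket_indicators(tickets, domain_issues_aes=True,
                             max_lifetime=MAX_TGT_LIFETIME):
    """Return [(client, [reasons])] for TGTs (krbtgt/ service) that look forged."""
    findings = []
    for t in tickets:
        if not t["server"].lower().startswith("krbtgt/"):
            continue
        reasons = []
        lifetime = t["end"] - t["start"]
        if lifetime > max_lifetime:
            reasons.append(f"TGT lifetime {lifetime} exceeds policy maximum {max_lifetime}")
        if domain_issues_aes and "RC4" in t["etype"].upper():
            reasons.append("RC4-encrypted TGT in a domain that issues AES tickets")
        findings.append((t["client"], reasons))
    return findings


BASELINE_SECURITY_PACKAGES = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"}


def unexpected_security_packages(values, baseline=BASELINE_SECURITY_PACKAGES):
    """Names in HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa, value
    "Security Packages" (REG_MULTI_SZ), that are not in the baseline,
    e.g. a dropped SSP DLL registered so LSASS loads it at boot."""
    return [v for v in values if v.strip() and v.strip().lower() not in baseline]


if __name__ == "__main__":
    for client, reasons in golden_ticket_indicators(parse_klist(SAMPLE_KLIST)):
        print(client, "->", reasons or "no indicators")
    print(unexpected_security_packages(
        ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "mimilib"]))
```

klist only shows the tickets of the logon session it runs in, so this is a triage check for a host you already suspect; fleet-wide, the complementary signal is on the domain controllers, where a forged TGT is used (service ticket requests) without the KDC ever having issued it. The security-package check is only as good as its baseline: collect the value from a clean build of each OS version you run before trusting the list above.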

Slides 28 to 30: Persisting with WMI (three diagram slides; no text captured in the transcript)
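The slides name the technique without detail; the usual form is a permanent WMI event subscription: an __EventFilter (the trigger), an __EventConsumer subclass (the action) and a __FilterToConsumerBinding tying them together, all stored in the root\subscription namespace so they survive reboots with no file on disk. The following is an added example, not material from the deck, that joins those three object types and flags bindings that look like persistence. The objects are constructed to resemble what Get-WmiObject -Namespace root\subscription returns; the BVTFilter / "SCM Event Log Consumer" pair is the subscription Windows ships with, while the "Updater" pair and its base64 blob are made up.

```python
"""Correlate WMI permanent event subscriptions and flag the ones that look
like persistence.

Added example, not code from the deck, which names the technique without
detail. The three lists are constructed to resemble objects pulled from the
root\\subscription namespace (__EventFilter, the __EventConsumer subclasses,
__FilterToConsumerBinding), e.g. with
`Get-WmiObject -Namespace root\\subscription -Class __FilterToConsumerBinding`.
The BVTFilter / "SCM Event Log Consumer" pair is the subscription Windows
ships with; the "Updater" pair and its base64 blob are a made-up stand-in
for a PowerShell-launching consumer.
"""
import re

FILTERS = [
    {"Name": "BVTFilter", "EventNamespace": "root\\cimv2",
     "Query": 'SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE '
              'TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99'},
    {"Name": "Updater", "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 "
              "AND TargetInstance.SystemUpTime < 325"},
]
CONSUMERS = [
    {"__CLASS": "NTEventLogEventConsumer", "Name": "SCM Event Log Consumer"},
    {"__CLASS": "CommandLineEventConsumer", "Name": "Updater",
     # constructed placeholder, not a real encoded command
     "CommandLineTemplate": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0A"},
]
BINDINGS = [
    {"Filter": '__EventFilter.Name="BVTFilter"',
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
    {"Filter": '__EventFilter.Name="Updater"',
     "Consumer": 'CommandLineEventConsumer.Name="Updater"'},
]

# Consumer classes that execute attacker-supplied content.
EXEC_CONSUMER_CLASSES = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
LOLBIN_RE = re.compile(
    r"powershell|cmd\.exe|wscript|cscript|mshta|regsvr32|rundll32|-enc\b|hidden",
    re.IGNORECASE)
# Triggers that fire shortly after boot, at a time of day, or on logon /
# process start: the classic timers for persistence.
TIMER_TRIGGER_RE = re.compile(
    r"SystemUpTime|Win32_LocalTime|Win32_LogonSession|Win32_ProcessStartTrace",
    re.IGNORECASE)
_NAME_IN_REF = re.compile(r'Name="([^"]+)"')


def ref_name(ref: str) -> str:
    """Pull the Name key out of a WMI object path like __EventFilter.Name="X"."""
    m = _NAME_IN_REF.search(ref)
    return m.group(1) if m else ref


def triage_wmi_subscriptions(filters, consumers, bindings):
    """Join each binding to its filter and consumer and attach reasons for concern."""
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {c["Name"]: c for c in consumers}
    results = []
    for b in bindings:
        f = by_filter.get(ref_name(b["Filter"]))
        c = by_consumer.get(ref_name(b["Consumer"]))
        reasons = []
        if f is None or c is None:
            reasons.append("dangling binding (filter or consumer missing)")
        if c and c["__CLASS"] in EXEC_CONSUMER_CLASSES:
            reasons.append(f"executing consumer class {c['__CLASS']}")
            body = c.get("CommandLineTemplate", "") + c.get("ScriptText", "")
            if LOLBIN_RE.search(body):
                reasons.append("consumer launches a script host / encoded command")
        if f and TIMER_TRIGGER_RE.search(f["Query"]):
            reasons.append("time/boot/logon-triggered filter")
        results.append({"filter": ref_name(b["Filter"]),
                        "consumer": ref_name(b["Consumer"]),
                        "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in triage_wmi_subscriptions(FILTERS, CONSUMERS, BINDINGS):
        print(f'{r["filter"]} -> {r["consumer"]}: {r["reasons"] or "benign"}')
```

The join matters more than the heuristics: a filter or consumer on its own does nothing, and attackers sometimes leave innocuous-looking halves lying around, so always start from the bindings. On a live host the three lists come from root\subscription on every machine in scope; offline, the same objects can be carved from the WMI repository (OBJECTS.DATA) with the same triage logic applied afterwards.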

Slide 31: Trend 4: Blurred Lines: Criminal and APT Actors Take a Page from Each Other's Playbook

Slide 32: Trend 4: Blurred Lines: Criminal and APT Actors Take a Page from Each Other's Playbook
- As actors' tactics merge, discerning their goals becomes critical to gauging the impact of incidents.

Slide 33: Tactical Overlaps between Cybercriminals and APT Groups
- Interactive social engineering and social media presence
- Custom malware and tools, developed on the fly
- Effective lateral movement and long-term persistence
- Repeated, wide-scale data theft

Slide 34: From Russia with Ambiguity: Intent Matters
- Russia-based cyber activity
  - Nation-state espionage
  - Cybercrime
  - Gray area...
- APT28 and "Sandworm"
  - Use of BlackEnergy (traditionally crimeware) to target industrial control systems
- Intent and motive matter

Slide 35: Conclusion
- Organizations are under increasing pressure to disclose details on breaches and provide attribution
- Retail remains a top target as attackers find more victims
- Threat actors have adopted stealthy new tactics to hide in compromised environments
- Attribution is becoming harder as the lines blur between the tactics used by cyber criminals and nation-state actors

Slide 36: Ghost Malware and Zero-Days: Interesting Data Points and Trends

Slide 37: Malware Lifespan Analysis (chart: total pool of malware samples versus lifespan in hours)

Slide 38: Ghost Hunting with Antivirus
Source: http://www.fireeye.com/blog/corporate/2014/05/ghost-hunting-with-anti-virus.html
- [percentage shown only in the slide graphic] of malware exists only once
- [percentage shown only in the slide graphic] of malware disappears after one hour

Slide 39: Malware Lifecycle Development: Supply Chain Comparison
Source: http://www.fireeye.com/blog/corporate/2014/05/ghost-hunting-with-anti-virus.html
Two lifecycles are compared in the graphic, labelled "Days to Weeks" and "Days" (which side each label belongs to is not captured in the transcript)

Slide 40: Document Exploit Kits
- Effective document exploit kits emerging in underground forums
- New version of Microsoft Word Intruder (MWI) includes the ability to track the effectiveness of a campaign
  - Marketed as an APT tool; the author limits the user base and forbids use in spam campaigns
  - Lets operators track multiple campaigns, conversion rates (i.e. successful exploitations), and information about their victims using the MWISTAT package
  - The latest version, MWI 4.0, has been advertised as containing multiple exploits, including CVE-2010-3333, CVE-2012-0158, CVE-2013-3906 and CVE-2014-1761
  - Observed payload: Chthonic (a Zeus variant with Andromeda packaging characteristics)
- Huge increase in macros versus exploits

Slide 41: Flash Exploits in 2015
- Web exploit targets in the last few years
  - Java: peaked in 2013 but dropped off in January 2014 when Oracle blocked execution of unsigned applets by default
  - Internet Explorer: decreased in June 2014 when Microsoft introduced multiple heap-corruption mitigations
  - Adobe Flash: shift to Flash exploitation starting at the end of 2014
- Existing ASLR bypass mechanisms continue to allow exploitation of memory-corruption bugs
- Advanced obfuscation techniques used to avoid detection
  - Environmental checks (debugger, software version, OS language, browser type, ...)
  - Encryption, compression, FlashVars, data in external resources, ...
  - Multiple commercial Flash obfuscation tools available: DoSWF and SecureSWF
    - Slows down automated analysis

Slide 42: Flash Campaign to Payload Mappings (figure slide; no text captured in the transcript)

Slide 43: VirusTotal (VT) detection rates versus time for the earliest samples using high-profile Flash and IE/Flash exploits (chart; data not captured in the transcript)

Slide 44: Thank You

Slide 45: Free Resources
Available on www.mandiant.com:
- Redline
- IOC Editor
- IOC Finder
- Memoryze
- Memoryze for Mac
- Highlighter
- ApateDNS
- Heap Inspector
- PdbXtract

