RSA Conference Europe 2012 – They’re inside… Now what?

Eddie Schwartz – CISO, RSA and Uri Rivner – Head of cyber strategy, Biocatch

Talk started with some discussion around general Trojan attacks against companies, rather than long term high tech APTs, with the tagline; If these are random attacks.. We’re screwed!

Worth checking the pitch, but there was a series of examples from the RSA lab in Israel of usernames and passwords and other data that Trojans had sent to C&C servers in Russia.  These included banks, space agencies, science agencies, nuclear material handling companies etc.

So what to the controllers of these Trojans do with the data?  Remember these are random attacks collecting whatever personal data they can get, not specific targeted attacks.  A common example is to sell the data, you can find examples of the criminals on message boards etc. offering banking, government and military credentials for sale.

Moving onto examples of specifically targeted attacks and APTs..  Examples of targeted attacks include; Ghostnet, Aurora, Night Dragon, Nitro and Shady RAT.  These have attacked everything from large private companies, to critical infrastructures to the UN.  All of the given examples had one thing in common – Social Engineering.  Every one used Spear Phishing as their entry vector.

From this I think you need to consider – Do you still think security awareness training shouldn’t be high on your organisations to-do list?

The talk went onto discuss Stuxnet and Duqu, along with their similarities and differences, largely what was captured in my last post.  The interesting observation here was their likely different plaes in the attack process.  Stuxnet was at the end and the actual attack, Duqu likely much earlier in the process as it was primarily for information gathering.

A whole lot more targeted malware examples were given including Jimmy, Munch, Snack, Headache etc.  Feel free to look these up if you want to do some further research.

A very recent example of a targeted attach that was only discovered in July of this year is VOHO.  This campaign was heavily targeted on Geopolitical and defence targets in Boston, Washington and New York.  It was a multistage campaign heavily reliant on Javascript.  While focused on specific target types the attack was very broad, hitting over 32000 unique hosts and successfully infections nearly 4000.  This is actually a very good success rate, with the campaign no doubt considered a success by those instigating it..

In light of this evidence it is clear we need a new security doctrine.  You will get hacked despite your hard work, if it has not yet happened, it will..  Learn from the event, an honest evaluation of faults and gaps should result in implements.

Things to consider as part of this new doctrine;

–          Resist – Threat resistant virtualisation, Zero day defences

–          Detect – Malware traces, Big data analytics, behavioural profiling

–          Investigate – Threat analysis, Forensics and reverse engineering

–          Cyber Intelligence – Threat and Adversary intelligence

Cyber Intelligence was covered in some more specific details around how we can improve this;

–          External visibility – Industry / sector working groups, Government, trusted friends and colleges, vendor intelligence;

  • Can this information be quickly accessed?  For speed should be in machine readable format, but use whatever works!

–          Internal visibility – Do you have visibility in every place it it needed, HTTP, email, DNS, sensitive data etc.

  • Do you have the tools in place to make use of and analyse all of these disparate data sources

–          Can you identify when commands like NET.. and schedulers etc. are being used?

–          Do you have visibility of data exfiltration, scripts running, PowerShell, WMIC (Windows Management Instrumentation Command-line) etc?

–          Do you have the long term log management and correlation in place to put all the pieces of these attacks together?

Summary recommendations and call to action..

–          Assume you are breached on a daily basis and focus on adversaries, TTPs and their targets

–          Develop architecture and tools for internal and external intelligence for real-time and post-facto visibility into threats

–          Understand current state of malware, attack trends, scenarios, and communications

–          Adjust security team skills and incident management work flow

–          Learn from this and repeat the cycle..

Next steps (call to action!);

–          Evaluate your defence posture against APTs, and take the advice from the rest of this post

–          Evaluate your exposure to random intrusions (e.g. data stealing Trojans), and take the advice from the rest of this post

Useful presentation from a technical and security team standpoint, but completely missed the human and security awareness training aspect – despite highlighting that all the example APTs used spear phishing to get in the door.  I’d recommend following all the advice of this talk and then adding a solid security awareness program for all employees and really embedding this into the company philosophy / culture.

K

RSA Conference Europe 2012 – Duqu, Flame, Gauss: Followers of Stuxnet

Boldizsar Bencsath, CrySys Lab

Stuxnet – 2010 – modified PLCs (Programmable Logic Controllers) in uranium enrichment facilities.  Most likely government backed and dubbed ‘the most menacing malware in history’ by wired magazine.

Duqu – discovered by CrySys Lab in the wild when responding to an incident.  Stuxnet destroyed Iranian centrifuges, Duqu is for information gathering.

However they are very similar in terms of design philosophy, internal structure and mechanisms, implementation details and the effort that would have been required to create them.  Additionally Duqu also used a digitally signed driver as with Stuxnet.

Duqu named as it creates temp files starting with the string ~DQ.

Actual relationship between the two and who created Duqu is not known, but suspected that Stuxnet creators at least had some involvement in creating Duqu.

Duqu is a very clean design that automatically downloaded only the modules it required from Command and Control (C&C) servers.  Thus investigators do not know the full extent of its capabilities as they can only see the modules that were downloaded to the targets they investigated.  The Duqu C&C servers may have hosted the Stuxnet PLC code for example.

The components of Duqu that were discovered included;

–          Registry data to point to components

–          Keyloggers

–          Multiple encrypted payloads

–          Pointers to how to decrypt the payloads

–          Of note different payloads were encrypted with different methods

From a CrySys Lab viewpoint they;

–          Discovered and named Duqu

–          Freely shared thei knowledge with AV vendors and Microsoft

–          Identified the dropper

–          Developed the Duqu detector toolkit

  • Focusing on heuristic anomaly detection
    • AV tools already have basic signature detection so no reason to duplicate this
  • Detects live Duqu instances and remnants of old ones
  • Also detects Stuxnet
  • Open source for anyone to use

Moving into 2012 another variant / descendant of Stuxnet / Duqu has been discovered.  This is known as Flame / Flamer / sKyWIper.  Flame has been described as the ‘most complex malware ever found’, its core component is 6MB in size.

Flame appears to follow the same main requirements / specifications to Duqu and Stuxnet, but has been developed in a very different way, using different programming languages etc.  Flame is another information stealer malways with functionality such as;

–          activating microphones and web cameras

–          logging key strokes

–          taking screen shots / screen scraping

–          extracting geolocation data from images

–          sending and receiving commands and data through Bluetooth, including enabling bluetooth when it is turned off

Flame infects computers my masquerading as a proxy for windows and has infected 1000s of victims mostly across Iran and the Middle East.

Gauss is another information stealing malware example that is based on the Flame platform.  This was also discovered in 2012, but infections date back to September 2011, again 1000s of victims, mainly in Lebanon, Israel and the Palestinian Territory.

Gauss have been further developed with the Gauss Godel module.  This has an advanced encrypted warhead using RC4 and the decryption key is not available in the malware itself.  This is in contrast to Stuxnet, Duqu and Flame that used simple XOR masking or byte substitution. This encrypted warhead can only be decrypted on the target system making the malware resistant to detailed analysis. The Gauss module is big enough to contain Stuxnet lake SCADA targeted attacks as well as the currently found information stealing attacks.

The talk also had some great graphics highlighting the structure of the various forms of malware discussed.

Lessons learnt from this research;

–          Current approaches for defending systems from targeted attacks as ineffective

  • Code signing is not bullet proof
  • Virus scanners should have improved heuristics and anomaly detection

–          Coordinating international / global threat mitigation and forensic analysis are challenging problems

  • How do we better share information quickly and while preserving evidence?
  • How do we identify and capture C&C servers quickly?
  • How do we track along the C&C proxy chain?

–          Attackers are using ever more advanced techniques

  • MD5 collision attack in Flame
  • Encrypted payload in Gauss

What can you do to better protect your organisation from similar attacks?

–          Extend protection beyond signature based techniques

  • Anomaly detection – Understand normal use patterns
  • Heuristics
  • Baits, traps, honeypots (I’d say these ones are pretty advanced and likely used by only the most security conscious and savvy organisations)

–          Educate your IT teams to spot and raise anomalies

–          Use Forensics – every organisation should have some forensic capabilities

–          Have an incident response plan, with methods to contact external professionals / experts if required

–          Look into ways to better share information!

It is well worth checking the CrySyS Lab blog for further information on the malware mentioned in this talk, plus many related topics;

Blog.crysys.hu

This talk did a great job of highlighting how one advanced attack inspires many new variants, and how attacks and attackers are becoming ever more advanced and sophisticated.  What is in an advanced, state sponsored attack one day will be used in point and shoot hacking toolkits the next day..

K

USAF Predator control systems compromised by malware

Following on from the very high profile targeted attacks such as the Stuxnet worm that was used to target Siemens supervisory control and data acquisition (SCADA) systems such as those used in Iranian nuclear facilities;

http://www.google.co.uk/search?aq=f&gcx=c&sourceid=chrome&ie=UTF-8&q=stuxnet

 

 

and the RSA security breach that impacted many businesses earlier this year;

http://blogs.rsa.com/rivner/anatomy-of-an-attack/

It has emerged that some USAF (United States Air Force) computer systems have been infected by malware.

While the reports of this state that is it likely to just be a keylogger and not something that is co-opting control of armed military drones, this should be seen as yet another wake up call – any network attached systems or any systems that allow storage devices (e.g. USB drives) to be connected are vulnerable to attack by malware.  I am sure from reading the previous section you have realised that this means pretty much every computer system..

Details can be found here;

http://nakedsecurity.sophos.com/2011/10/10/malware-compromises-usaf-predator-drone-computer-systems/

One particularly worrying comment from the story is around the fact that they are not sure if the malware has been wiped from the systems properly and that it keeps coming back.  Best practice is always to do a clean rebuild of any infected machines, especially something as critical as this!

In short, if high profile security vendors and supposedly secure military computers can be successfully attacked and gaps exploited this should be a wake up call to anyone who does not yet take the security of their systems and data seriously.

Oh, and if in any doubt – reinstall, don’t keep trying to clean the malware from the system!

K

Code war era

I’m sure it is not a new turn of phrase, but I came across the term ‘Code war’ as in code war era in a recent Businessweek article titled ‘Cyber Weapons: The New Arms Race’ that can be found here;

http://www.businessweek.com/printer/magazine/cyber-weapons-the-new-arms-race-07212011.html

From Google accusing the Chinese government of trying to hack it’s systems and threaten it’s employees to the Stuxnet worm causing massive damage to Iran’s nuclear program cyber warfare is clearly real and here to stay – This is truly the era of the code war..

One of the big differences between cyber warfare and traditional warfare are the levels of secrecy involved.  Traditional weapons such as guns, fighter planes or even nuclear missiles still work both in use and as a deterrent even when many details about how they work.  In the cyber world once an exploit is known about and understood countermeasures can quickly render it useless.

To highlight just how real this threat is, in 2009 the US created the US Cyber Command, and the US military has been given the all clear to us ‘cyber’ weapons.

Various firms, such as Endgame and Appin Technologies that provide various security services including creating exploit code are reporting ever increasing profits due to the demand for this kind of service.  These companies while shrouded in secrecy are the public face of this industry; there are many more ‘black’ companies whose activities and work for governments is considerably more hidden and less visible.

Definitely interesting times in the world of IT security..

K