Monthly Cyber Threat Briefing April 2016
855.HITRUST (855.448.7878) www.HITRUSTAlliance.net
1
© 2016 HITRUST Alliance. All Rights Reserved.
Presenters
• Charity Willhoite: Intelligence Analyst, Armor
• Aaron Shelmire: Sr. Threat Researcher, Anomali (ThreatStream)
• Jon Clay: Sr. Manager – Global Threat Communications, Trend Micro
• Dennis Palmer: Senior Security Analyst, HITRUST
ARMOR: TOP THREAT ACTORS AND COMMAND AND CONTROL ACTIVITY
Top Vulnerability Exploits
NAME                           HITS
CVE-2016-1019                  326
CVE-2016-1010                  46
CVE-2016-1743                  29
CVE-2016-0846                  19
Stagefright Vulnerability      17
CVE-2016-1001                  9
CVE-2014-4113                  5
CVE-2016-0051                  5
CVE-2016-0984                  5
CVE-2016-0998                  5
CVE-2015-2419                  4
CVE-2015-3873                  2
CVE-2015-0057                  2
MS14-058                       2
APSA16-01                      2
CVE-2014-6271 (Shellshock)     2
CVE-2015-2413                  2
CVE-2015-3864                  1
RELATED TECHS/MALWARE (combined across rows): Adobe, Adobe Flash Player, Magnitude Exploit Kit, Microsoft Windows, MS Windows XP; Adobe, Angler Exploit Kit, Adobe Flash Player, Kaspersky Lab, Microsoft Windows; Apple, Graphics Drivers, Mac OS X, Null Corp.; Android, Google, Smartphone, Zimperium, T-Mobile; Angler Exploit Kit, Adobe, Adobe Flash Player, Nuclear Pack Exploit Kit, Magnitude Exploit Kit; Microsoft Windows, Windows 8, Nuclear Pack Exploit Kit, Microsoft Excel, Microsoft Windows 7, MS-016, Microsoft Windows, Microsoft, GitHub; Adobe, Adobe Flash Player, SDK, Microsoft Windows, Linux; Adobe, Adobe Flash Player, Microsoft Windows, Flash Player Esr, SDK; Microsoft IE, Angler Exploit Kit, Adobe Flash Player, RIG; RENTSCH INDUSTRIE-HOLDING AG, Adobe; Android, Nexus Security Bulletin, Google, CWE; Windows 8, Microsoft Windows, Dyreza, Windows 10, Microsoft; Microsoft Windows, Microsoft, Microsoft Excel, Windows 8.0/8.1, Operating system; Adobe, Adobe Flash Player, Microsoft Windows, Linux, Google Chrome OS; Bash, Yahoo, Linux, Unix, Mac OS X; Microsoft IE, Microsoft, Microsoft Internet Explorer Information Disclosure Vulnerability, CWE; Google, Android, M7, Exodus, Exodus Intelligence
Action Item: Avoid utilizing Adobe Flash inside your infrastructure. Focus endpoint introspection to alert on unpatched Adobe Flash Player.
Top Emerging Malware Entities
NAME             HITS
rokku            14
TinyPOS          8
Recon Exploit    6
OneLocker        3
NewExt           2
GSLFbot          2
RELATED TECHS/MALWARE (combined across rows): Bitcoin, Encryption, Microsoft Windows, Advanced Encryption Standard, uncommon encryption algorithm; Point of Sale, Foregenix, iSIGHT Partners; Password manager, Universal, Windows 10, Microsoft Windows, Windows Phone 10; Googlebot, TwitterBot, Google, GoogleMobile, Googlebot-Mobile
Action Item: Educate everyone on spearphishing. Rokku and other ransomware families use phishing for initial entry, and their success shows just how effective spearphishing can be.
https://blog.avira.com/rokku-ransomware-made-professional/
Top Corporate Targets
NAME                                       HITS
Apple                                      200
Federal Bureau of Investigation            183
Mossack Fonseca & Co SA                    134
Hacking Team                               113
U.S. government                            108
Syrian Government                          83
National Childbirth Trust                  65
Spotify                                    59
France                                     57
Islamic State in Iraq and the Levant       56
NASA                                       51
Netflix                                    46
Commission on Elections                    40
Sony Corp                                  34
Verizon                                    33
Georgetown University                      31
Knesset                                    28
MedStar Health                             28
Mattel                                     23
Google                                     21
Action Item: If you're running JBoss, take a look at JexBoss. Dissect its code, and make sure that if it were pointed at your infrastructure it would fail to profile you.
https://github.com/joaomatosf/jexboss
http://www.medstarhealth.org/blog/2016/04/05/april-4-2-p-m-medstar-health-update/
https://www.nct.org.uk/press-release/nct-data-breach
Top Corporate Targets: IP ADDRESS / HITS
Action Item: Block malicious IPs at your edge. Prevent reconnaissance, and increase the cost to the actors, by subscribing to IP reputation lists. Bi-directional edge filtering can help prevent payloads from detonating in your environment.
Ransomware Evolved
LOCKY http://www.symantec.com/connect/blogs/locky-ransomware-aggressive-hunt-victims
SAMSAM http://www.symantec.com/connect/blogs/samsam-may-signal-new-trend-targeted-ransomware
ROKKU https://blog.avira.com/rokku-ransomware-made-professional/
ANOMALI: SAMSAM RANSOMWARE OVERVIEW
Overview: Ransomware
• Large uptick since 2013
• Largely driven by:
  – TOR: Hidden services
  – Bitcoin
SamSam Overview
• Targeted ransomware
• Actors leverage server-side exploitation, including JBoss vulnerabilities
• Encrypts files based upon extension
• Current ransom pages on Tor hidden services
• Requests payment in Bitcoin
SamSam Ransom Tor Page
SamSam Timeline
SamSam Activity
Relation to C0d0s0 / Peace Activity
Reported claims by:
• Cisco TALOS
• Dell SecureWorks
• Palo Alto Networks
Appear to rely upon:
• SamSam + McAltLib.dll on one server
• Both targeting JBoss vulns
Relation to C0d0s0 / Peace Activity
Relation to C0d0s0 / Peace Activity
SamSam Mitigations
• Actors are targeting server infrastructure
• Regular offline backups
• Regular vulnerability scans
• Server patching
Thank you! Any questions?
TREND MICRO: BUSINESS E-MAIL COMPROMISE
Business E-mail Compromise (BEC)
• It is a global scam, and it was renamed BEC to focus on the "business angle" of the scam.
• Sophisticated scam targeting businesses
  – Businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.
• Victims will increase
  – The FBI assesses with high confidence that the number of victims and the total dollar loss will continue to increase.
CEO Fraud E-mail Characteristics
1. The e-mail addresses of high-level business executives (CEO, CTO, etc.) are spoofed
2. Targeted recipients are usually responsible for processing, or have authority to grant, financial requests (e.g. the CFO)
3. The e-mail subject and content request a wire transfer
The Scenario of CEO Fraud's Victim (diagram)
• A finance-related employee receives the request
• The fraudster forges the CXO's mailbox and requests an urgent wire transfer
• The real CXO may be away on a business trip
The Artifice of CEO Fraud E-mail
Fraudster/Spammer knew:
• E-mail clients usually use the Reply-To address as the default recipient when the user clicks "Reply"
(Diagram: From: John [email protected]; Reply-To: John [email protected]; Nick Name: CEO Name; Scam Address: [email protected])
1st Type of CEO Fraud: General Type
The scam e-mail address is named generically
• For use in scamming different enterprises
• Usually contains "CEO" or "executive" terms
• For example:
  – Reply-To: "Company A CEO"
  – Reply-To: "Company B CEO" [email protected]
• Registered in many free email services:
  – [email protected]
  – [email protected]
  – [email protected]
  – [email protected]
  – [email protected]
2nd Type of CEO Fraud: Customized Type
The scam e-mail address is customized for a specific target business
• The spammer registers a domain that is similar to the target company's domain
• The registered domain is usually newly registered or recently updated
• For example:
  – "Eva_Chen"
  – "Eva_Chen"
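Added example (not code from the briefing or from Trend Micro): header heuristics that flag the Reply-To artifice and both CEO-fraud types described in the slides above. The corporate domain, executive list, free-mail list and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from difflib import SequenceMatcher

# Constructed defender-side assumptions (hypothetical, not from the briefing).
CORP_DOMAIN = "example-corp.com"
EXECUTIVES = {"eva chen"}  # display names of CXOs that fraudsters spoof
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

def lookalike(domain, target=CORP_DOMAIN):
    """Customized type: a domain close to, but not equal to, the corporate one."""
    return domain != target and SequenceMatcher(None, domain, target).ratio() >= 0.8

def bec_indicators(raw):
    """Return CEO-fraud indicator tags for one RFC 5322 message (empty = clean)."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()
    tags = []
    # The artifice: clients answer to Reply-To, so a foreign Reply-To redirects the reply.
    if reply_addr and reply_dom != from_dom:
        tags.append("reply-to-mismatch")
    # General type: generic "CEO"/"executive" mailbox at a free e-mail service.
    if reply_dom in FREEMAIL and re.search(r"ceo|executive", reply_addr, re.I):
        tags.append("generic-ceo-freemail")
    # Customized type: lookalike of the corporate domain in From or Reply-To.
    if any(lookalike(d) for d in (from_dom, reply_dom) if d):
        tags.append("lookalike-domain")
    # A known executive's display name on an address outside the corporate domain.
    if from_name.lower() in EXECUTIVES and from_dom != CORP_DOMAIN:
        tags.append("exec-name-external-address")
    # Third characteristic: the subject or body asks for a wire transfer.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    if re.search(r"wire transfer", msg.get("Subject", "") + " " + body, re.I):
        tags.append("wire-transfer-request")
    return tags

# Constructed samples: the general type (free-mail Reply-To) and the customized type.
GENERAL = """From: Eva Chen <eva.chen@example-corp.com>
Reply-To: Company A CEO <company.ceo@gmail.com>
Subject: Urgent wire transfer

Please process the wire transfer before noon, I am travelling."""
CUSTOMIZED = """From: Eva Chen <eva_chen@example-c0rp.com>
Subject: Supplier payment

Please arrange the wire transfer to the new supplier account today."""
```

Run `bec_indicators(GENERAL)` and `bec_indicators(CUSTOMIZED)` to see the tags each sample trips; a message from the executive's real address with no Reply-To and no transfer request returns an empty list.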
Fraudster Does Investigation and Then Attacks
• Company CXO name (company webpage & public information)
• Company employee role & name (LinkedIn)
• E-mail account format (e-mail harvest tool)
Is it possible that they also collect CXO business trip information?
Best Practices
• Financial Employee Education: Recommend immediate training about this threat for any employee who manages financial transactions, including executives who have authority to authorize transactions
• 2-step Verification: Employees who receive emails purportedly from executives should contact the sender for verification (authenticate that they in fact sent the email).
• The FBI recommends using the "Forward" function instead of "Reply": so you can type the email address of your contact and ensure that the correct address is being used.
• If defrauded: Contact your bank and law enforcement, and report to IC3.gov
HITRUST
CSF Controls Related to Threats
CSF Control for Suspicious IP Addresses
• Control Reference: 01.i Policy on the Use of Network Services
  – Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.
  – Implementation Requirement: The organization shall specify the networks and network services to which users are authorized access.
CSF Controls Related to Threats
CSF Control for Malicious Code
• Control Reference: 09.j Controls Against Malicious Code
  – Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.
  – Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.
CSF Controls Related to Threats
CSF Control for Crypto-Ransomware
• Control Reference: 09.l Backup
  – Control Text: Back-up copies of information and software shall be taken and tested regularly.
  – Implementation Requirement: Back-up copies of information and software shall be made, and tested at appropriate intervals. Complete restoration procedures shall be defined and documented for each system.
CSF Controls Related to Threats
CSF Control for Ransomware (unauthorized software)
• Control Reference: *10.h Control of Operational Software
  – Control Text: There shall be procedures in place to control the installation of software on operational systems.
  – Implementation Requirement: The organization shall maintain information systems according to a current baseline configuration and configure system security parameters to prevent misuse.
CSF Controls Related to Threats
CSF Control for Vulnerability Patching
• Control Reference: *10.m Control of Technical Vulnerabilities
  – Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.
  – Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.
QUESTIONS?
Visit www.HITRUSTAlliance.net for more information. To view our latest documents, visit the Content Spotlight.