Upcoming AISA Sydney events (Speaker/Topic – Date/Time – Venue)

• Ajay Unni, CEO @ Stickman; Patrick Fair, partner at Baker & McKenzie – Wed 15 Feb 5:15pm – TBA
• Kayne Naughton, Managing Director @ Cosive; Leon Manson, lead security architect @ Unisys – Mon 13 Mar 5:15pm – TBA
• Murray Goldschmidt @ Sense of Security – DevSecOps – Tue 11 Apr 7:30am – TBA

*note: Dates and times subject to change; please visit the website for the latest information

Corporate Partners

News and special announcements
• Call for papers

Tim Wellsmore – Director Threat Intelligence and Consulting, Mandiant, a FireEye Company


Agenda
• Dyn DDoS
• SWIFT attacks
• ATM Compromises
• Insider Threat
• Targeting of Australian banks 2016
• Mule Accounts (inc. view on Aust. banks)
• Wrap up from the region


DDoS: October 21, 2016 – Dyn vs Mirai


Timeline
• Oct. 21 at 7:10 a.m. EST
  – Dyn Managed DNS Infrastructure
  – Resolved as of 9:20 a.m. EST
  – Users impacted on the East Coast of the U.S.
• Oct 21 at 11:52 a.m. EST
  – Dyn Managed DNS Infrastructure and advanced services
  – Users in Europe and the West Coast and East Coast of the U.S. were all impacted
• 3rd attack – Dyn confirmed attack, but unknown time
  – This attack was successfully mitigated and had no customer impact


Background: Mirai
• Mirai: Internet of Things (IoT) based botnet that is a variant of Gafgyt, the multi-architecture Linux DDoS bot
  – (aka Remaiten)
• Used in the September 2016 attacks against
  – KrebsOnSecurity.com
  – French hosting provider OVH
  – Blizzard
• Mirai source was released on Sept. 29, 2016, by Anna Senpai
• Reported Mirai used against Liberia in Nov 2016
• FireEye-iSight won't confirm Mirai was the only botnet used against Dyn
• Mirai flourished due to improved credential list capabilities over predecessors – e.g. Gafgyt in July 2016 held 20 passwords; Mirai in October 2016 held 60.
• 1,000,000 devices estimated to be infected by Mirai


Dyn Attribution
• New World Hackers – claimed "Just having a little fun. Annual power test! #NwHackers."
  – We assess with moderate confidence that New World Hackers is not involved in this attack.
  – Moderately technically sophisticated group
  – Active in #OpNimr in Sept 2016
  – Regular users of for-hire DDoS service BangStresser
  – Falsely claimed attacks against HSBC UK and BBC
  – NWH is motivated by anti-ISIS, anti-establishment and anti-violence ideologies and notoriety; but some financial motivation
  – Started with Indian hacker group Hell Shield Hackers until they went solo
  – But, some members are showing financial motivations
• New World Hackers claimed to be using a "supercomputer botnet" and that their attack was "actually against Russia." Not consistent with the Dyn DNS attack


IoT… DDoS… Can’t be all that bad?
• IoT is either the hero or the villain – depending on which helps the speaker
• In our world, IoT is not new
• DDoS threats continue to evolve – appears to be the new norm
• Misattribution of DDoS effects
  – FireEye-iSight could find no link between heating outages in 2 apartment buildings in Finland and DDoS
  – Australian census…. Um... Well... (#censusfail)
• DDoS mitigation strategies available in market (except for Krebs….)
• Size and scale is becoming concerning
  – OVH reported multiple simultaneous DDoS attacks, each exceeding 100 gigabits per second.
  – OVH founder Octave Klaba claimed total simultaneous traffic often exceeded 1 terabit per second (Tbps) and sometimes even 1.5 Tbps.
  – The attack on KrebsOnSecurity.com saw approximately 620 Gbps of traffic – the largest DDoS attack ever seen by Akamai.
  – This volume of data against this many victims is without precedent.
  – Krebs is in the market if anyone is interested in a non-paying global DDoS target


Rise in IoT botnet DDoS attack methodology in 2016
• In 2016, significant rise in volume and severity (strength) of DDoS attacks from IoT botnets:
  – February to August, Blizzard targeted by Lizard Squad and Poodlecorp
  – September, security researcher Krebs – attributed to vDOS (600 Gbps at peak)
  – September and October, OVH and Dyn (1 Tbps at peak)
    – Resulted in outages to Twitter, Amazon, Netflix, and GitHub users on the east coast of the US
  – November, Singaporean ISP StarHub affected (currently unattributed)


Bank Intrusions facilitated through SWIFT: ASIA


Background: SWIFT
• Primary international financial transaction messaging system
• While SWIFT is the messaging system – the underlying bank settlement exchanges are the real target
• Cybercrime market demand for SWIFT is for:
  – Actors providing or seeking access to accounts to monetize or launder funds
  – Actors providing or seeking outright ownership of accounts to monetize or launder funds
  – Actors who want to breach or otherwise exploit SWIFT-connected systems directly
• How are the recent large intrusions different from usual SWIFT illicit activity?
  » Large-scale heists vs. constant, dispersed thefts
  » Perceived threat to integrity of the financial system
  » Sophisticated capabilities required


Summary: Known and Unknown Cases


• FireEye observes multiple Asian financials to be impacted by related SWIFT fraud attempts, 2014-2016
• Public reports of attempted SWIFT fraud
  – Bangladesh Bank
  – Vietnam's Tien Phong Bank
• Potential for undetected incidents given malware aspects, incident characteristics
• Compromises of banks are more common than the community thinks

Network Compromise Tactics
– Backdoors (NESTEGG) and stolen credentials used for access
– SWIFT release stated “…malicious insiders or external attackers...”
– Original source of compromise unidentified; multiple sources possible
– Record manipulation malware deployed to wipe SWIFT records (DYEPACK or malware with very similar characteristics)
– Reported deficiencies in victim environment – lateral movement relatively simple


SWIFT wiping tool
– Used DYEPACK suite: designed to intercept and modify local SWIFT records at the customer-managed interface level through modification of the local Oracle database, to hide evidence of fraudulent messages
– Customized for the victim environment to enable success, including cover-up of transfers
– In the Vietnam compromise, malware very similar to DYEPACK had 8 BIC codes hard coded, which enabled transfers into the bank to be wiped; one of the codes was ANZ


Attribution: North Korean Espionage Operators
• FireEye assesses the Asian financial institution compromises are linked to North Korean actors, better known for their role in cyber espionage activity.
  – NESTEGG malware
  – MACKTRUCK/PEACHPIT malware
  – DYEPACK/SWIFT wipe malware (identical code)
  – Multiple code similarities to previously observed tools used in espionage and destructive attacks
  – Only uncertainty is if the tools were used by others – but the use of these tools is rare


Bank Intrusions facilitated through SWIFT: Eastern Europe


Summary
– At least 4 Ukraine organizations targeted no later than November 2015
– FireEye does not attribute this activity to any group or previously detected activity
– Tools and tactics:
  – Networks compromised via spear phishing
  – GOLDMINE custom tool used to steal SWIFT-related data
  – Cobalt Strike, Mimikatz, i.e. open-source/general-purpose tools, used for lateral movement and remote access
  – Some we had not seen before
– Most threats mitigated – but one was successful


Goldmine
• Each variant parses custom directories for custom strings
• Identified data copied to configured output folder
• Data exfiltrated using other capabilities
• Customised for each environment
• Purpose is to copy SWIFT-related data, but exact benefits unclear
  – Directory structures match SWIFT software
  – Strings include IBAN numbers
  – Leveraged in context of intrusions
  – Not designed to remove/cover up transactions – no wiping
  – Could be the same actors using completely different tactics – unlikely


No identified link to Asia Compromise Actors
• Multiple significant tactical differences
• But still same mission focus

Summary
• Diverse criminals have persistent interest in access to SWIFT-enabled accounts
  – Monetizing and laundering funds is a fundamental requirement of illicit activity
• Cybercrime marketplace demand continues
• Media coverage of the compromises drives the conversation, and demand
• Financially motivated cyber threat activity will not stop
• Security around the institutions who perform financial transactions as a core business will continue to be critical


Examples of recent marketplace actor interest in SWIFT capabilities


ATM Compromises: An Increasing Trend


ATM Compromise Trends 2016
Skyrocketing ATM activity
• Europol Deputy Director Operations – “major increase”
• NCR – issued multiple alerts
• Jan 2016, Romania – 8 people arrested for infecting NCR-made ATMs with Padpin malware
• July 2016, Taiwan – 8 banks suspend 900 ATMs following theft of $2.2m USD
• August 2016, Belarus – 110 ATMs across 16 cities suspended, following a scheme similar to Taiwan
• August 2016, Prague – 3 Russians arrested, $73,500 USD (responsible for Slovakia, Germany, Poland)

ATM Compromise Trends 2016
Numerous high-profile incidents that stole money or consumer data from ATMs:
• August 2016, Thailand – 3330 ATMs closed due to $355k USD theft
• October 2016, India – millions of debit cards cancelled following compromise via Hitachi Payment Systems (third party)
• November 2016 – FireEye iSIGHT noted, on a Russian-speaking forum, actors seeking access to ATMs or ATM networks


ATM Compromise Characteristics: Taiwan and Thailand
Multiple ATM compromises indicate we have progressed to the ‘next level’ compared to compromises of individual ATMs
– Malware was introduced into Thailand and Taiwan ATM networks weeks or months before activation
– 41 ATMs in Taiwan (Wincor/Nixdorf)
– 21 ATMs in Thailand (NCR)
– Perpetrators fled Taiwan immediately following the heist; $83 million stolen, nearly all recovered
– Organised crime group involved in the Thailand heist, with at least one Russian member who escaped the country before a warrant was issued for arrest; $355,000 USD stolen


ATM Compromise Characteristics: Taiwan and Thailand
• Details are too scarce to look at attributing this activity to a similar group
• Early introduction of malware to the network is sophisticated
• Have detected a new ATM malware sample, RIPPER, since the incident in Thailand
• Thai officials have expressed belief in a link to the events in Taiwan – "as of now the evidence we have found makes us confident that this group is linked to the gang who committed a similar robbery in Taiwan."
• FireEye iSIGHT has monitored threat actors seeking partners to exploit and target NCR, Diebold, and Wincor ATM brands over the past 18 months


Insider Threat


Recent collection: Trusted Insider Threats
• In November 2016, FireEye iSIGHT observed an English-speaking threat actor seeking to leverage trusted insiders within several of the largest UK banks
  – Actor sought a partner who had access to log data from compromised bank accounts to assist in monetising the trusted insider access
• Similar requests were observed in relation to Mexican, Brazilian and Russian banks throughout 2016
• Trusted insiders can be leveraged in several ways:
  – Facilitate effective money laundering
  – Receive or initiate fraudulent transactions that avoid fraud detection measures, using protected information
  – Facilitate theft of corporate or customer data for targeting of other campaigns


Targeting of Australian Banks 2016


Targeting of Australian Banks in 2016
Gozi/Ursnif targeting continues:
– August 2016 – Geo checking for non-North America (nor internet security companies!)
– September 2016 – Geo checking for OCEANIA
– Multiple groups – different distribution, campaign IDs
– Gozi lures were specifically targeted at banking executives, using recon data for authenticity
– Webinjects developed for all 4 major banks + UK major financials
– Recent injects hosted on a malicious URL co-opting the Australian Open
– Targeted several verticals – banking, telecommunications, HR, insurance, mining and government
Tinba continues:
– Webinjects developed for all 4 major banks + assorted subsidiaries, with multiple domains to sweep clientele


Marketplace offerings re: Australian Banks
Recent reporting indicates a suite of well-regarded threat actors active in various marketplaces offering several levels of service and costs:
– Medicare number and card as per Australian citizen details provided by client ($15 USD)
– Advice/guides on how to open an Australian bank account anonymously ($15 USD)
– Account information, including cards and SIM for activation, for a range of smaller Australian banks and credit unions ($190 USD)
– Bank account + debit card for one of the Top 4, activated SIM, ID (scans), associated email address, Windows 7 VHD with login set to VPN in Australia. VPN-enabled 3G or 4G Android phone for the SIM also available, with account details already pre-set. Debit card requires Australian drop address (physical). (Full package = $500 USD)


Mule Accounts - observations


Observations of mule networks 2012 - 2016
• Sophisticated mule networks offer numerous services:
  – Years of experience, including vetting of mules (background and criminal checks)
  – Quick turnaround times (24 - 48hrs) with 24/7 online support and visibility of transaction accounts
  – Ability to wash money through at least two (2) different accounts for efficient laundering
  – Availability of mules across continents for immediate use
  – Customised laundering options, including establishment of fake companies to open business accounts
  – Support tools and services such as software to manage mules and operations, and identification and hire of mules
  – Use Gumtree!

Observations of mule networks 2012 - 2016

• Networks charge between 40-60% of money laundered (2014), with services additional.
• Vendor makes 10% profit.
• Claims of guaranteed security and delivery are seen, but likely exaggerated


Observations of mule networks 2012 - 2016
• Japan hosts a significant proportion of Chinese-operated mule networks that help facilitate fraudulent activities in China, Vietnam and Asia
• They use a combination of social engineering and banking Trojans to capture credentials, then transfer proceeds to Japanese bank accounts controlled by Chinese mules


Around the grounds…..


Return of hacker ‘Cyberzeist’
• Cyberzeist was an Anonymous-affiliated member of hacker group UGNazi who ceased activity in 2012
• In October 2016, an actor claiming to be the original user of Cyberzeist re-surfaced. They claimed or threatened:
  – Defacement and disruption of US government elections
  – PII dump of a high-profile energy company
  – Defacement of a Barclays domain
  – Identified LFI vulnerabilities for sale for UK, US, Indian and Australian banks. Used Twitter to call out banks.
• Unknown whether the actor is the same RL individual; however, they are assessed as of low sophistication and unlikely to represent a credible threat.


Increase in targeting of Indian government by TEMP.Lapis
Increase in targeting of India and the Indian government:
• In the second half of 2016, Pakistan-based CE group TEMP.Lapis started targeting Indian defence/military personnel
• Move away from previous targets – European, US and Turkish entities
• Primarily uses SEEDOOR:
  – Credential harvest, key-logging, screenshots, audio/visual grabs, folder/driver enumeration, file system metadata, theft of emails and attachments from Outlook
• Coincided with a period of high conflict on the Line of Control, but no information to suggest a direct link
• November 2016 – unattributed targeting of Indian government using STILLSHOT


Threats against Japan 2016
– Menupass Team (APT 10) – likely China-based team conducting a sustained campaign against Japan and the US since 2009:
  • November 2016, used a defence-related lure against a large Japanese media organisation
  • June 2016, targeted Japanese researchers using modified Destroy RAT (aka SOGU)
  • Followed an operational lull at end-2015 – early 2016
– In November 2016, Fallout Team (South Korean nexus) targeted a Japanese nuclear energy research centre as part of overall targeting against critical verticals
– Japan-Korea Military Intelligence Sharing Pact assessed as being a medium risk for use within lures throughout December 2016


Russian hacktivist personas
• Throughout 2016, various hacktivist personas have been identified as false fronts for Russian state-sponsored actors to support Russian interests:
  – Bozkurt Hackers: in early 2016 leaked PII from numerous Asian and Arabic banks
  – DC Leaks: White House staffer’s personal emails re: US election (linked to Tsar Team)
  – Guccifer 2.0: leak of DNC documents
  – @pravsector: leaked data from Polish telco and MinDef (linked to Bozkurt Hackers)
  – @anpoland: defaced US Olympic and International Paralympic Committees, WADA
  – Fancy Bears' Hack Team: WADA leaks, claimed Anonymous affiliation (linked to Tsar Team)


THANK YOU

Tim Wellsmore [email protected] Australia: +61 417 243 554


Meeting sponsor


Nina Juliadotter – Principal Application Security Consultant at Westpac


http://prezi.com/ubshgglw4f6b


Thank you
Don’t forget to provide us with feedback on today’s event
