Lessons Learned from Investigating Disruptive Data Breaches · #RSAC SESSION ID: Vivek Chudgar....
#RSAC
SESSION ID: FLE-F01
Lessons Learned from Investigating Disruptive Data Breaches
Vivek Chudgar, Senior Director, Mandiant, @VChudgar
Bart Inglot, Principal Consultant, Mandiant, @BartInglot
Agenda
Perception of Destructive Breaches
War Stories: Destructive North Korea, Troubles in the Persian Gulf, Russia vs Ukraine, False Flag Attack
Lessons Learned
Myth-Busting
“IT’S FASCINATING, BUT IT DOESN’T CONCERN ME”
Myth-Busting “Breaches Don’t Happen in All Verticals”
(Chart: Total Industries Investigated)
Myth-Busting “Breaches Don’t Happen in Asia Pacific”
Myth-Busting “No Disruptive Breaches in Asia Pacific”
• Ransomware attacks wreak havoc on IT systems around the world
• Notably WannaCry (May 2017) and NotPetya (June 2017)
• Very creative – worm, reuse of cached credentials, WMI and PsExec, bootkit, supply chain attack, etc.
• Was it targeted?
Image by bleepstatic.com
Myth-Busting “Formatting infected systems does the job”
(Diagram: phishing campaigns leading to compromised hosts on the corporate network)
Myth-Busting “Formatting infected systems does the job”
(Diagram: phishing campaigns, the known compromised hosts, and an unknown number of further accessed hosts on the corporate network)
Myth-Busting “Formatting infected systems does the job”
• The statistics before (B) and after (A) the enterprise-wide investigation:

| Metric | Before | After |
|---|---|---|
| Unique Malware | 5 | 229 |
| Stolen Passwords | 0 | 51 |
| Infected Systems | 3 | 154 |
| Attacker CnC | 12 | 98 |
Myth-Busting “Formatting infected systems does the job”
• The attackers were present in the environment for 7 years
• Multiple attacker groups with possibly different missions
• The initial infection vector was unknown, gigabytes left the network
• Public and custom tools:
  • Backdoors: ZXShell, Gh0stRAT, Metasploit, Zegost, GRILLMARK, etc.
  • Web shells: China Chopper, JspSpy, jFolder, etc.
  • Key loggers, email miners, credential dumpers, tunnelers, etc.
• Compromised VPN credentials
Myth-Busting “Formatting infected systems does the job”
• Unable to perform routine work for a few months
• Several planned IT and transformational projects put on hold
• Service impact – e.g. MSSP’s access was restricted
• Overall, disruptions to “the Business as Usual”
Disruptive Data Breaches
DESTRUCTION / EXTORTION / RANSOM / PWNAGE
Destructive
North Korea Background
• Students chosen from top universities in DPRK
  • Well paid in US dollars, free access to the Internet, and have the opportunity to travel outside of DPRK
• Known for causing disruptive attacks
  • DDoS, website defacement, Master Boot Record (MBR) wiping, and publishing stolen data
• Attacks against victims are targeted and deliberate
  • Major attacks against organizations in Asia and North America
  • Ongoing attacks against South Korean media and financial services organizations since 2009
North Korea Destructive Operations
• Multiple variants of malware designed to wipe Windows systems
• Malware was manually deployed by the attackers, but designed to automatically spread
• Malware operated differently depending on the type of system:
  1. Workstation – stopped antivirus and wrote a custom MBR to the disk
  2. Server – disabled Terminal Services
  3. Mail Server – stopped the mail service and disabled Terminal Services
  4. Domain Controllers – disabled Terminal Services and executed the wiper code after a period of time to allow the malware to continue spreading
North Korea Destructive Operations (continued)
• Created script to wipe virtual machines on ESX servers
• The company’s backups were also erased
```
find / -type f -name “*.*” | grep -v “disks” | grep -v “\/dev” | awk‘{print “ls -l \”” $0 “\”” }’ |sh | awk ‘{if ($5>524288000) print “ddif=/dev/zero of=\”” $9 “\” bs=512k count=400 seek=400conv=notrunc,noerror > /dev/null 2>&1 &”}’ | sh
sleep 1 rm -r -f /boot/* & rm -r -f /vmfs/* & rm -r -f /* & rm -f /bin/* /sbin/* &exit
```
North Korea Lessons learned
• The level of access obtained by DPRK threat actors is no different than what’s obtained by China and Russia-based threat actors
• DPRK motivations are very different
• Ensure the backup environment is segmented from the corporate network
Troubles in the Persian Gulf: More MBR Wiping Malware
Image by naukriingulf.com
Shamoon Background
• 2012 – Widely publicised attack on Oil & Gas company in Middle East
• Designed to corrupt files and overwrite the MBR
• Nov 2016 – Recent resurgence targeting Gulf Cooperation Council (GCC) states
• Jan 2017 – Another wave of Shamoon attacks in GCC States
Shamoon November 2016
• The identified malware exhibits destructive behavior on Windows based operating systems
• The malware still uses a signed RawDisk driver from EldoS
| File Name | Path | PE Compile Time | MD5 | File Size (bytes) |
|---|---|---|---|---|
| ntssrvr64.exe | %SYSTEMROOT%\System32 | 2009-02-15 12:32:19 | 8fbe990c2d493f58a2afa2b746e49c86 | 717,312 |
| ntssrvr32.exe | %SYSTEMROOT%\System32 | N/A | N/A | 1,349,632 |
| ntssrvr32.bat | %SYSTEMROOT%\System32 | N/A | 10de241bb7028788a8f278e27a4e335f | 160 |
| gpget.exe | %SYSTEMROOT%\System32 | 2009-02-15 12:30:41 | c843046e54b755ec63ccb09d0a689674 | 327,680 |
| drdisk.sys | %SYSTEMROOT%\System32 | 2011-12-28 16:51:29 | 76c643ab29d497317085e5db8c799960 | 31,632 |
| key8854321.pub | %SYSTEMROOT%\System32 | N/A | b5d2a4d8ba015f3e89ade820c5840639 | 782 |
| netinit.exe | %SYSTEMROOT%\System32 | N/A | b9bc61194bfb520c551817904a945840 | 183,808 |
| netimm173.pnf | %SYSTEMROOT%\INF | N/A | 93b885adfe0da089cdf634904fd59f71 | Varies |
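The table is directly usable as a host-level sweep. The Python below is an added example (not from the deck and not Mandiant tooling) that matches a host file inventory against those rows. The indicator values are copied from the slide; the sample inventory, the three confidence tiers, and the names `match_iocs`, `inventory_from_dir`, `FileRecord` and the `systemroot` parameter are this example's own constructions.

```python
"""Match a host file inventory against the Shamoon (November 2016) file indicators
from the slide above.

Added example, not part of the RSAC deck and not Mandiant tooling. The indicator
rows are copied from the slide (N/A and "Varies" become None); the host
inventory is constructed sample data, and the three confidence tiers are this
example's own convention.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Indicator:
    name: str
    path: str             # directory as written on the slide, %SYSTEMROOT% included
    md5: Optional[str]    # None where the slide says N/A
    size: Optional[int]   # bytes; None where the slide says "Varies"


SHAMOON_2016 = [
    Indicator("ntssrvr64.exe", r"%SYSTEMROOT%\System32", "8fbe990c2d493f58a2afa2b746e49c86", 717312),
    Indicator("ntssrvr32.exe", r"%SYSTEMROOT%\System32", None, 1349632),
    Indicator("ntssrvr32.bat", r"%SYSTEMROOT%\System32", "10de241bb7028788a8f278e27a4e335f", 160),
    Indicator("gpget.exe", r"%SYSTEMROOT%\System32", "c843046e54b755ec63ccb09d0a689674", 327680),
    Indicator("drdisk.sys", r"%SYSTEMROOT%\System32", "76c643ab29d497317085e5db8c799960", 31632),
    Indicator("key8854321.pub", r"%SYSTEMROOT%\System32", "b5d2a4d8ba015f3e89ade820c5840639", 782),
    Indicator("netinit.exe", r"%SYSTEMROOT%\System32", "b9bc61194bfb520c551817904a945840", 183808),
    Indicator("netimm173.pnf", r"%SYSTEMROOT%\INF", "93b885adfe0da089cdf634904fd59f71", None),
]


@dataclass(frozen=True)
class FileRecord:
    path: str   # full path as reported by the host or an EDR export
    md5: str
    size: int


def _norm_dir(directory: str, systemroot: str) -> str:
    """Expand %SYSTEMROOT% and lower-case so slide paths and host paths compare equal."""
    return directory.replace("%SYSTEMROOT%", systemroot).rstrip("\\").lower()


def match_iocs(inventory: Iterable[FileRecord], indicators=SHAMOON_2016,
               systemroot: str = r"C:\Windows") -> List[Tuple[str, str, str]]:
    """Return (host_path, indicator_name, confidence) for each record that matches.

    high   - MD5 matches a hash on the slide, wherever the file sits
    medium - the slide has no hash for this name, but name, directory and size all agree
    low    - name and directory agree only (hash or size differs): still worth a look,
             since the attacker may have rebuilt the binary
    """
    by_md5 = {i.md5: i for i in indicators if i.md5}
    hits = []
    for rec in inventory:
        directory, _, name = rec.path.rpartition("\\")
        ind = by_md5.get(rec.md5.lower())
        if ind is not None:
            hits.append((rec.path, ind.name, "high"))
            continue
        for ind in indicators:
            if name.lower() != ind.name.lower():
                continue
            if _norm_dir(directory, systemroot) != _norm_dir(ind.path, systemroot):
                continue
            tier = "medium" if ind.md5 is None and ind.size == rec.size else "low"
            hits.append((rec.path, ind.name, tier))
    return hits


def inventory_from_dir(root: str) -> List[FileRecord]:
    """Hash every file under root, e.g. a mounted disk image; pass that image's
    Windows directory as systemroot to match_iocs so directory checks line up."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            h = hashlib.md5()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            records.append(FileRecord(full.replace("/", "\\"), h.hexdigest(), os.path.getsize(full)))
    return records


# Constructed sample export: a hash hit in place, a hash-less name in place, a
# benign system file, a hash hit in an unexpected location, and a same-named
# file whose hash differs from the slide.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Windows\System32\ntssrvr64.exe", "8fbe990c2d493f58a2afa2b746e49c86", 717312),
    FileRecord(r"C:\Windows\System32\ntssrvr32.exe", "0123456789abcdef0123456789abcdef", 1349632),
    FileRecord(r"C:\Windows\System32\kernel32.dll", "00000000000000000000000000000001", 720896),
    FileRecord(r"C:\Users\alice\Downloads\netimm173.pnf", "93B885ADFE0DA089CDF634904FD59F71", 4096),
    FileRecord(r"C:\Windows\System32\gpget.exe", "ffffffffffffffffffffffffffffffff", 327680),
]

if __name__ == "__main__":
    for path, ioc, tier in match_iocs(SAMPLE_INVENTORY):
        print(f"[{tier:6}] {path}  matches {ioc}")
```

The hash tier deliberately ignores location, because a renamed or relocated dropper keeps its hash; the name-based tiers exist for the one row the slide gives no hash for and for rebuilt binaries that keep the original file name.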
Shamoon Lessons Learned
• Old tricks can work even years later – the RawDisk driver
• Do not upload to VirusTotal if you suspect a targeted attack
  • Hard-coded credentials
  • Information specific to your business
  • Tips off the attackers
Russia vs Ukraine: The Sandworm Team and War
Sandworm Team Background
• Destructive malware impacting Ukrainian Financial Sector (Dec 2016)
• Spearphishing lures w/ a Ministry of Finance theme
• The lure documents were similar to those of prior campaigns that targeted Boryspil Airport, the Ukrainian media, and the disrupted Ukrainian utilities.
Sandworm Team Destructive Operations
• At least one document was previously used as a Sandworm Team lure.
  • Filename: Додаток №2.xls
  • MD5: b75c869561e014f4d384773427c879a6
Sandworm Team Destructive Operations (continued)
• The campaign from Dec 2016 leveraged the STRAYKEY backdoor
• STRAYKEY uses the Telegram API for CnC
• Capabilities:
  • Running remote commands
  • Uploading and exfiltrating files
  • Downloading additional files
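A backdoor that talks to a public messaging API hides in traffic most proxies allow, but the Bot API has a recognisable URL shape. The Python below is an added example (not from the deck, and not a description of STRAYKEY's own protocol) that flags Telegram Bot API requests in web-proxy logs. It assumes a constructed "timestamp client_ip method url" log layout, relies on the fact that Bot API calls go to https://api.telegram.org/bot<token>/<method> while the interactive Telegram client does not use that path, and uses a made-up token; `find_bot_api_clients` and `METHOD_HINT` are names introduced here.

```python
"""Flag Telegram Bot API requests in web-proxy logs, the channel the slide says
STRAYKEY used for CnC.

Added example, not from the RSAC deck; it does not reproduce STRAYKEY's own
protocol. Assumptions: the proxy log is "timestamp client_ip method url" per
line (constructed below), and the Bot API URL shape
https://api.telegram.org/bot<token>/<method> is a usable signal because the
interactive Telegram client does not call it, so in an enterprise that runs no
Telegram bots any such request warrants a look. The token below is made up.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict

BOT_API = re.compile(
    r"^https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/(?P<method>[A-Za-z]+)", re.IGNORECASE)

# Bot API methods mapped onto the capabilities listed on the slide (this example's reading).
METHOD_HINT = {
    "getupdates": "polling for operator commands",
    "sendmessage": "returning command output",
    "senddocument": "uploading/exfiltrating a file",
    "getfile": "downloading an additional file",
}

# Constructed proxy log: one host polls getUpdates once a minute, then uploads a file;
# the other hosts use the web client or unrelated sites.
SAMPLE_PROXY_LOG = [
    "2016-12-06T09:00:00Z 10.1.1.23 POST https://api.telegram.org/bot123456789:AAEXAMPLEtokenNotReal/getUpdates",
    "2016-12-06T09:00:30Z 10.1.1.40 GET https://web.telegram.org/",
    "2016-12-06T09:01:00Z 10.1.1.23 POST https://api.telegram.org/bot123456789:AAEXAMPLEtokenNotReal/getUpdates",
    "2016-12-06T09:01:15Z 10.1.1.50 GET https://www.example.com/index.html",
    "2016-12-06T09:02:00Z 10.1.1.23 POST https://api.telegram.org/bot123456789:AAEXAMPLEtokenNotReal/getUpdates",
    "2016-12-06T09:03:00Z 10.1.1.23 POST https://api.telegram.org/bot123456789:AAEXAMPLEtokenNotReal/getUpdates",
    "2016-12-06T09:03:05Z 10.1.1.23 POST https://api.telegram.org/bot123456789:AAEXAMPLEtokenNotReal/sendDocument",
]


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client_ip, url)."""
    ts, client, _method, url = line.split(" ", 3)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), client, url


def find_bot_api_clients(lines) -> Dict[str, Dict]:
    """Per client IP that touched the Bot API: methods seen, the capability they
    suggest, request count, and the median gap between requests, which for a
    polling backdoor comes out as a steady interval."""
    seen = defaultdict(lambda: {"methods": set(), "times": []})
    for line in lines:
        ts, client, url = parse_line(line)
        m = BOT_API.match(url)
        if m is None:
            continue
        seen[client]["methods"].add(m.group("method").lower())
        seen[client]["times"].append(ts)

    report = {}
    for client, d in seen.items():
        times = sorted(d["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[client] = {
            "methods": sorted(d["methods"]),
            "hints": sorted({METHOD_HINT.get(x, "other Bot API call") for x in d["methods"]}),
            "requests": len(times),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for client, info in find_bot_api_clients(SAMPLE_PROXY_LOG).items():
        print(client, info)
```

The median gap is a cheap beaconing hint: a steady polling interval from a workstation stands out even when each individual request looks like ordinary HTTPS to a well-known service.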
Sandworm Team Destructive Operations (continued)
• Deployed WHITEROSE – destructive malware, a variant of “KillDisk”
• Ukrainian Government financial agencies affected
• Mr. Robot themed
• Two samples recovered:
  • ffb1e8babaecc4a8cb3d763412294469
  • b75c869561e014f4d384773427c879a6
False Flag Attack: Extortion by the Fake Tesla Team
Image by studyabroad.com
Fake Tesla Team Background
• Relatively unsophisticated threat, but very disruptive and destructive
• Compromised multiple natural resources and casino organizations in Canada
• Earliest known hacking activity dates back to 2013
Fake Tesla Team Background
• Stole several gigabytes of sensitive data and published it on the Internet (The Pirate Bay, Pastebin.com, Photobucket.com, Justpaste.it, and others)
• Created scheduled tasks to destroy production systems across the enterprise
• Victims endured system outages for multiple days as they recovered data from backups
• Extorted victims to pay ransoms between $50K and $500K (BTC)
Fake Tesla Team False Flags
• The real Tesla Team is believed to be a Serbian hacking group known for DDoS and defacement
• They are unlikely to be targeting Canadian organizations
• The threat actor previously claimed to be a Russian hacking group – “Angels of Truth”
• Likely use of Google Translate to write in Russian
• Claimed to be both “Anonymous Threat Agent” and “Tesla Team” with one victim
Fake Tesla Team Tools, Tactics, Procedures (TTPs)
• Leveraged publicly available tools like Metasploit and SplinterRAT
• PowerShell used to load simple stagers that connect to CnC
• Custom malware has not been observed
• Multi-year campaigns – observed in one environment for nearly 1.5 years
• Leveraged single factor VPN solutions for remote access
Fake Tesla Team Tools, Tactics, Procedures (TTPs) (continued)
• Backdoors and VPN solution accessed over TOR or compromised IPs
• Known to engage journalists to advertise certain breaches
• Simple, yet effective technique to wipe systems:
```
mkdir "C:\emptydir"robocopy "C:\emptydir" "C:\windows\system32" /MIR | shutdown /s /t 1800
```
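Because the wipe uses only built-in Windows tools, file-based antivirus has nothing to catch; the observable is the command line itself. The Python below is an added example (not from the deck, not a Mandiant rule) that looks for the one-liner above, and for the same payload staged in a scheduled task as the slide on page 29 describes, in process-creation telemetry. The "timestamp|host|user|command line" layout, the `CRITICAL_DIRS` list, the finding wording and the names `analyze_command` and `scan_log` are this example's own constructions.

```python
"""Detect the robocopy-based wipe shown above in process-creation telemetry.

Added example, not from the RSAC deck. The log lines are constructed to look
like a simplified process-creation export (timestamp|host|user|command line);
that layout, the CRITICAL_DIRS list and the wording of the findings are this
example's assumptions, not a vendor format or a Mandiant rule.
"""
import re
from typing import Dict, List, Optional

# Directories that robocopy /MIR (or /PURGE) from an empty source would empty out.
CRITICAL_DIRS = (r"\windows\system32", r"\windows\syswow64", r"\windows",
                 r"\program files", r"\program files (x86)", r"\programdata")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_SEPARATORS = {"&", "&&", "|", "||"}


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted strings whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def split_compound(cmdline: str) -> List[List[str]]:
    """Break a cmd.exe compound line into simple commands at &, &&, | and ||.
    Separators glued to a token (a&b) are not handled."""
    commands, current = [], []
    for tok in tokenize(cmdline):
        if tok in _SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def _opt_value(argv: List[str], opt: str) -> Optional[str]:
    """Value following a case-insensitive option token such as /t or /tr."""
    for i, a in enumerate(argv[:-1]):
        if a.lower() == opt:
            return argv[i + 1]
    return None


def analyze_command(cmdline: str) -> List[str]:
    """Findings for one command line; an empty list means nothing matched."""
    findings = []
    for argv in split_compound(cmdline):
        exe = argv[0].lower().rsplit("\\", 1)[-1]
        if exe.endswith(".exe"):
            exe = exe[:-4]
        flags = [a.lower() for a in argv[1:] if a.startswith("/")]
        positional = [a for a in argv[1:] if not a.startswith("/")]

        if exe == "robocopy" and ("/mir" in flags or "/purge" in flags) and len(positional) >= 2:
            dest = positional[1].lower().rstrip("\\") + "\\"
            if any(c + "\\" in dest for c in CRITICAL_DIRS):
                findings.append(f"robocopy mirror/purge into critical directory {positional[1]}")
        elif exe == "shutdown" and ("/s" in flags or "/r" in flags):
            findings.append(f"shutdown scheduled in {_opt_value(argv, '/t') or '0'}s")
        elif exe == "schtasks" and "/create" in flags:
            # The actor staged destruction in scheduled tasks: inspect the /tr payload too.
            task_cmd = _opt_value(argv, "/tr")
            for f in analyze_command(task_cmd or ""):
                findings.append(f"scheduled task {_opt_value(argv, '/tn')!r} runs: {f}")
    return findings


def scan_log(lines) -> List[Dict]:
    """Run analyze_command over every log line and keep the ones with findings."""
    alerts = []
    for line in lines:
        ts, host, user, cmd = line.split("|", 3)
        findings = analyze_command(cmd)
        if findings:
            alerts.append({"time": ts, "host": host, "user": user, "findings": findings})
    return alerts


# Constructed telemetry: a legitimate share mirror, the slide's wipe one-liner,
# the same payload staged as a scheduled task, and ordinary user activity.
SAMPLE_LOG = [
    r'2017-03-01T02:14:05Z|FS01|CORP\svc_backup|robocopy "D:\Shares" "\\backup01\shares" /MIR /R:1',
    r'2017-03-01T02:15:11Z|FS01|CORP\admin7|mkdir "C:\emptydir" & robocopy "C:\emptydir" "C:\windows\system32" /MIR | shutdown /s /t 1800',
    r'2017-03-01T02:16:40Z|WEB02|CORP\admin7|schtasks /create /tn "Cleanup" /sc once /st 03:00 /tr "robocopy C:\emptydir C:\Windows\System32 /MIR"',
    r'2017-03-01T02:17:02Z|WS115|CORP\bob|notepad.exe C:\Users\bob\notes.txt',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["time"], alert["host"], alert["user"])
        for f in alert["findings"]:
            print("   ", f)
```

The first sample line shows why the rule keys on the destination rather than on `/MIR` alone: mirroring a share to a backup host is routine administration, while mirroring anything into the Windows directory is not. The scheduled-task branch matters because the command that does the damage may never appear as an interactive process on the host that created the task.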
Fake Tesla Team Lessons Learned
• If you don’t pay, your data will likely be dumped
• They exaggerate their technical skills and ability to access environments
• Partial payments may be able to buy time
Understand that paying the extortion may be the right option in some scenarios, but there are no guarantees the attackers won’t come back for more money or simply leak the data anyway.
Lessons Learned
Responding to disruptive breaches is challenging, and not easy to plan for given the dynamic nature of these attacks and the attackers.
Image by fourseasons.com
Apply - Lessons Learned (1)
1. Engage experts before a breach (forensic, legal, public relations)
2. Confirm there actually is a breach
3. Establish if you are dealing with a human adversary
4. Remember that timing is critical
5. Keep focused on the incident
6. Consider all options when asked to pay ransom/extortion
7. Think of the ways your network could be accessed
Apply - Lessons Learned (2)
8. Ensure strong segmentation and control over backups
Schrödinger’s Backup
The condition of any backup is unknown until a restore is attempted
Image by fatcat.ninja
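Lesson 8 and the Schrödinger's Backup line go together: segmentation keeps the backups from being erased along with production (as on the ESX slide), and only a restore test proves they are worth keeping. The Python below is an added example (not from the deck and not Mandiant tooling) of a restore test against an out-of-band SHA-256 manifest. It assumes tar.gz backups, that the manifest is stored on a system neither production nor the backup host can write to, and builds its sample data in a temporary directory; `create_backup`, `restore_and_verify` and `demo` are names introduced here.

```python
"""Restore-test a backup against an out-of-band SHA-256 manifest, so the state
of the backup is known before the day it is needed.

Added example, not part of the RSAC deck or any Mandiant tooling. Assumptions:
backups are tar.gz archives, and the manifest lives on a system segmented from
both production and the backup target, so an intruder who erases the backups
(as on the ESX slide) cannot also rewrite the record of what they should
contain. The data set is constructed in a temporary directory.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Iterator


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> Dict[str, str]:
    """Write src to a tar.gz and return the manifest taken from the live files
    at that moment; store that manifest somewhere the backup host cannot write."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return build_manifest(src)


def _safe_members(tar: tarfile.TarFile) -> Iterator[tarfile.TarInfo]:
    """Refuse members that could escape the scratch directory: absolute paths,
    '..' components, or links. A tampered archive must not write outside it."""
    for m in tar.getmembers():
        parts = Path(m.name).parts
        if Path(m.name).is_absolute() or ".." in parts or m.issym() or m.islnk():
            raise ValueError(f"unsafe archive member: {m.name}")
        yield m


def restore_and_verify(archive: Path, manifest: Dict[str, str], scratch: Path) -> Dict:
    """Extract the archive into scratch and diff the result against the manifest."""
    scratch.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(scratch, members=list(_safe_members(tar)))
    restored = build_manifest(scratch)
    both = manifest.keys() & restored.keys()
    report = {
        "missing": sorted(manifest.keys() - restored.keys()),
        "unexpected": sorted(restored.keys() - manifest.keys()),
        "corrupt": sorted(k for k in both if manifest[k] != restored[k]),
    }
    report["ok"] = not (report["missing"] or report["unexpected"] or report["corrupt"])
    return report


def demo() -> Dict[str, Dict]:
    """Back up a constructed data set and verify it, then verify a later backup
    taken after one file was silently truncated and another deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "prod"
        (src / "db").mkdir(parents=True)
        (src / "config.ini").write_bytes(b"[app]\nmode=prod\n")
        (src / "db" / "orders.csv").write_bytes(b"id,total\n1,99.50\n2,12.00\n")
        (src / "db" / "customers.csv").write_bytes(b"id,name\n1,Alice\n")

        manifest = create_backup(src, base / "good.tar.gz")
        good = restore_and_verify(base / "good.tar.gz", manifest, base / "restore_good")

        # Damage that a backup job would copy faithfully and nobody would notice
        # until restore day: one file truncated, one gone.
        (src / "db" / "orders.csv").write_bytes(b"id,total\n1,99.50\n")
        (src / "db" / "customers.csv").unlink()
        with tarfile.open(base / "bad.tar.gz", "w:gz") as tar:
            tar.add(src, arcname=".")
        bad = restore_and_verify(base / "bad.tar.gz", manifest, base / "restore_bad")
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, "OK" if report["ok"] else "FAILED", report)
```

Keeping the manifest off both the production and backup hosts is the point: a comparison against a manifest that sits next to the archive proves only that the archive matches itself, and an intruder with the access described on the ESX slide can rewrite both.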
Apply - Lessons Learned (3)
9. After the incident has been handled, immediately focus on broader security improvements
10. If you kick them out, they will return
For additional information, see Mandiant M-Trends 2017 Report:
https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html