Ransomware Customer Presentation - securitysummit.it “Minacce in Italia...

Pages 1-4: (no text)

Ransomware Overview

• Take consumer and enterprise digital assets hostage using high-strength encryption

• Demand payment from victims for decryption key

• Use high pressure techniques to get victims to pay

  • Make data unrecoverable after a certain time

  • Threaten to post captured (potentially sensitive) data publicly

  • Threaten to erase all data and render all enterprise computers inoperable

  • Increase ransom payment amount as time goes on

Page 5:

• Extensive use of obfuscation to hide location/ownership of C2 servers, payment infrastructure

• Tor, Bitcoin commonly used

• Individual host ransoms range between $100s and $1000s (currently)

  • May increase likelihood of payment

  • May decrease involvement of law enforcement or takedown activities

Ransomware – Mechanics and money

Victim infrastructure:

1. Target infected by ransomware

2. Files Encrypted

3. Payment demand shown

4. Victim sends ransom payment

5. Decryption key promised upon receipt of funds

Page 6:

Ransomware Scope of impact

Individual Host/User – commodity malware

• Requires user/host attack (e.g. spam emails / drive-by downloads)

• Neutralizes local backup/restore capabilities

Organization-Wide – targeted attack

• Requires successful multi-stage attack

  • User/host/webserver attack

  • Privileged access compromise

• Neutralizes backup/restore capabilities

Page 7:

Single Stage Ransomware Attacks

[Diagram: Individual Host/User Impact; phases Plan, Enter; Key Attack Characteristics]

Page 8:

Organization-Wide Ransomware Attacks

[Diagram: Individual Host/User Impact, Enterprise Impact; phases Plan, Enter, Traverse, Encrypt; Command and Control]

Page 9:

[Diagram: phases Enter, Traverse, Encrypt; Credential Theft Demonstration, http://aka.ms/credtheftdemo; elements: DC, Client, Domain, Local, Attack Operator, DomainAdmin]

Page 10:

Ransomware in Italy

Page 11: (no text)

Page 12:

Percent of all malicious files by type:

Word 38.5%

JavaScript 30.6%

EXE 18.6%

Excel 5.1%

URL 2.1%

Other 5.2%

Page 13:

[Chart: Percent of all malicious files by type, January to June; series: Word, JavaScript, EXE, Excel, URL, Other; y-axis 0% to 100%]

Page 14:

Ransomware Mitigations

Page 15:

• Secure operational practices for IT admins (http://aka.ms/securestandards)

• Advanced Threat Detection and Response Processes

• Identify and protect high value assets

• Apply security updates on all operating systems and applications

• Upgrade OS and Apps when unsupported

• Evaluate data criticality and protections

• Remove users from local admins group

• Application whitelisting

http://aka.ms/ransomware

Note: Preventing future attacks will require addressing all of these issues in time

Pages 16-17: (no text)

Page 19:

Data backup in case of emergency

• Backups must include all critical business data

• Backups should be validated

• Offline backup, or

• Prevent delete/overwrite of online archives by your administrator accounts (which can be stolen by adversaries)

• Basic natural resistance to ransomware (subscription must also be secured appropriately)

Page 20:

Capability | Resources

Mail and Application Content Protections:

• Office 365 Exchange Online Advanced Threat Protection
  https://technet.microsoft.com/en-us/library/exchange-online-advanced-threat-protection-service-description.aspx

• Office 2016 Internet Macro Blocking
  https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/

• Office 2013 VBA Macro Blocking (blocks ALL macros)
  https://technet.microsoft.com/en-us/library/ee857085.aspx#changevba

• System Center Endpoint Protection / Windows Defender with Microsoft Active Protection Service (MAPS)
  https://blogs.technet.microsoft.com/mmpc/2015/01/14/maps-in-the-cloud-how-can-it-help-your-enterprise/

Securing Privileged Access:

• http://aka.ms/sparoadmap

Apply Security Updates:

• Windows Server Update Services - https://technet.microsoft.com/en-us/windowsserver/bb332157.aspx

• 3rd Party application update – <varies by vendor>

Backups:

• Offline or otherwise attacker-inaccessible backups

Application Whitelisting:

• AppLocker - https://github.com/iadgov/AppLocker-Guidance

• Windows 10 Device Guard - https://technet.microsoft.com/en-us/itpro/windows/whats-new/device-guard-overview

Application Reputation:

• SmartScreen - http://windows.microsoft.com/en-US/internet-explorer/use-smartscreen-filter#ie=ie-11

• Windows Defender with Microsoft Active Protection Service (MAPS)

Exploit Mitigations:

• Windows 10 Control Flow Guard - https://technet.microsoft.com/itpro/windows/keep-secure/windows-10-security-guide#secure-the-windows-core

• Enhanced Mitigation Experience Toolkit – http://www.microsoft.com/emet

Security Development Lifecycle (SDL):

• Follow these practices for your applications and require or encourage vendors/suppliers to follow them
  http://www.microsoft.com/sdl

User Education:

• https://www.microsoft.com/en-us/security/online-privacy/phishing-symptoms.aspx

Pages 21-23: (no text)

Page 24:

[Diagram: attack types across the User, Resource Portal and Infrastructure layers: Brute Force, Password reset, Impersonation, Buffer overflow, SQL Injection, Privilege escalation, Certificate spoofing, Phishing, Drive-By-Download, Side channel, DDoS, Data integrity]

Pages 25-26: (no text)

Page 27:

Cyber Kill Chain phase | On-premises | Public cloud

Active reconnaissance | HUMINT, OSINT (users) | Footprinting (services)

Delivery | Browser, mail, USB (user interaction) | Hacking (no user interaction)

Exploitation | Client-side vulnerabilities | Server-side vulnerabilities

Installation and Persistence | File-system based | Memory based

Actions: Internal reconnaissance | Custom tools | Built-in administration tools

Actions: Lateral movement | Machine pivot | Resource pivot

Page 28: (no text)

Page 29:

Share of attacks by type:

Communication with malicious IP 41.0%

RDP brute force 25.5%

Spam 20.5%

DDoS 7.6%

SSH brute force 2.2%

Port sweeping 1.7%

Other 1.5%

Page 30: (no text)

Page 31:

Number of attacks on Italian customers (share by alert type):

Suspicious RDP VM activity | 37%

Network communication with a malicious machine detected | 15%

Suspicious incoming RDP network activity | 11%

Suspicious incoming SQL activity | 10%

DDOS | 8%

Spam | 7%

Suspicious outgoing port scanning activity detected | 4%

Successful RDP brute force attack | 2%

Page 32:

Alert | Number of alerts on Italian customers

Suspicious RDP VM activity (failed brute force) | 3567

Network communication with a malicious machine detected | 1479

Suspicious incoming RDP network activity (brute force) | 1095

Suspicious incoming SQL activity | 928

DDOS | 814

Spam | 650

Suspicious outgoing port scanning activity detected | 341

Successful RDP brute force attack | 157

Kill chain Fusion security incident | 130

Suspicious outgoing SSH network activity to multiple destinations | 105

Suspicious outgoing port scanning activity detected | 83

Suspicious incoming SSH network activity | 55

Suspicious outgoing RDP network activity to multiple destinations | 44

Fusion security incident cross VM | 39

Suspicious outgoing RDP network activity | 34

Suspicious process executed | 24

Suspicious outgoing SSH network activity | 21

Suspicious command execution | 18

Cross VM Kill Chain Fusion Incident | 16

Possible compromised machine detected | 16

Suspicious disguised file was executed | 15

Suspicious logon | 10

Suspicious activity | 3

Suspicious Powershell Activity Detected | 1

Suspicious incoming SSH network activity from multiple sources | 1

Registry persistence | 1

• A considerable volume of attacks concentrates on attempted brute force of administration protocols (RDP and SSH)

• The number of alerts generated by Threat Intelligence mechanisms is around 15%

• A significant share of incidents (10%) is related to SQL activity.

• The number of successful brute force attacks is around 5% of attempts.
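The two alert types that dominate the table above are a burst of failed RDP logons from one source and a success from that same source right after the burst. As an added example (not code from the presentation), the following Python script applies both detections to constructed Windows-style logon events; the line format, the thresholds and the sample data are assumptions made for the example.

```python
"""RDP brute-force detection over constructed logon events.

Added example, not code from the presentation. It mirrors the two alert types
that dominate the table on this slide: a burst of failed RDP logons from one
source, and a success from that source right after the burst. The line format
is an assumption modelled on Windows Security events 4625 (failed logon) and
4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> <EventID> <LogonType> <SourceIP> <Account>"
LINE_RE = re.compile(r"^(\S+)\s+(\d{4})\s+(\d+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one constructed log line; returns None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event_id, logon_type, src, user = m.groups()
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "src": src, "user": user}


def detect_rdp_brute_force(lines, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window detector. Returns (failed, successful):
    failed     - {source_ip: peak failures inside `window`} for sources that
                 reached `threshold` failures ("failed brute force")
    successful - [(source_ip, account, timestamp)] for each successful RDP logon
                 preceded by >= `threshold` failures from that source inside
                 `window` ("successful RDP brute force attack")
    """
    recent = defaultdict(deque)  # source_ip -> timestamps of recent failures
    failed, successful = {}, []
    for ev in filter(None, map(parse_line, lines)):
        if ev["logon_type"] != 10:  # only RemoteInteractive (RDP) logons
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # expire failures older than window
            q.popleft()
        if ev["event_id"] == 4625:
            q.append(ev["ts"])
            if len(q) >= threshold:
                failed[ev["src"]] = max(failed.get(ev["src"], 0), len(q))
        elif ev["event_id"] == 4624 and len(q) >= threshold:
            successful.append((ev["src"], ev["user"], ev["ts"]))
            q.clear()  # burst reported; start counting afresh
    return failed, successful


def build_sample_log():
    """Constructed sample events (not real telemetry) covering four cases."""
    base = datetime(2017, 3, 1, 10, 0, 0)
    stamp = lambda **kw: (base + timedelta(**kw)).isoformat()
    lines = []
    # 1) 12 failed RDP logons in 22 seconds from one source, then a success
    for i in range(12):
        lines.append(f"{stamp(seconds=2 * i)} 4625 10 203.0.113.5 administrator")
    lines.append(f"{stamp(seconds=30)} 4624 10 203.0.113.5 backup")
    # 2) one mistyped password then a success: normal behaviour, must not alert
    lines.append(f"{stamp(minutes=5)} 4625 10 198.51.100.7 alice")
    lines.append(f"{stamp(minutes=5, seconds=20)} 4624 10 198.51.100.7 alice")
    # 3) 15 network (logon type 3) failures: not RDP, outside this detector
    for i in range(15):
        lines.append(f"{stamp(hours=1, seconds=i)} 4625 3 192.0.2.9 svc")
    # 4) 12 RDP failures spread over an hour: never 10 inside a 5-minute window
    for i in range(12):
        lines.append(f"{stamp(hours=2, minutes=5 * i)} 4625 10 192.0.2.44 admin")
    return lines


if __name__ == "__main__":
    failed, successful = detect_rdp_brute_force(build_sample_log())
    print("failed brute force:", failed)  # {'203.0.113.5': 12}
    print("successful brute force:", successful)
    # [('203.0.113.5', 'backup', datetime.datetime(2017, 3, 1, 10, 0, 30))]
```

With Network Level Authentication enabled, failed RDP attempts are commonly recorded with logon type 3 rather than 10, so a production rule would have to count those as well.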

Page 33:

1. Discover and Manage SaaS risk

2. Secure Administration of Critical SaaS Tenants

3. Secure Administration of IaaS/PaaS Tenants

Page 34:

[Diagram: CASB / Cloud Discovery (Discover, Investigate, Control, Alerts); Shadow IT, Sanctioned App Security, Visibility and control, Compliance and regulations, Integration with existing systems and workflows, Cloud security expertise]

Page 35:

http://aka.ms/cyberpaw

Block primary entry points

a. Internet Browsing and Email

  • Block internet access

b. USB attacks

  • Block GPO Devices

c. Attacks from enterprise environment

  • Host Firewall

  • Credential Isolation (local and domain)

  • Remove/Harden Management Agents

Apply defense in depth

a. Software Exploits

  • Rapid patching

  • Windows 10 Control Flow Guard

b. Malware Infection

  • Windows Defender

  • Windows Defender ATP

  • AppLocker and Device Guard

c. Disabling of security controls

d. …and more

Page 36:

Your Office 365 Tenant: protect critical elements that enable administrative access

• Multi-Factor Authentication: Configure Office 365 MFA

• Privileged Access Workstations (PAWs): http://aka.ms/cyberpaw

• Separate Admin vs. User Accounts

• Security and Compliance Center: Record and Monitor admin activity

• Baseline & Monitor key tenant configurations: https://securescore.office.com

Page 37:

Tenant Subscription (PaaS, IaaS): protect all elements that enable administrative access

• Multi-Factor Authentication: http://aka.ms/AzureMFA

• Privileged Access Workstations: http://aka.ms/cyberpaw

• Time-bound privileges (no permanent admins): http://aka.ms/AzurePIM

• Enable and Configure Azure Security Center

• Separate Admin vs. User Accounts

Page 38: (no text)

Page 39:

Detection throughout the kill chain

Page 40:

Under attack: one small mistake can lead to attacker control

Attackers Can

• Steal any data

• Encrypt any data

• Modify documents

• Impersonate users

• Disrupt business operations

Active Directory and Administrators control all the assets

Page 41:

[Timeline: Research & Preparation → First Host Compromised → (24-48 Hours) → Domain Admin Compromised → Attacker Undetected (Data Exfiltration), more than 200 days (varies by industry) → Attack Discovered]

Page 42:

Tiers: Tier 0 Domain & Enterprise Admins; Tier 1 Server Admins; Tier 2 Workstation & Device Admins

1. Beachhead (Phishing Attack, etc.)

2. Lateral Movement

  a. Steal Credentials

  b. Compromise more hosts & credentials

3. Privilege Escalation

  a. Compromise unpatched servers

  b. Get Domain Admin credentials

4. Execute Attacker Mission

  a. Steal data, destroy systems, etc.

  b. Persist Presence

24-48 Hours

Page 43: (no text)

Page 44:

STRONTIUM:

• Operating since 2007 and possibly earlier

• Regularly develops and uses zero-day exploits against victims (5 zero-day vulnerabilities were first used by Strontium in H1 2015)

• Mature set of implants and tools

• Focus on government, military, finance verticals

• Victims are primarily in the EU and Central Asia

Page 45:

How does one become a target?

How is one attacked?

What happens once the compromise has taken place?

Kill chain:

RECON: Fingerprint, Observation, OSINT

WEAPONIZE: Lures, zero-day / EK, Social engineering

DELIVERY: Waterhole, Spear-phish, MITM

EXPLOIT: Installation, Dropper, Downloader

INSTALL: Installation, EOP/Gain privilege, Persistence

C&C: Exploration, Info gathering, Lateral Movements

ACTIONS: Exfiltration, Destruction, Compromise

Page 46:

STRONTIUM: Strontium techniques on the same kill chain

• Spear-phishing attachments lures: Office CVEs

• Spear-phishing drive-by URLs: IE/Flash/Java CVEs

• Social-engineered code-exec: Firefox XPI

• Social-engineer drive-by login: OWA, Yahoo, Gmail

Page 47:

STRONTIUM:

Remote code execution through browser drive-by

• Java: CVE-2015-2590 (0-day)

• Flash: CVE-2015-3043, CVE-2015-5119, CVE-2015-7645 (0-day)

• Internet Explorer: CVE-2014-1776, CVE-2014-6332, CVE-2014-3897

Remote code execution through malicious attachment

• Microsoft Word: CVE-2015-1641 (0-day)

• Microsoft Word: CVE-2015-2424 (0-day)

Privilege escalation or sandbox escape

• Win32k: CVE-2015-1701 (0-day)

• ATMFD: CVE-2015-2387 (0-day)

Security feature bypass

• Java: CVE-2015-4902 (0-day)

Social engineering-based attack

• Firefox: Bootstrapped Add-on (XPI)

Page 48:

STRONTIUM:

• Lure through privacy alerts from email addresses such as [email protected]

• Very effective

• Target hundreds of victims mined from public sources and probably successfully phished victims

• Persistent; repeated spear phishing attempts on victims with different lures

Page 49:

STRONTIUM:

[email protected]

http://eurasiaglobalnews.com/XXXXXXXX-spains-armed-forces-conclude-mission-in-central-african-republic/

Page 50:

STRONTIUM:

Page 51:

STRONTIUM: Killchain

[Diagram: the kill chain from RECON through ACTIONS, with the latest Strontium campaign overlaid: KEYLOGGER / INJECTOR, SSL/PROXY TUNNEL, PTH / MIMIKATZ, AIRGAPPED EXFIL, MAIL EXFIL]

Page 52:

• Very active threat actor

• Utilizes 0-days on a variety of software products

• TTP (Tactics, Techniques and Procedures) seem crude

Page 53:

Protecting Active Directory and Admin privileges

First response to the most frequently used attack techniques

1. Separate Admin account for admin tasks

2. Privileged Access Workstations (PAWs) Phase 1 - Active Directory admins http://Aka.ms/CyberPAW

3. Unique Local Admin Passwords for Workstations http://Aka.ms/LAPS

4. Unique Local Admin Passwords for Servers http://Aka.ms/LAPS

2-4 weeks | 1-3 months | 6+ months

Page 54:

Protecting Active Directory and Admin privileges

Build visibility and control of administrator activity, increase protection against typical follow-up attacks

1. Privileged Access Workstations (PAWs) Phases 2 and 3 – All Admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.) http://aka.ms/CyberPAW

2. Time-bound privileges (no permanent admins) http://aka.ms/PAM http://aka.ms/AzurePIM

3. Multi-factor for elevation

4. Just Enough Administration http://aka.ms/JEA

5. Lower attack surface of Domain and DCs http://aka.ms/HardenAD

6. Attack Detection http://aka.ms/ata

2-4 weeks | 1-3 months | 6+ months

Page 55:

Protecting Active Directory and Admin privileges

Move to proactive security posture

1. Modernize Roles and Delegation Model

2. Smartcard or Passport Authentication for all admins http://aka.ms/Passport

3. Admin Forest for Active Directory administrators http://aka.ms/ESAE

4. Code Integrity Policy for DCs (Server 2016)

5. Shielded VMs for virtual DCs (Server 2016 Hyper-V Fabric) http://aka.ms/shieldedvms

2-4 weeks | 1-3 months | 6+ months

Pages 56-58: (no text)