© TechTarget

The Other Advanced Attacks

Mike Chapple, CISSP, Ph.D.Senior Director, IT Service DeliveryUniversity of Notre Dame

@mchapple mchapple@nd.edu

2© TechTarget

Agenda

• The Threat is Changing

• DNS Threats

• NTP DDoS Amplification

• Unmasking Careto

3© TechTarget

The Threat is Changing

4

Script Kiddies

Are So Nineties

5© TechTarget

The New Threats

• Governments

• Terrorist Organizations

• Organized Crime

6

Cyberwarfare

Is Real

The Participants Are Well-Funded

Inside an Iranian Nuclear Facility

8

Source: Vitaly Shmatikov

And The Targets Are High

Stakes

9

10

“We're glad they are having trouble with their

centrifuge machine and (we) are doing

everything we can to make sure that we

complicate matters for them.”

Gary Samore

Special Assistant to the President and White House

Coordinator

for Arms Control and WMD

11© TechTarget

Zero Day Vulnerabilities

12© TechTarget

NEED VIGILANCEWe Must Remain

Vigilant

13© TechTarget

DNS Threats

14© TechTarget

Denial of Service Attacks

• Send huge number of requests to a targeted server, seeking to overwhelm it

• Difficult to distinguish legitimate requests from attack traffic

• Several limitations for the attacker– Requires massive bandwidth

– Easy for victims to block based upon IP

15© TechTarget

Distributed Denial of Service Attacks

• Leverage botnets to exhaust all resources on a targeted system

• Difficult to distinguish legitimate requests from attack traffic

16© TechTarget

Amplified DDoS Attacks

• Traditional DDoS still limited by bandwidth of zombie PCs

• Amplification attacks leverage the bandwidth of non-compromised intermediaries

• Requires a service that sends responses that are much larger than the queries

17© TechTarget

Amplification Factor

• Amplification factor is the degree to which the attack is increased in size

• 64 byte query resulting in a 512 byte response is an amplification factor of 8

18© TechTarget

Characteristics of an Amplification Attack

• Use botnets

• Leverage misconfigured services

• Spoof source addresses

• Require connectionless protocol

19© TechTarget

How DNS Should Work

• DNS servers should provide domain name resolution services:

1. To the systems on an organization’s network (for all addresses)

2. To the general Internet (for public names owned by the organization)

• Most DNS communications take place over UDP

• Some systems are configured as “open resolvers”, answering any question from the Internet at large

20© TechTarget

DNS Amplification Attack

Source: Microsoft

Amplification Factor of

60X

21© TechTarget

Don’t Be a Relay

• Ensure that you’re not an open resolver

• Open Resolver Projectopenresolverproject.org

• DNS Inspectdnsinspect.com

22© TechTarget

Be a Good Internet Citizen

23© TechTarget

NTP DDoS Amplification

24© TechTarget

How Dangerous Can a

Clock Be?

25© TechTarget

NTP

• Network Time Protocol used for clock synchronization

• Almost three decades of operation

• Relies upon UDP for sync traffic

26© TechTarget

MON_GETLIST

• System monitoring command

• Retrieves the list of the last 600 systems that interacted with the server

• Ideal for an amplification attack when used with forged source addresses

27© TechTarget

Exploring MON_GETLIST

Source: CloudFlare

Amplification Factor up

to 206X

28© TechTarget

Be a Good Citizen

• Upgrade NTP servers to v4.2.7p26 or later

• Perform egress filtering at the firewall

• Disable MONLIST and related features (see CERT VU#348126)

29© TechTarget

Unmasking

Careto

30© TechTarget

What is Careto?

• Spanish for “The Mask”

• Not a single piece of code, but an advanced threat

• Engaged in espionage activities since at least 2007, undetected until February 2014

• Victimized over 1,000 IPs in 31 countries

• Definite Spanish flavor

31© TechTarget

Naming the Beast

Source: Kaspersky

32© TechTarget

Who is Targeted?

• Government Agencies

• Energy Companies

• Researchers

• Private Equity Firms

• Activists

33© TechTarget

Initial Infection

• Spear phishing messages direct users to a website– linkconf.net

– redirserver.net

– swupdt.com

• Malware hosted in non-indexed folders on those sites

34© TechTarget

Malware Bears a Digital Signature

Source: Kaspersky

35© TechTarget

Variety of Targets

36© TechTarget

Diverse Objectives

• Intercept network traffic

• Perform keylogging

• Monitor Skype conversations

• Steal PGP keys

• Analyze WiFi traffic

• Perform screen captures

37© TechTarget

Stolen File Types

Source: Kaspersky

38© TechTarget

Hides from Kaspersky AV

• Exploits a 2008 vulnerability in Kaspersky

• Attempts to whitelist itself to avoid detection

• Vulnerability patched long ago; relying upon old copies with expired update subscriptions

39© TechTarget

Protecting Against APTs

• Update, update, update

• Filter at the gateway and defend at the endpoint

• Maintain a defense-in-depth approach that does not rely upon any single layer of control

• Monitor rigorously

40© TechTarget

Questions?

mchapple@nd.edu

@mchapple