1 | © 2016, Palo Alto Networks. Confidential and Proprietary.
THREAT LANDSCAPE
Mikko Kuljukka, Systems Engineer, Palo Alto Networks
(Chart: Bitcoin USD rates)
How big of a problem?
• $1 billion in 2016
• >6 million unique samples
• >55 million sessions
• >100 families.
• Typical payment is 1 BTC; tailored for organizations.
• Targeted attacks seen, but largely victim agnostic.
(Chart: AutoFocus: Ransomware Total)
Why ransomware?
• Value of stolen records has declined
• Monitored by financial authorities and law enforcement
• PoS systems form a sub-set of the total target
• Motivation to pay
• Anonymity - Bitcoin and Tor
• MaaS / RaaS lowers cost-of-entry, fuels ecosystem
KeRanger
• First discovered ransomware for Mac OS.
• Authors back-doored a popular BitTorrent client for OSX in early 2016.
• It attempted to encrypt about 300 types of files after 72 hours.
Samsa / SamSam
• Targeted campaign from 2016.
• Leveraged unpatched instances of JBoss to spread.
• Ransom reached around 45 BTC (approximately $20,000).
• Almost 100 distinct samples.
• Diversifying in target verticals & attack/spread techniques.
• Profits over $500k
Cerber
Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, Uzbekistan
• Jaff ransomware
• Distributed through similar channels as Locky and Dridex
• Using different key derivation format from Locky
• Capable of offline decryption.
• DOCM file embedded in PDF
• PDF uses JavaScript to load DOCM
LOCKY -> JAFF (DOCM -> PDF(DOCM))
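A first-pass triage for the DOCM-in-PDF delivery chain described above, added here as an example (it is not code from the slides or from Palo Alto Networks): it scans a PDF for the name objects that chain needs (an OpenAction, JavaScript, an embedded file) and lists any embedded Office filenames. The SAMPLE_PDF bytes, the exportDataObject call inside them, and the hex-escaped and Flate-compressed variants are constructed to exercise the scanner, not taken from a real Jaff sample.

```python
import re
import zlib

# Constructed sample (not a real malware file): the object layout of the Jaff-style
# lure, a PDF whose OpenAction runs JavaScript that exports an embedded .docm
# attachment. The embedded "file" is just a 4-byte ZIP magic placeholder.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /Names << /EmbeddedFiles 5 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (this.exportDataObject({cName: "invoice.docm", nLaunch: 2});) >> endobj
5 0 obj << /Names [(invoice.docm) 6 0 R] >> endobj
6 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 7 0 R >> >> endobj
7 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK\x03\x04
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name objects that mark active content or attachments. The \b keeps /JS from
# matching inside /JavaScript and /EmbeddedFile from matching /EmbeddedFiles.
INDICATORS = {
    rb"/OpenAction\b": "auto-run action on open",
    rb"/JavaScript\b": "JavaScript action",
    rb"/JS\b": "inline JavaScript code",
    rb"/EmbeddedFile\b": "embedded file stream",
    rb"/Launch\b": "launch action (external program)",
}

# Office filenames inside PDF string objects, e.g. (invoice.docm)
OFFICE_NAME = re.compile(rb"\(([^()]*?\.(?:docm|docx|doc|xlsm|xls|rtf))\)", re.IGNORECASE)


def expand(data: bytes) -> bytes:
    """Undo two common ways keywords are hidden from naive scanners:
    Flate-compressed streams and #xx hex escapes in names (/J#61vaScript)."""
    inflated = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.DOTALL):
        try:
            out = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-encoded; the raw bytes are scanned as they are
        if out:
            inflated.append(out)

    def unescape(chunk: bytes) -> bytes:
        return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), chunk)

    return b"\n".join(unescape(part) for part in [data, *inflated])


def triage_pdf(data: bytes) -> dict:
    """Count indicators, list embedded Office names and return a triage verdict."""
    data = expand(data)
    hits = {}
    for pattern, meaning in INDICATORS.items():
        n = len(re.findall(pattern, data))
        if n:
            hits[meaning] = n
    office_names = sorted({m.group(1).decode("latin-1") for m in OFFICE_NAME.finditer(data)})
    # The Jaff chain needs all three pieces: something that fires on open,
    # JavaScript to do the export, and an embedded Office document to export.
    autorun_js = "auto-run action on open" in hits and (
        "JavaScript action" in hits or "inline JavaScript code" in hits)
    if autorun_js and "embedded file stream" in hits and office_names:
        verdict = "high"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"indicators": hits, "embedded_office_files": office_names, "verdict": verdict}


def make_flate_sample() -> bytes:
    """Constructed sample whose JavaScript action sits inside a compressed stream."""
    body = zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>")
    return (b"%PDF-1.5\n1 0 obj << /Type /ObjStm /Filter /FlateDecode >> stream\n"
            + body + b"\nendstream endobj\n%%EOF")


if __name__ == "__main__":
    for label, pdf in (("jaff-style lure", SAMPLE_PDF), ("compressed js", make_flate_sample())):
        print(label, triage_pdf(pdf))
```

Keyword matching at this level is only triage: an object stream using a filter other than Flate, or names spread across an incremental update, will slip past it, so a high verdict should route the file to a sandbox rather than stand alone as a conviction.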
• Friday May 12th, 2017
• v2.0 of WanaCrypt0r, spreading using SMB protocol exploit
• Kill switch
• 17th May: 36 BTCs (~$63k) in multiple wallets
• Ransom of ~$300 implies ~210 victims
WanaCrypt0r (Wanacry, Wcry)
WanaCrypt0r
• Initial attack vector indications (theories):
• Spam and/or phishing email.
• Direct attack against MS17-010
• RDP
• Port 445 scans on local networks and random external IP ranges.
• Checks all IPs on the class-C network of each given vulnerable host
• No C2 per se
• Uses TOR network to communicate encryption keys
• DOUBLEPULSAR backdoor reportedly used to execute the malware after successful ETERNALBLUE exploitation
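Detection logic for the scanning behaviour described above, added as an example that is not part of the original deck: it reads constructed flow records (the four-field line format and all addresses are assumptions made for this example) and flags any source that reaches many distinct hosts on TCP/445 within a short window, splitting the targets into the source's own /24 and everything outside it.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not real traffic logs): "<UTC time> <src> <dst> <dport>".
# 10.0.5.23 walks its own /24 on 445 and then tries two off-subnet addresses,
# which is the sweep pattern described above; 10.0.5.40 is an ordinary
# file-share client talking to one or two servers.
SAMPLE_FLOWS = """\
2017-05-12T10:00:01Z 10.0.5.23 10.0.5.1 445
2017-05-12T10:00:01Z 10.0.5.23 10.0.5.2 445
2017-05-12T10:00:02Z 10.0.5.23 10.0.5.3 445
2017-05-12T10:00:02Z 10.0.5.23 10.0.5.4 445
2017-05-12T10:00:03Z 10.0.5.23 10.0.5.5 445
2017-05-12T10:00:03Z 10.0.5.23 10.0.5.6 445
2017-05-12T10:00:04Z 10.0.5.23 10.0.5.7 445
2017-05-12T10:00:04Z 10.0.5.23 10.0.5.8 445
2017-05-12T10:00:05Z 10.0.5.23 203.0.113.77 445
2017-05-12T10:00:05Z 10.0.5.23 198.51.100.14 445
2017-05-12T10:00:09Z 10.0.5.40 10.0.5.10 445
2017-05-12T10:00:30Z 10.0.5.40 10.0.5.10 445
2017-05-12T10:00:31Z 10.0.5.40 10.0.5.11 445
2017-05-12T10:01:00Z 10.0.5.23 10.0.5.99 80
"""


def parse_flows(text):
    """Parse the constructed record format into (time, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)))
    return records


def detect_smb_sweeps(records, threshold=8, window=timedelta(seconds=60)):
    """Flag sources that reach >= threshold distinct hosts on TCP/445 within one window.

    Each alert also reports how many targets sat in the source's own /24 (the
    "class-C" sweep) and how many were outside it (random external ranges)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == 445:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        local_net = ipaddress.ip_network(f"{src}/24", strict=False)
        for i, (start, _) in enumerate(events):
            # distinct destinations reached within `window` of this event
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= threshold:
                local = sum(dst in local_net for dst in targets)
                alerts[str(src)] = {
                    "distinct_targets": len(targets),
                    "local_subnet": local,
                    "off_subnet": len(targets) - local,
                    "window_start": start.isoformat() + "Z",
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in detect_smb_sweeps(parse_flows(SAMPLE_FLOWS)).items():
        print(src, info)
```

Real firewall or NetFlow exports map onto the same (time, src, dst, dport) tuple; the threshold and window are assumptions and should be tuned against a baseline of legitimate SMB fan-out (backup servers, vulnerability scanners) before the rule pages anyone.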
WanaCrypt0r Exploit
• EternalBlue vulnerability (CVE-2017-0144) on Windows
• SYSTEM-level remote code execution (RCE) in the handling of the Server Message Block (SMB) protocol
• Publicly disclosed in Equation Group dump by Shadow Brokers in their 5th leak, April 14th 2017
• Microsoft patch available in March 2017 (MS17-010)
EternalRocks
• Wannacry exploits + 5 more
• Sleeps for 24h and downloads Tor for C2
• No apparent kill switch
• Does not contain any malicious payload yet
Ransomware trends
• Indiscriminate high-volume / low-ransom attacks continue to be popular
• Social engineering is heavily used
• Targeted, high-value ransom is on the rise.
• Database attacks:
• NoSQL: MongoDB’s default security settings
• SQL: MySQL, bruteforce passwords
• RaaS
• IOT on the horizon
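For the MySQL brute-force item above, a sliding-window detector over the server's error log, added as an example that is not from the slides: the log lines are constructed in MySQL 5.7 style and assume the server has been configured to log failed logins ("Access denied" notes); the threshold and window are assumptions to tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed error-log lines in MySQL 5.7 style (not from a real server).
# 203.0.113.9 cycles through account names; 10.0.0.5 is one mistyped password;
# the last line is unrelated noise the parser must ignore.
SAMPLE_LOG = """\
2017-05-17T07:00:00.000000Z 12 [Note] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2017-05-17T08:12:01.000000Z 51 [Note] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2017-05-17T08:12:02.000000Z 52 [Note] Access denied for user 'admin'@'203.0.113.9' (using password: YES)
2017-05-17T08:12:03.000000Z 53 [Note] Access denied for user 'mysql'@'203.0.113.9' (using password: YES)
2017-05-17T08:12:04.000000Z 54 [Note] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2017-05-17T08:12:05.000000Z 55 [Note] Access denied for user 'app'@'10.0.0.5' (using password: YES)
2017-05-17T08:12:06.000000Z 56 [Note] Access denied for user 'test'@'203.0.113.9' (using password: NO)
2017-05-17T08:12:07.000000Z 57 [Note] Aborted connection 57 to db: 'unconnected' user: 'unauthenticated' host: '203.0.113.9' (Got an error reading communication packets)
"""

DENIED = re.compile(
    r"^(?P<ts>\S+) \d+ \[Note\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)' \(using password: (?P<pw>YES|NO)\)")


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag client hosts with >= threshold denied logins inside any sliding window.

    Timestamps older than the window are evicted per host, so a stale failure
    (the 07:00 line) does not count toward the 08:12 burst."""
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    users = defaultdict(set)      # host -> account names attempted
    alerts = {}
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        host = m["host"]
        window_q = recent[host]
        window_q.append(ts)
        users[host].add(m["user"])
        while ts - window_q[0] > window:   # drop failures that aged out
            window_q.popleft()
        if len(window_q) >= threshold and host not in alerts:
            alerts[host] = {
                "failures": len(window_q),
                "users_tried": sorted(users[host]),
                "first_seen_in_window": window_q[0].isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for host, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(host, info)
```

The number of distinct account names tried is the useful second signal: a user who fat-fingers one password five times looks very different from a source walking root, admin and mysql. The same per-host counter applies to the NoSQL case once MongoDB is actually configured to require authentication, which is the setting the slide says is missing by default.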
Ransomware trends and oddities
• Non-financial (coercion) ransom
• Pop-corn time
• Jigsaw
• Doxware / When backups don’t matter
“Dox: search for and publish private or identifying information about (a particular individual) on the Internet, typically with malicious intent.”
In order to have relationship with us, and pay the ransom; must go the following steps.
1. Launch a subdomain named: killxxxxxx.xxxxxx.xxx.xx
2. Make a txt file named: Ransomware.txt including:
Banking Trojans
• User gets infected the normal way
• Trojan starts to monitor when user visits supported sites
• Trojan captures PINs and/or uses webinjects to change or add to user’s input
• Trojan mimics the real site and “proxies” user’s input to them
Banking Trojans
• Less money than ransomware
• Stealthier
• Needs more sophistication and customization than ransomware
• Very old strains still alive too
• Zeus (2007)
• Dridex (2014)
• Ursnif/Gozi (2007)
• Xbot (Android)
Why IOT?
• Lifecycle of a thermostat is longer than that of a laptop
• In some cases they are impossible to patch
• In most cases, no endpoint protection
• Unless the attack is destructive or impairing, users might not notice
• Owners don’t care, don’t realize the threat
• Vendors don’t care, don’t realize the threat
• Lots of default passwords because of 2 above
Botnet platforms
• Leet
• 650 Gbps and 150 Mpps
• Mirai
• 280 Gbps and 130 Mpps
• Easy money for the herders
Delivery methods
• Filename.pdf_______________.exe still a good choice
• Regular purchase_order.exe files work well too
• Malicious scripts in documents that rely on user approval
• Phishing
• Exploits and exploit kits: viable only for serious actors, given their cost
• Shadow Brokers 0-day subscription service
• $21k/month
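A filename check for the two attachment tricks named above (the padded double extension and the plain .exe), added as an example rather than anything from the deck; the extension lists, the filler pattern and the sample names are assumptions made for this illustration.

```python
import re

# Extensions Windows will execute (or run as a script) when double-clicked.
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                  "vbs", "vbe", "wsf", "hta", "msi", "lnk"}
# Extensions a user expects from an invoice or purchase order.
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
# Office formats that carry macros and rely on the user clicking "enable".
MACRO_EXT = {"docm", "xlsm", "pptm"}

# "invoice.pdf_______________.exe": a document extension, a run of filler meant
# to push the real extension out of view, then the executable extension.
PADDED_DOUBLE = re.compile(
    r"\.(?P<fake>[A-Za-z0-9]{2,5})[ _\-\.]{2,}(?P<real>[A-Za-z0-9]{2,4})$", re.IGNORECASE)


def classify_attachment(name):
    """Return (verdict, reason) for one attachment filename."""
    parts = name.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    m = PADDED_DOUBLE.search(name)
    if m and m["fake"].lower() in DOCUMENT_EXT | MACRO_EXT and m["real"].lower() in EXECUTABLE_EXT:
        return ("block", f"padded double extension: shown as .{m['fake']}, really .{m['real']}")
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXT and real_ext in EXECUTABLE_EXT:
        return ("block", f"double extension: .{parts[-2]}.{real_ext}")
    if real_ext in EXECUTABLE_EXT:
        return ("block", f"executable attachment: .{real_ext}")
    if real_ext in MACRO_EXT:
        return ("quarantine", "macro-enabled Office document; needs user approval to run code")
    return ("allow", "no filename indicator")


# Constructed attachment names covering the cases on the slide plus benign ones.
SAMPLE_NAMES = [
    "invoice.pdf_______________.exe",
    "purchase_order.exe",
    "report.pdf.exe",
    "quote.docm",
    "notes.txt",
    "archive.tar.gz",
]


def triage_attachments(names=SAMPLE_NAMES):
    """Map each filename to its (verdict, reason)."""
    return {n: classify_attachment(n) for n in names}


if __name__ == "__main__":
    for name, (verdict, reason) in triage_attachments().items():
        print(f"{verdict:10} {name:35} {reason}")
```

Filename rules catch the lazy cases cheaply; they say nothing about a renamed executable inside an archive or a genuinely named document with a macro, which is why the slide's "scripts that rely on user approval" line still needs content inspection and sandboxing behind it.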
The three threat vectors by D. Rumsfeld
• IPS
• AV
• URLF
• Threat feeds
• Sandboxing
• User Education
• Technique blocking
• Automated defences
• Layered defence
• Segmentation
• Surface reduction
• Behavioral analysis
Known Knowns | Known Unknowns | Unknown Unknowns
COMPLETE VISIBILITY
REDUCE ATTACK SURFACE
PREVENT KNOWN THREATS
PREVENT UNKNOWN THREATS
PREVENTING SUCCESSFUL ATTACKS