
Rocke'in the NetFlow TTPs to Detection

BSides Denver · 2019 · 33:54 · 17 views · Published 2019-09
About this talk
An analysis of the Rocke cryptomining group's evolution from script kiddies to sophisticated cloud-targeting threat actors. The talk traces their operational techniques, malware development (including the Lua-based God agent), infrastructure tactics, and detection strategies through NetFlow monitoring in cloud environments.
Original YouTube description: Q stands up and talks through NetFlow monitoring on the cloud.

Transcript [en]


So, how do organizations actually do in the cloud? First, what is Rocke? [inaudible] They're a Chinese cyber crime group, and what this team does, they focus primarily, 100 percent, on [inaudible]; later on, as you'll see, they are following targets into the cloud. All right, so who here is using cloud? Good. [inaudible] They use languages like Python and Go, and they operate out of Jiangxi province, and then there's some Shanghai registration [inaudible]. So this first part is going to go through a lot of threat intel: what is this group, how they work, where they came from, what is the methodology, and all

that might be kind of surprising; I was surprised. So first of all, what's in a name: an email address from a registry that was associated with another email address, jxc AI and bi p TQ comm [inaudible]. JX is the short province name, like Colorado is CO or California is CA; Jiangxi is JX. New information that we found as soon as we started looking at this is there's a couple of other domain registration emails that come through; this 459 2241 occurs both in the Gmail and [inaudible] .com, and any time we've seen this being used for registration of domains you'll always find it a part of the

[inaudible] new ways, domains, a lot of domains, but they certainly used those domains very frequently. So first seen in 2016, targeting Windows; they've been opportunists across the board, using Windows, Linux, Android. They didn't even really go to the cloud at this moment; they really weren't caring so much. They were using solely Python as their language of choice and old libraries [inaudible], actually looking at the actual function calls of systems. So they basically, they also stole a lot of [inaudible]

and they primarily used reflective loading for beaconing, and they also have a Pastebin repo they use; this is actually how to actually use it. But as you can tell they were all script kiddies: they didn't have the detail of what they were really doing, they're just saying hey, I want to be able to do some bad stuff that makes money, tell me the things to do. It's kind of funny, a little bit interesting: they were actually very security conscious about what it is they were attacking. When they approached the system, the intruded system, and they found that it had a Chinese security system on it, primarily 360 Safeguard,

the 360 security software from the Qihoo 360 software company, they would just immediately stop the attack. At this point they were 20 percent focused on [inaudible], and they used ransomware, which wasn't very sophisticated, wasn't very hard, still [inaudible] a lot of aspects, even though their backdoor had some aspects in it. They made some money, kind of got their feet wet. A lot of their activity was actually crypto mining, so they were using a lot of [inaudible]; the choice was compromising Chrome extensions and IE extensions, specifically with [inaudible], and then they

would actually have that system, if Chrome or IE would actually turn off for whatever reason, they strictly and continuously ran once a minute and checked to make sure that it was running through the browser. If the browser is running, fine; if not, they just silently turn it back on. Around 2015-2016, at [inaudible] percent, systems and servers were actually messed up, so they learned: well, maybe we should use 15 or 30 percent and try to keep that a little bit lower. They did learn how to do that. The software [inaudible] to these systems was [inaudible], the JBoss miner

primarily. So again, using very commodity processes.

And this is when Unit 42's perspective [came in], and we actually converted the name from Iron Group to Rocke. They've got a pretty cool graphic right now. They're actually now starting to home in their target on a specific aspect: they're now focusing solely on [inaudible]. Okay, why cloud? Numerous people would call it important in our age today, you know, living with systems in AWS; you're looking at systems that are

binaries are not an easy way to cross all your different [inaudible]. At this point they were actually considered a botnet. They actually started dabbling into something they've been compared to, EternalBlue, like we were saying earlier. However, where EternalBlue was actually using SMBv1 to propagate from system to system, they actually use weak passwords and unpatched vulnerabilities. It's not really a sure way of [inaudible]

because systems that may be holding some sort of [data], it's gonna use ransomware, because they would actually first [inaudible] the system and then go into a specific database and just start deleting tables. They just wrecked it as they wanted; they put a fake table in there with the ransom message. However, they still got 40 [inaudible] payments out of them; they made about eight thousand US dollars during that time, so it's still worth it, people paid. I guess that chunk of change, that eight thousand, is allowed. So that was for me, and then in August they came out, around the same time, with a new

type of venture where they focus solely, solely, solely on cloud. [inaudible], which we found through a honeypot. These types of malware systems they were working with involved their PE [inaudible] and also XMRig entirely [inaudible]; they were using, on their blog, conversions between those. But they really started leveraging infrastructure, in this case git repositories and Pastebin, where they started filling in their initial infection, C2, and also [inaudible], this is China's equivalent of GitHub, okay, so I think for the United States, any communication

going to [inaudible]. They also started perfecting and isolating a very specific type of downloader they would use; this is where [inaudible] comes into the mix. I will get into its functionality and the TTPs of the pieces in the next little section. They kind of changed their tactics a little bit and now they're focusing solely on web servers, or started focusing on what you'll most likely find within the cloud: vulnerabilities within Apache Struts, Oracle WebLogic, just general web servers that are out there running. These are the primary targets. Typically what they would do, in a brief overall summary, is the crypto mining; it's very common. If you go to a

system, you want to kill the processes. It's a little bit different when you get on that system: they keep tabs on it, so you can kill that process, and if they've got some sort of persistence, come back on it; that persistence brings that system back online. They also add iptables rules to that particular system and just stop all communication. So that's their [inaudible]. The interesting thing, this is where we really started getting really [interested], because they would actually go into the [inaudible], but now we're actually seeing these actors starting to sink themselves deeper into the system, more information on the process, either of which is a cool process;

there's processes. So now Rocke, they've kind of gone from script kiddies, now they're actually [inaudible], and now they're moving into new territory, and this new layer is Lua. So, God Lua: it was coined the term 'God' because it actually switched the ASCII characters of 'Lua' for the ASCII characters of 'God' once it was [inaudible].

So another thing they actually do is now they are starting to alter their malware itself, right? So now that they're using Lua they actually change their little friend on the system, so now the [inaudible] version, the Lua God, the Python one won't work, so there's a nice little trigger that we

started [on]. Some more on infrastructure and development that we can go on: we have [inaudible].tk, or using the subdomains of [inaudible]. We also have found 'config', I'm sorry, 'app config' [inaudible]; they have the same, supplementing with [inaudible], but they also have other words like [inaudible] in the image, which we'll see in a second. Both of these domains, coincidentally enough, only, and have only ever, resolved to [inaudible], which is interesting. And I threw this up because, anybody ever seen Darren Aronofsky's Pi? Amazing, I think it's an amazing movie. Within that they're actually talking about the god number, because this mathematician [inaudible] is holding a computer chip that's actually gonna find this most improbable

number; it's like [inaudible] characters long. There's this whole process, but there's a whole bunch of

film noir, my psychosis problem that's happening. What this application really did is, this actually shows that the actors have now gone from being script kiddies to having themselves in the systems to actually building and generating a tool and an agent that can be on a cloud system that now has many capabilities. So it has particular [inaudible] capabilities: Lua scripting capabilities, two different kinds of shells; great tool, you can quit it, turn it off, proxy through it, so it's actually becoming an actual proxy that you can use. It has been reported that it [inaudible], you guys can now actually do DDoS, it actually could do it

right, and then, sure, I couldn't find that happening, but this reported shell, two kinds of shells, and then this [inaudible], knowing a range of communication, they can change their communication. So again, now we see the sophistication. This is how this links to Rocke: we found that by the [inaudible] downloader. The C2 that was communicated back to from the agents of the [inaudible] system, we found two main crossovers: these are four domains that Rocke has been known to use; all of these were registered by [inaudible], so there's a good connection there. And then the C2 specifically calls to these two particular domains, which are also Rocke's. So we also have now a self-

[inaudible]; they both write a file to the temp directory disguised as a PNG, so

that talk is [inaudible]. So what is the cloud, how does the [inaudible] work? There was a good entry; I'll try to just, you know, there are three types:

systems and servers running in racks, these are all on location, they're all traditional networking; there are newer applications running on your systems in your data center, right. Private cloud changes a little bit: your operating systems are there, your applications are still running in your systems, but it's not running in a system, it's running in a shared hierarchy system, like say vSphere, some sort of [inaudible] or something of that nature, so they can be sharing resources of that particular application to fit the needs. So, whether it be [inaudible], public cloud now changes this: AWS, GCP, Azure,

DigitalOcean, whatever: there are no more applications running on your hardware; they run on someone else's hardware. You don't know what they are, where they're located; I mean, you could probably specify that this would be run in this region, and they have to agree to that if that's part of your [inaudible] or whatever, but you really don't know, and quite frankly probably wouldn't care what the system is. Here's this in pictures: the on-premises situation, everything's on our system right over here in our buildings, there's a firewall, there's our internet. Inside that firewall, we drove over here to the private cloud: we have all of our systems, we have our own cloud that's serving all of our particular applications that all of our users

connect to. When you get to the internet, we have to go through [the firewall]; pretty straightforward. The public cloud: we have our systems with our users and all of our laptops; we have to go through the firewall first to get to the cloud, which has all the applications. Again, pretty straightforward. [inaudible] Now we're gonna make things a little bit different: containers try to take that regular [system] and bring it down to a small level. So a Docker container is a virtual machine for a single application; in and of itself it doesn't do anything else. The container VM has the essential resources of the OS for

that application to run. So if you don't need to have network connectivity to it, you will not have it for that system. If you don't need a library for whatever process you need to have for Adobe, if you're not running Adobe, you're running something else completely, you're not gonna use any of those libraries, right? So you're only going to use what it is. This allows Docker containers to be speedy; they're quick to stand up. Instead of an operating system taking minutes to stand up, you can have a Docker container stand up within 30 seconds, maybe 15 seconds, depending on how powerful [the host is] or how much it has to start running. You can make changes to

the Docker configuration template, you can turn that Docker system off, turn it back on again, completely updated for whatever that is. So when it comes to patching systems, what you do is patch the template, turn the system off, turn the system back on again. Nice for developers, great for pen testers and research people, because you have the exact same environment every single time. [inaudible] If you have to manage all those systems, Kubernetes does that for you. Kubernetes will manage Docker instances, [inaudible], it will manage a lot of different types of instances, it will manage multiple containers, it ensures that the system has stability, and if the

application crashes for whatever reason, there may be some [inaudible], turn it back on, so on and so on. It's modular architecture and it creates a redundant application. Okay, so we're gonna talk about just the stack real fast. On our left, I'm sorry, your right, we have the virtual machine as we know it, I'm just going to say this is the [inaudible]: you have a bare metal system, you're running an operating system on top of that system, you have your hypervisor, which in this case would be, like, VMware [inaudible] or whatever. Then inside of that you've got each individual guest [OS]; these boxes are fully encapsulated

operating systems, right, that is everything that entire operating system has, and you can run applications on top of them. Containers, on the other hand: there are bare metal systems, you have an operating system, and you'll have the Docker container engine running right here, or [inaudible], and the application itself. So what you've done is you've essentially eliminated your guest OS. There's an issue between this and this, and this and this: we have strong isolation [here] and weak isolation [there]. I'm gonna [inaudible] three of those; container escapes that go through this use the OS. This application is more secure [inaudible] than this system is to a host operating system, right? All right, so it's container escapes that go

through this. So now, how do organizations actually do with the cloud, taking this new type of [inaudible]? Unit 42 created a report called Cloudy with a Chance of Entropy, and we go through, we start looking at what is the state of the cloud right now. Okay, what is the cloud that we live in? Horrible, isn't it? Misconfigurations: within 2018 up to the current day we found 65 percent of all reported incidents are due to misconfiguration. This is S3 buckets being misconfigured, exposed user authentication [inaudible], Elasticsearch systems; a lot of different things go into this. We also have 39 percent of all organizations that have RDP exposed to the internet. I know, just, just

ready for that number? Ready for this number: 56 percent have SSH exposed to the internet. Okay, you could have these under authentication, that could be safe, they could be secure; you'll see in a second that maybe not. But 56 percent are still just exposed, okay, and this is just the cloud. 61 percent of organizations are using TLS version 1.1, which has been [inaudible] from 2008 because of insecurity. Of all these things, vulnerabilities in the cloud, these numbers are the same: 34 million exposed vulnerabilities just in the cloud. Huge caveat: this is not Amazon, this is not Google, these are not cloud service provider vulnerabilities; these are your applications. 29 million [inaudible] on the

website breakdown of those particular systems: 4 million in [inaudible], 1.7 million in Azure, so users are actually using [inaudible]. 22 million of the 34 million are CVE 2018 or older, 4 million are CVE 2014 or older, so these are old CVEs. These are the top vulnerabilities that we found within CVEs: we have Apache HTTP [inaudible], we have OpenSSH at number three and number four. So 56 percent of systems have SSH open, and number three and number four of the top vulnerabilities are OpenSSH, so [inaudible] that makes attackers go 'all right', which is what we found. So now we're going back to Rocke. These are the cyber operations TTP steps that work; there's a 12-step process

where they upload their information to Pastebin, they entice their victim to download that somehow, they exploit that vulnerability on their system using whatever the victim downloads, that connects back to a C2 that they control, [inaudible] the C2 environment now delivers the payload, they gain administrative access to that particular container, whatever that is, so now they have root access on that particular system, because most users run their containers as root. Establish persistence in cron job commands, and now they have persistence. They go ahead and search for those crypto miners, kill those off, set iptables rules to block future communications, uninstall the [inaudible] agents, and now install their miner, and so on. Pretty good. So this is

what we know about Rocke: these are the domains, the domains that we know, these are the one-on-one domains that we know; there's a few other reporters [inaudible]. You can see here that 3389 is actually the main [port] it actually uses; you might want to trust that word, having maybe 389 open to people, that would be really cool. More registration names; so again the [inaudible] commonality of this, if all those domains resolved their IP addresses to what they have available, I found that [inaudible] resolves to these two IP addresses. These domains resolved to the IPs that were actually being used, and there's another IP address that was used. So when I

did it, I graphed those; we have a pretty little picture of it. You can see that these are probably important, you know, probably see these are probably important because they use a lot of different IPs on different domains. So I kind of wanted to do some pretty little graphs, and then we document it. Unit 42, it's really cool, there's a bit of a MITRE map: we have done something called the ATT&CK template, we use the MITRE framework and we take all of our different attacker groups; you might notice in these things like, well, the rating, it's of the CEO

You're all infected by 30 percent: nearly 30 percent of all cloud organizations are compromised by Rocke. They started out as a script kiddie and have matured to the point of actually compromising that many. 22 percent of those, or 2 percent of the total, have sustained beacon traffic for up to 6 months. If you're connected to one Rocke domain, there's a 3 percent chance you're connected to multiple, and then the common ports are [inaudible], which is amazing. And the twelve-step indications that I want to use: a way to take the 12 steps in the context of domains. You can see here that I look for Pastebin domains, and then any time that happened within the exact same hour, connected to anything

else. So you can see that you have initial confirmation that the client is at least reaching out to Pastebin; now I'm going to look to see the C2 in general on that particular system, which reaches out to the [inaudible] from May to October, and the beacons are at 15 minutes. Yeah, this all has to be over NetFlow. So there we go. On to the [inaudible]: Rocke uses weak passwords, so change your passwords, use more [inaudible], use more extreme passwords, [inaudible] and patch, patch, please, please patch your systems. Other findings, we went over some of these; what was really interesting: 50 percent of the [inaudible] containers use passwords, not key pairs. AWS and GCP make you use a key pair [inaudible]

[inaudible], it is not. So 50 percent of people don't have firewalls or [inaudible] firewalls. VPC traffic monitoring, still buggy; I'll talk to you about that, it's interesting. But a goodie is NetFlow. NetFlow is your savior in this, because full packet capture does not exist in the cloud, it doesn't exist, so you have to use old-school technology: big firewalls and NetFlow, so you can block all this stuff. Get to your threat feeds, [inaudible] codify. I know people, I think, are going to get a hold of the playbook, download it, get that into your [inaudible] to stop those [inaudible] from going through, and for you, so excited about

yes, visibility. Good stuff. So here we go.
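The two NetFlow signals the speaker describes near the end of the talk, a host that reaches a paste site and a C2 indicator within the same clock hour, and a connection that beacons on a roughly 15-minute period, can be checked with nothing more than flow records. The following is an added example written for this page, not code from the talk or from Unit 42. The flow records, the paste-site address and the C2 address are all constructed for the example (RFC 5737 documentation addresses), and the CSV layout is an assumed export format, not any collector's native NetFlow encoding; the correlation logic is what the speaker describes, not a reproduction of his tooling.

```python
"""Added example: same-hour paste-site/C2 correlation and periodic-beacon
detection over constructed NetFlow-style records (not from the talk)."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from statistics import median

# Hypothetical indicators for the example. In practice these come from a
# threat feed; the addresses below are RFC 5737 documentation ranges.
PASTE_IPS = {"198.51.100.7"}   # stand-in for a paste-site resolver target
C2_IPS = {"203.0.113.42"}      # stand-in for a C2 address

# Constructed flow export: ts,src,dst,dport,bytes. Host 10.0.0.5 fetches a
# paste, then checks in with the C2 every ~15 minutes; 10.0.0.9 only fetches
# a paste and browses normally, so it should not be flagged.
SAMPLE_NETFLOW = """\
ts,src,dst,dport,bytes
2019-05-03T10:02:11,10.0.0.5,198.51.100.7,443,2310
2019-05-03T10:05:04,10.0.0.5,203.0.113.42,443,812
2019-05-03T10:09:30,10.0.0.5,192.0.2.1,80,15000
2019-05-03T10:20:05,10.0.0.5,203.0.113.42,443,790
2019-05-03T10:35:03,10.0.0.5,203.0.113.42,443,801
2019-05-03T10:50:06,10.0.0.5,203.0.113.42,443,795
2019-05-03T11:05:02,10.0.0.5,203.0.113.42,443,810
2019-05-03T11:20:07,10.0.0.5,203.0.113.42,443,799
2019-05-03T11:30:44,10.0.0.9,198.51.100.7,443,1200
2019-05-03T11:41:10,10.0.0.9,192.0.2.1,80,9000
"""


def parse_flows(text):
    """Parse the assumed CSV export into dicts with a real datetime."""
    flows = []
    for row in csv.DictReader(StringIO(text)):
        flows.append({
            "ts": datetime.fromisoformat(row["ts"]),
            "src": row["src"],
            "dst": row["dst"],
            "dport": int(row["dport"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def paste_then_c2_same_hour(flows, paste_ips=PASTE_IPS, c2_ips=C2_IPS):
    """Return sources that touched a paste site and a C2 in the same hour.

    Mirrors the speaker's check: bucket by (src, clock hour) and require
    both indicator classes inside one bucket.
    """
    seen = defaultdict(lambda: {"paste": False, "c2": False})
    for f in flows:
        hour = f["ts"].replace(minute=0, second=0, microsecond=0)
        bucket = seen[(f["src"], hour)]
        if f["dst"] in paste_ips:
            bucket["paste"] = True
        if f["dst"] in c2_ips:
            bucket["c2"] = True
    return sorted({src for (src, _), v in seen.items() if v["paste"] and v["c2"]})


def beacon_candidates(flows, period_s=900, tolerance=0.1, min_flows=4):
    """Flag (src, dst, dport) tuples whose inter-flow gaps cluster on period_s.

    Median gap must sit within tolerance of the period and no gap may
    deviate from the median by more than that same tolerance, so a few
    user-driven connections mixed in with the beacon do not pass.
    """
    by_tuple = defaultdict(list)
    for f in flows:
        by_tuple[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    hits = {}
    for key, times in by_tuple.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        jitter = max(abs(g - med) for g in gaps)
        if abs(med - period_s) <= tolerance * period_s and jitter <= tolerance * period_s:
            hits[key] = {"flows": len(times), "median_gap_s": med, "max_jitter_s": jitter}
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_NETFLOW)
    print("paste+C2 in same hour:", paste_then_c2_same_hour(flows))
    for key, info in beacon_candidates(flows).items():
        print("beacon:", key, info)
```

The beacon test deliberately uses a jitter bound rather than an exact 900-second match, because real check-ins drift by a few seconds with scheduling and network delay; tighten or loosen `tolerance` against your own baseline. Neither check is a verdict on its own: the speaker treats the paste-site contact as initial confirmation and the periodic C2 traffic as the follow-up, and that ordering is what you would encode in a playbook.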