Using Divergent TTPs To Inform Defensive Strategies

BSides Dublin · 2021 · 30:22 · Published 2021-05
Category: Technical · Style: Talk
About this talk
View slide decks and full list of talks available at: https://www.bsidesdub.ie/past/2021.php
Transcript [en]

I'm actually quite excited about the opportunity to present to everyone today. This is my eighth BSides, and I've had a pretty good run in this part of the world: I was fortunate enough to keynote BSides comrade and tonight 2019, when they started their BSides up, and spoke at BSides London. So I'm disappointed that I'm not able to be in Dublin with everyone, because I love visiting your city, but I'm grateful for the opportunity to share my knowledge with you any way that I have the opportunity.

I'm briefly going to give you a little bit of background on some of the things I do, to give you the perspective of where this information is coming from, and then I'm hoping that this will help you to understand a little bit more of the particulars of what some of the threat actors are doing, the different kinds of threat actors that we see attacking organizations these days, and to help you allocate your time and money in the right places in order to best defend against those attackers. So this is sort of my brief action plan.

My role at Sophos is interesting now because, of course, we have Managed Threat Response and Rapid Response services for people, both in the monitoring capacity but also on the response side when they're getting hit with ransomware attacks and things. It's allowed me to gather a lot of information in a more, I hate to use the word holistic because it makes it sound a bit not real, but you know, previous to this our perspective was purely from the point of detection: going through lots and lots of malware samples, doing our very best to make sure that those malware did not impact people's systems. Now we can see the whole attack chain and how different tools are being detected at different stages, what methodologies victims or defenders are employing in order to stop different stages of those attacks, and where people are having success and failure in defending against those attacks. So we've got more pieces of the puzzle now, because we can do in-depth analysis of the malware itself, and this information is what I've used to feed into today's presentation, to share with you our current view of what's happening in that threat landscape.

We'll start with who. I think it's important to know who, and each of you will have to put yourself in some perspective to understand whether specific threat actors may be a risk to your organization or not, but I think for the majority of us all of them will, if we put them in high-level buckets. I have things in three categories now.

I have the professional attacker who works in the nation state, and you'll probably fall within one of two categories when it comes to nation states, no matter who you are as an organization now. This may come as a surprise to some of you. You may work in an industry where you very much expect to be the target of a nation state: you may be working in defending a government agency, or perhaps someone developing a vaccine, or these types of things, maybe defense, the traditional places you expect your nation-state adversaries to be poking around. Nothing really changes for you. This has been going on for years, and if you're in those kinds of organizations you've always got nation states looking into your business. What's more concerning is that some of the nation states have seemingly shifted to, if not directly attacking civilian targets, making open season on civilian targets for people to meet their ends. The two most common that we're seeing out there, the reason I have the two little pictures down in the corner there, are Hidden Cobra and Static Kitten, two of the threat groups that are known to be involved in some of this.

Because of their behavior, I mean, it's particularly North Korea, which is generally represented by cobras and snakes and things like that by some of the other security companies, they're after everybody right now. In essence, they're using ransomware to fund their nation state, to some degree. The FBI estimated that in 2020 over 10 percent of the gross domestic product of North Korea came from cryptocurrency thefts and ransoms. Can you imagine 10 percent of your entire economy now running on stolen digital money, done through cyber attacks? It's an astounding figure. Granted, North Korea doesn't have a very functioning economy, it doesn't have a great GDP, but this is a survival skill for them at this point, and they are not targeting typical nation-state targets; they're targeting anyone they can rob and steal from, and it's gotten a bit out of control. Most famously, we're all aware of the WannaCry attack a few years back, and of course WannaCry was ultimately attributed to North Korea. While they didn't make any money on it, I think they learned from some of the mistakes they made and recognized the opportunity for how much money they could have made, considering the gross amount of damages that were caused to just a few organizations in that attack, and understood the monetary value in doing this.

So when we look at Iran, they seem to be in a very similar position, and they seem to be maybe marching down the same path. It's a little fuzzier in Iran exactly what's going on, but we have seen an increase in crypto-mining attacks and an increase in ransomware coming from Iran as well. Like North Korea, they have sanctions, so they may be eyeing a similar model for ways to get hard currency from foreign nations to come into the Iranian economy. The victims that I've investigated with the team at Sophos, and others that we're aware of, have all just been regular civilian organizations. They're not organizations with an affiliation with the government, with the military, with the army, anything like that; they're just companies that can be attacked to make money off of them. The perpetrators, I don't know if they have a seal of approval from the state, but they certainly don't seem to be offending the state; the state is not taking any action to stop any of this activity. One of the people we wrote a blog post about recently that was deploying crypto miners from Iran actually runs a legitimate computer business in Tehran. He doesn't even hide his name or address or anything. We could just look him up on Wikipedia, look him up on GitHub, and see the source code for some of his malware on his GitHub that's directly tied to his business name, which suggests that there's nothing to fear. If it's not official government approval, it's tacit government approval, but it means that every organization in the world now has nation states either funding or interested in coming after them. Maybe not with the same sophistication they have when they're after the secret super-duper missile plans and things like that, but it certainly is stepping up the game. It's also muddying the water when you're doing an investigation of an attack; it's getting less and less clear, and I don't know how much time I'll have to go into details on this, but a lot of the tools and techniques that are being used by nation-state attackers are the same as we're seeing in this middle bucket.

That middle bucket there, with the hacker stickers on the laptop, I call advanced persistent thieves. This is the upper echelon. In the title of the presentation it said "the stratification of cyber crime", and what I was referring to there is that we are getting these layers of sophistication now. At the top layer, clearly, it's the nation states themselves, not necessarily their endorsed citizens who may be attacking people; they have the most sophisticated tools generally. That next step now I call advanced persistent thieves, and that's your Ryuks and your REvils and your Contis, these ransomware gangs that are regularly in the headlines asking for million-plus-dollar ransoms. We've seen upwards of 30 million dollars in some of the victims that we've helped out. I saw, of course, last week it was in the news that Acer computers was hit and demanded 50 million dollars. The people doing those kinds of crimes are in this advanced persistent thief bucket, and to be fair, most of their skills seem to be in that zone of a mid-level pen tester, let's say. I know a lot of people that do pen testing, and there's a few of them that truly and genuinely scare me, and I worry for my own network if they were to come after me, even though I spend so much of my time and effort focusing on how to secure it. The mid-tier ones are the ones that I have confidence that I can block, but I have to make an active effort to block them. It's not easy to keep those mid-level people out; I have to consciously do a lot of things in order to secure my network, but if I do them, they're not getting in. They're not giving talks at Black Hat any time soon, and these are the ones I think that are the most dangerous. I'm going to spend the most time on them today because, of the quantity of them out there, those are the ones that are starting to really take down our networks in larger and larger numbers, and they're not interested in consumers. So we've seen this real shift in the attack economy, where we're not seeing the mass drive-by stuff we used to see in the days of Flash and Java causing so much disruption, and that's all shifted into targeting organizations for large sums of money and picking them off one at a time, using human-led attack skills rather than wormable exploits per se.

The last category there, that's a little cut-and-paste action that you see on the right, and they're still out there and causing some trouble. What do you want to call them, script kiddies or whatever you want to refer to them as: there is a lower tier of people trading hacking tools. They don't really understand how they work, and they're just throwing everything at the wall to see what sticks, and they have plenty of success. There's two particular ransom groups still doing this; one's called Dharma, another one's called STOP ransomware. There's great information coverage on those if you're interested in learning more about how they work; we've written some articles on our blog, and BleepingComputer always has fantastic information on ransomware groups and detailed write-ups. They're having success against the low-hanging fruit, so if you do have some unprotected assets out there, they may get hit by some of these groups. They may hit desktop computers within your organization for a few hundred dollars or a few thousand dollars equivalent per victim, but they don't have a lot of success, because they don't have zero-days, they don't have Java and Flash to attack anymore, and their social engineering skills are weak at best in a lot of cases. So they're really just throwing out quantities and hoping a few things stick, but on average some of these groups are netting between a thousand and fifty thousand dollars per victim, so it's still a pretty good day at the office if you're a criminal to do that activity.

So now if we look at the how: how do these things change from the way they were a few years ago? We've seen this evolution coming over the past 10 or 15 years, but it was rather slow moving until recently. If you've been working for a while in this business, you probably remember the age of exploit kits. They're still out there, but largely exploit kits shone from the late 2000s to the mid 2010s. The Blackhole exploit kit was probably the most famous one, and that was the beginning of this idea of there being specialization in jobs, of how you provide tools to others to commit the crimes. Whoever was behind the Blackhole exploit kit, I can't remember the guy's name, he was eventually arrested; all he did was write the exploits and then sell the kit. He didn't deploy the malware, he didn't write the malware, he was just what we would now call an initial access broker: somebody who gets initial access to a victim's computer and then delivers a payload on behalf of someone else. That was the beginning of this stratification of the underground markets, where they became jobs.

Around that same time we also saw there was mass credit card theft going on, particularly in the United States, because they had not adopted chip cards yet and it was very easy to steal credit card mag stripes from memory. In that time period we started seeing that market do the same thing, where suddenly one person's job was to manage the money mules that would use the stolen cards to go get money out of cash machines, and that's all that person did. They didn't know anything about malware; they were people people, they just knew how to recruit and herd those mules to go out and take money out of cash machines. Somebody else's job within the criminal group was to acquire blank plastic cards and imprint the mag stripes with the stolen card information so that they could be taken and used by those mules, and somebody else's job was to write the malware to collect those mag stripes in memory. So we've seen this expand out further and further as this criminal market has gotten more and more, well-endowed with cash let's call it. There's lots of this trading going on, and most of it, unfortunately, with the groups that we're most interested in, is being done behind the scenes. We're not seeing this being done in the open. Occasionally we do see people selling, for example, ransomware-as-a-service through some forums that we have access to. In particular, you see that with groups like REvil: they do have affiliates, and they do sometimes recruit somewhat openly for affiliates. But as far as the relationship they have with their money laundering groups or things like that, those transactions are mostly done in private. We can tell that they're distinct groups in many cases, based on code analysis, based on analysis of ransom notes, based on other ways we're able to analyze things; we can see there's repeat operators doing jobs for different groups and different people, in order to get these things done most efficiently, because they're very good at them.

Primarily you see, of course, money laundering, usually being done through cryptocurrencies. So lots and lots of bitcoin wallets, and coin tumbling, and moving things from bitcoin to Ethereum and back to bitcoin, and then ultimately cashing it out through over-the-counter traded stocks in China and things like that, in order to make the money disappear. Another specialization that I'm sure you've experienced in your inbox, and hopefully you noticed it, is that the quality of the phishing attacks has increased dramatically. They're hiring professional translators to write their emails and write their document lures so that they're in correct English, Spanish, French, German, whatever language they're targeting. In particular, the English-language ones, the quality of them is no longer such that you can spot the mistakes, and again, for the lure that's important. The ransom notes are still a grammatical nightmare, but they don't need to be at that point; once you're at the ransom note stage there's no reason to pretend that they're not criminals. They're admitting they're criminals; in fact, they're trying to use it to intimidate you. So they're putting the focus and effort into the social engineering lures; they're hiring professional people that are native speakers of those languages to help craft these phishing attacks, which is leading to a much higher yield of victims that are getting drawn into those attacks.

Of course, professional coders of different skill sets are helping write the malware, and again there's a bit of a distinction with some of the groups. I don't think it's actually that important to study the groups; I think it's important to defend against all of them. But we do see some groups specialize in being technically sophisticated and coming up with new ways to bypass protection technologies, like NetWalker and DoppelPaymer, whereas other groups like REvil, and Maze before they retired in October last year, seem to focus on the hype. It's all about "I'm going to dump the data publicly, I'm going to try to get media attention, I'm going to embarrass the company until they pay", and while their malware is sophisticated enough, it's not employing new techniques that we've never seen before to bypass technologies. If you've got solid technology in place you're generally somewhat safe, unless they can turn it off, which is a whole other kettle of fish.

Anything can be had for a price. I just went hunting around on some dark websites that I monitor occasionally, and this was just an example of what we were talking about. I found Vladimir and George here, who are offering services of different hacking things, what they'll do for how much money, and you just get an idea that it's somewhat in the open. It's almost always done in bitcoin, even though some of the underground markets now are under heavy pressure to move from bitcoin to Monero. Especially the markets selling drugs and guns and malware are being pushed strongly toward not accepting bitcoins anymore, because of the traceability, and moving to Monero, where they have more anonymity. I suspect bitcoin will probably vanish from those markets. Bitcoin is never going to vanish from the ransomware market, because victims know what a bitcoin is, they've heard of it and they can probably buy it, and that's really important to the crooks. But when they're buying things from each other, they want their anonymity from one another as well, because there's been a lot of takedowns in the last few years by international law enforcement, and that's one of the ways they can ferret out who's doing business with whom. By getting bitcoin out of that, it lowers their risk another level.

So we'll talk a little bit about TTPs, or how they're actually doing this. I wanted to take an example of one of the more sophisticated modern attacks that we had the opportunity to document. I was looking for images of what a Conti might be, and it turns out it's a Portuguese beer. I don't know if it's Portugal Portuguese or if it's Brazilian Portuguese, but I found that can of Conti, and I thought, well, that's kind of odd. I don't know what the actual malware is named for, but this is the process that they took getting into this particular victim. First they've got to get that initial access, and again, remember, this is probably a different group than Conti themselves. It's unlikely that any of the modern ransomware groups are actually hacking into your network; somebody else is hacking into a computer, recognizing "oh wait, man, I broke into this computer and look, it's part of a company, and this company's large enough that they probably have some money, and maybe I can sell this victim on to these ransomware guys that I have a relationship with through the underground." In this particular case that we were investigating, it was an unpatched FortiGate firewall, from Fortinet, that they broke in through. The patch had been out for months but hadn't been applied, so it was kind of easy pickings. This is pretty common: almost everything we see in 2020 at the beginning of these attacks starts with a hacked remote access device of some type. They're either attacking the Citrix, or what was called the Citrix vulnerability at the end of 2019, they're attacking FortiGate, they're attacking Pulse Secure VPNs, they're attacking sometimes, I'm forgetting the name of it now, that starts with an S, but they're going after VPNs and other remote access stuff. Above and beyond that, RDP: if there's an RDP server open, they're just going to pound it, guessing passwords until they get in, and/or just phish somebody for a legitimate password from the IT team, especially one that might have the ability to elevate privilege to administrator. So this is almost always how they're getting in at the start. Occasionally they start with a phishing attack or a document, but most of the investigations we did in 2020 always come back to some remote access device that was either unpatched, or the credentials had been previously phished and there was no multi-factor authentication, or it was just legitimate access, again without multi-factor, that they were able to password-guess.

Then the first thing they did was deploy Cobalt Strike in a very generic fashion. If you follow DerbyCon and many of the jokes in the infosec community, you can look up "Trevor Forget" about a bug in somebody's milkshake; they literally used that code verbatim for the HTTP stager for Cobalt Strike in the attack. They didn't even bother modifying it. You can see the screenshot in the lower right that we discovered on the victim's machine, and that matches up with publicly published things called the Trevor Forget code. Then they did a reflective attack and loaded a loader for Meterpreter into memory, and again, this was an entirely fileless attack. This is one of the other challenges: when you're in the panic of dealing with one of these incidents and you're responding to them, you want to figure out what the criminal's been up to and how they got in, because they're unlikely to give up if you knock them off of one server. I don't have all the details here; if you're interested in more details, go to our news.sophos.com blog. We did an entire write-up on this attack with all of the technical detail of the malware and the detail of how the attackers pivoted around the network. They got onto one server, and eventually the IT team was able to get control of that server, recognize that they were there, and lock them out again, but they'd already pivoted to more servers, and because it was fileless it was really hard for the victim to trace where that thing had gone and where it might be in their network. So they didn't realize another server was compromised, where the attackers continued their attack even though the defenders thought that they had locked them out. This is becoming more and more common.

Then they loaded another piece of Cobalt Strike into memory. They double-obfuscated it: they obfuscated it using a packer, but in addition to packing it they also did what's called API-by-hash, where instead of calling APIs by the name of the API, for example gethostbyname to do a DNS lookup, you hash the API names and you call the hash of the API name rather than the API name, which just makes it miserable to reverse engineer for folks like the people that helped me out in SophosLabs. Then it wormed over SMB all around the network. Once they had valid administrative creds, they can copy it to the $ shares all over the network to spread the malware around, to position it in staging. In this case they actually embed an RSA public key into the malware itself so that they don't need to contact command and control; as soon as they infect the machine, they don't need any outbound access to a command-and-control server, because the public key is built into the malware. They just put a unique public key in per victim, because it's being deployed by hand; it doesn't need to be automated in any fashion, because humans are actually behind the keyboard publishing it. This is almost a hallmark of a lot of ransomware attacks now, which is the data gets exfiltrated to Mega, which is Kim Dotcom's file-sharing service that he hosts. Depending on how you feel about Kim Dotcom, you may be a fan or not a fan of Mega, but that's where a lot of the data is being exfiltrated now. They'll often bring along a client that can connect directly to Mega's APIs and do the upload, to accelerate it and make it a little faster than doing it over HTTPS, but if that doesn't work then they'll just run it through a proxy and go to the Mega website and do it that way. They've got several different utilities that are commonly used, and then ultimately, of course, publish some of that information on the dark web in order to extort the victim into paying.

So that's the flow of a very typical attack. Mapping this out loosely into not very definitive attack framework buckets, but just giving an idea: the beginning is sometimes a phish, clearly probably not Emotet anymore because Emotet's gone, but it's the most famous example I could think of that was successful in the last year or two, and through remote access devices, whether that's Citrix or Pulse Secure or RDP, proceeding on to living off the land. This is pretty much every attack now. We almost never see the criminals bring their own attack tools; if they do, it's heavily obfuscated PowerShell, and they're doing that reflective DLL loading into memory where they can do fileless attacks and nothing hits the disk, so as not to trigger a lot of antivirus and things like that. And heavy use and abuse of tools that are already present and used by that IT team. Often we've even seen them go to the point of using your internal software deployment strategy to deploy the malware itself, and scanning your network using copies of Nmap that they find lying around, using PsKill, PsExec, all the Sysinternals tools. A lot of reliance on PowerShell these days, and Cobalt Strike and Meterpreter frequently used as well, which is a little surprising to me because they're so well known to security tools they're bound to set off an alarm somewhere, but they are still using them. And disabling backups, especially cloud things like Veeam; they'll look for S3 buckets or Veeam services, those types of things, to kill your backups if they're online. Too many companies are no longer doing offline backups; they're not sending the tapes in the bucket off to the warehouse to be stored, and because of that they can delete them while they're online and put the company in a worse position. And of course, in the end, they've got a gun to your head.

I've got about five more minutes left, so I'm just going to talk about defense before we get ready. For those of you who stayed in track one, it's an all-Canadian ending to BSides Dublin, strangely enough. My friend and colleague Rob Slade before me did a fantastic job talking about homomorphic encryption, and I'll have the great pleasure of being the last person to speak before Dave Lewis does the locknote. I'm curious what a locknote is, I've been meaning to ask that, but Dave is another well-known person in the Canadian security community and I hope you'll enjoy his presentation as well.

On the prevent, detect and respond side, I mean, this sounds stupid, and I'm really getting sick of saying it, to be honest, but every victim we're helping out these days just had bad hygiene: poorly configured firewalls, and often no logging, no SIEM, or no EDR. These are really the most important parts on the prevention side, and I know firewalls sound like a very 20th-century idea, but you need to think about firewalls maybe differently than you used to. What I'm saying on the prevention side, I'm almost talking about preventing this from growing out of control. We're talking about segmentation in the network as much as we're talking about, I mean, ideally you'd be moving to SASE and ZTNA and these types of things so that you're not worried about firewalling, but most of us aren't there. So if you're not there, like almost every other organization, you do have firewalls, and if you do have firewalls and you do have an inside network and a DMZ network and all these kinds of things, then you need to be segmenting more. Every major attack that's gotten out of control that we've been involved in, and every one I've read about in the press, there's been zero segmentation in those networks. Once the criminals are able to find one way in, there's nothing to stop them from running roughshod over the entire network and all of the data, and it's such a cheap, rudimentary thing. They don't cost anything; you can run them in virtual machines now. You're not buying WatchGuard boxes and racking them like you did in the old days. So really look at how you might use things you already have like that better, and get better at segmenting.

EDR is absolutely essential, because when you're trying to react to a situation you need to know what's going on, and you need to know quickly, and you don't want to have to paste together seven different systems' information in order to try to figure out what's happening. Certainly our threat responders find EDR to be the most useful new tool in the arsenal. Most of the things we rely on are actually old things that don't cost much money; you just need to know how to use them effectively. It's not about buying new shiny stuff, it's about being more strategic about how we use the old shiny stuff, but in the case of EDR I would say that's the exception. I heard about a new victim last night that we were helping out, and again they had unpatched Exchange servers despite all the information about Hafnium going around. They had a plan; they were planning on patching against the Hafnium vulnerabilities this weekend, but instead they got hit with the ransomware yesterday. So a little late for them, and unfortunately that two-, three-week delay in patching is more than enough to make them a victim. In so many of these cases, even reasonably well-managed environments, we still see that 80 percent of the servers were protected but 10 of them weren't, and that's all it takes, is one of them. Then they can unlock the other ones in most cases: if they can, the first thing they do is disable the security on everything else. They only have to find the one unprotected machine that's a member of the domain, and they can unravel the whole thing like pulling the thread on a sweater. So it's essential that it be ubiquitous.

If you spend all of your time on hygiene, you'll be far better ahead than if you spend all your time trying to do far more sophisticated things, if you're not that far along on the security maturity spectrum. You have to just recognize where you are in that maturity and focus on what you can do at the maturity level you're at. Don't try to leap ahead, because you'll fail at everything, as opposed to being really good at at least one thing that's going to help defend. Then of course threat hunting, if you're mature enough, is the next step. You need to really be able to detect and respond, and when the criminals break in, more often than not there's a few telltale things that slow them down, and there's a few telltale things that they're often doing, more often than not within the first hour or two of them breaching the network. I liken it to a burglar breaking into your house and knocking over a plant on the way into the house; it shatters and you hear it in the other room. If we compare that to detecting a piece of malware, say Cobalt Strike or Meterpreter being detected on a machine in your DMZ, you might say "hooray, my Sophos antivirus or my Palo Alto or CrowdStrike or whatever I have detected Cobalt Strike, fantastic, close the incident because it worked." But the truth is you need to open an incident, because somebody's trying to get in, and it's a human, and they're not going to give up because Sophos or Carbon Black or CrowdStrike detected their Cobalt Strike. They're just going to come back in 10 minutes with an obfuscated one or a different tool that's not going to be detected by vendor Y or product X. So when you hear the plant breaking, when they break into the room, you need to be in the position to start an incident response. Segmentation, looking for things after hours, and looking for data exfiltration are the primary ways you're going to see that something bad was happening.

So my time's up. I hope you found that informative. I'll hang out in the platform thing if there's questions later and anybody wants to chat. Thank you very much for your time; I hope that was useful.

Thanks Chet, that was a very, very good talk. You raised a lot of questions around the source of Conti beer in the chat, so is it Brazilian or is it Portuguese? Apparently someone said Conti's from Brazil, and then someone said "I'm from Brazil, I've never heard of that beer", so the question still remains. Thanks for your time, Chet. I'll hand over to Auntie now, who will have your fellow countryman Dave close out with his mother. Thanks, Chet.
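The talk closes with a triage rule rather than a tool: a blocked Cobalt Strike or Meterpreter detection is the "plant breaking", so it opens an incident instead of closing one, and after-hours activity, data exfiltration and cross-segment movement are the signals to look for. The Python below is an added example, not code from the talk or from Sophos; it encodes those rules over a handful of constructed AV/EDR, logon and egress events. The business-hours window, the 5 GB egress threshold, the tool-name list and every host, user and destination in the sample data are assumptions made for the example.

```python
from datetime import datetime
from typing import Dict, List

# Tooling the talk names as the "broken plant": a detection of these on any
# host means a human operator is already on the network, so the alert opens an
# incident rather than closing one. Matched as case-insensitive substrings.
OPERATOR_TOOLING = ("cobalt strike", "meterpreter")

# Assumptions for this example, not values from the talk: interactive admin
# logons outside 07:00-19:00 or at the weekend count as after-hours, and any
# single egress summary at or above 5 GB warrants an exfiltration check.
BUSINESS_HOURS = (7, 19)
EXFIL_THRESHOLD_BYTES = 5 * 10**9

# Constructed sample telemetry (AV/EDR alerts, logon events, egress flow
# summaries). Hosts, users and destinations are invented for the example.
SAMPLE_EVENTS = [
    {"ts": "2021-03-12T02:14:05", "host": "dmz-web01", "zone": "dmz",
     "kind": "av_detection", "detail": "Cobalt Strike HTTP stager blocked"},
    {"ts": "2021-03-12T02:21:40", "host": "dmz-web01", "zone": "dmz",
     "kind": "logon", "user": "svc_deploy",
     "detail": "interactive logon, member of Domain Admins"},
    {"ts": "2021-03-12T02:35:10", "host": "fs01", "zone": "internal",
     "kind": "logon", "user": "svc_deploy",
     "detail": "interactive logon, member of Domain Admins"},
    {"ts": "2021-03-12T02:50:00", "host": "fs01", "zone": "internal",
     "kind": "egress", "dst": "upload.filesharing.example",
     "bytes_out": 18 * 10**9},
    {"ts": "2021-03-12T10:05:00", "host": "ws-113", "zone": "internal",
     "kind": "av_detection", "detail": "Adware bundle blocked"},
    {"ts": "2021-03-12T10:20:00", "host": "ws-113", "zone": "internal",
     "kind": "egress", "dst": "cdn.updates.example", "bytes_out": 250 * 10**6},
]


def is_after_hours(ts: str) -> bool:
    """True outside business hours or on a weekend (ts is local ISO-8601)."""
    t = datetime.fromisoformat(ts)
    start, end = BUSINESS_HOURS
    return t.weekday() >= 5 or not (start <= t.hour < end)


def signals_for(event: Dict) -> List[str]:
    """Map one telemetry event to the talk's telltale signals (possibly none)."""
    kind = event["kind"]
    if kind == "av_detection":
        detail = event["detail"].lower()
        if any(tool in detail for tool in OPERATOR_TOOLING):
            return ["operator_tooling"]
    elif kind == "logon":
        privileged = "domain admins" in event["detail"].lower()
        if privileged and is_after_hours(event["ts"]):
            return ["after_hours_admin_logon"]
    elif kind == "egress":
        if event["bytes_out"] >= EXFIL_THRESHOLD_BYTES:
            return ["bulk_egress"]
    return []


def triage(events: List[Dict]) -> Dict:
    """Decide whether a batch of events opens an incident, and how severe.

    Rules taken from the talk's closing section:
      * any operator tooling seen, even if blocked, opens an incident;
      * after-hours admin activity combined with bulk egress opens one too;
      * signals spanning more than one network zone mean the intruder has
        already pivoted past whatever segmentation exists: critical.
    """
    per_host: Dict[str, Dict] = {}
    for ev in events:
        sigs = signals_for(ev)
        if not sigs:
            continue
        entry = per_host.setdefault(ev["host"], {"zone": ev["zone"], "signals": set()})
        entry["signals"].update(sigs)

    hosts = sorted(per_host)
    signals = sorted(set().union(*(per_host[h]["signals"] for h in hosts)))
    zones = sorted({per_host[h]["zone"] for h in hosts})

    opens = "operator_tooling" in signals or (
        "after_hours_admin_logon" in signals and "bulk_egress" in signals)
    if not opens:
        # A lone weak signal is reviewed, not auto-closed as noise.
        return {"open_incident": False, "severity": "low" if signals else "none",
                "hosts": hosts, "signals": signals, "zones": zones}
    severity = "critical" if len(zones) > 1 else "high"
    return {"open_incident": True, "severity": severity,
            "hosts": hosts, "signals": signals, "zones": zones}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

On the sample batch the DMZ detection alone is enough to open an incident; the after-hours domain-admin logon reappearing on an internal file server, followed by an 18 GB upload, is what lifts it to critical, because the signals now span two zones. The adware block and the ordinary update traffic on the workstation produce no signals at all.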
