
Operation Escalation: How Commodity programs Are Evolving Into Advanced Threats

BSides Las Vegas · 52:51 · 71 views · Published 2016-08
About this talk
Operation Escalation: How Commodity programs Are Evolving Into Advanced Threats - Israel Barak Breaking Ground BSidesLV 2016 - Tuscany Hotel - Aug 02, 2016

Good evening everybody, welcome back. You are at Florentine A for the Breaking Ground session. Next we have "Operation Escalation: How Commodity Programs Are Evolving and Getting Into Advanced Threat." We have a speaker, Israel Barak. Please put your hands together and welcome our speaker. Thank you. Okay, good afternoon guys. My name is Israel; it kind of gives away my country of origin. You know, I come from Boston, and when I landed here in Vegas I got out of the airplane, I felt a nice breeze outside, it kind of gave me a good feel of home. So, you know, it's great to be here. Today we're going to talk a little bit about processes in

which we see commodity malware, or low-level threats that we are usually used to thinking of as untargeted, convert, and convert very fast actually, to highly targeted operations. And we're going to discuss a little bit the question of whether or not we should classify incidents or threats that we see into targeted versus untargeted as per our incident response methodology. Specifically, we're going to talk about how black market trafficking of compromised enterprise computing resources actually affects our incident detection and response procedures, right? This phenomenon is actually what supports this rapid conversion of many so-called untargeted threats into targeted ones, and we'll drill down into that aspect of the industry as much as our time permits.

So generally, when a new incident is detected, traditionally, before we were used to using the term "targeted," typically security executives, the CSO or the SOC manager, would try to estimate what the impact of the incident is on availability of services, on data, organizational data, and based on this try to gauge the importance of the response to that incident. Now, at some point, generally pretty much every piece of malware in the market, including click fraud and adware, kind of converted into something that is a full-blown remote access tool. And so the general question of what is the potential impact of the piece of malware that we're seeing here on the availability of services or potential data loss in the

organization, the answer was, well, there's definitely a potential, right? The tool is capable of doing that. But that answer was not something that organizations could manage their prioritization processes with, and so people kind of tended to adopt the term "targeted," right? And the question became: is this a targeted threat or an untargeted threat that we're seeing here? I.e., trying to gauge the level of probability that the attacker actually intends, right, to steal data off of the organization, cripple organizational capabilities, as opposed to something that a user kind of, quote/unquote, randomly caught as they were browsing the web or reading their email. But what we're going to see, and we're going to talk about, is how

commodity malware, right, can quickly transform into a very targeted operation, which can happen, based on some processes that we'll see here, between hours and days from the moment of infection. To address this topic we would first talk about the black market machine trading industry, and we'll drill down into that and get a good feel for what a black market for machine trading is, how it works, the exact methods of operation, and what the targeted attacker can find in one of those platforms. We'll look at the processes for evaluation: how do sellers evaluate machines, and as a result of that, what would be the characteristics of what they would do when they offer machines for sale. We

would see what kind of tool sets these sort of marketplaces offer the sellers and buyers as they transact, and we'll talk about some of the tools, techniques and practices that are common to this triangle of sellers, marketplaces and buyers, right, as they transact. We'll review a specific case, a specific threat that we've analyzed from the attacked organization's perspective, in which the commodity malware's operator actually offered it for sale and went through the process of being sold to a targeted actor, and we'll see how that looks from the attacked organization's perspective. And we'll kind of summarize all that information, all the data, in a few, maybe, conclusions on how security operation centers can actually detect that these

processes are taking place within their networks.

A few words about my background. I originally started my career with cyber security in the Israeli Defense Forces; I headed the Israeli Defense Forces Red Team. I then went on to found a cyber security consulting group, which kind of gave me a much more interesting perspective about both nation-state type threats and organized cybercrime groups. We incorporated that into Citigroup at a later stage, and I'm currently the chief information security officer of Cybereason. Before we kind of progress, let me direct the question to you guys: have any of you guys had a chance to buy or sell compromised servers or endpoints online? Anyone? Let's go with buy, you

know, it's the less problematic position to be in. So, no? Okay. So I'll devote a substantial amount of our conversation here to understand exactly how these marketplaces work and what you would see both as a buyer and as a seller when you transact with these marketplaces. You know, in my perspective, one of the most interesting marketplaces for the trading of compromised servers and endpoints today is called xDedic. Have you heard the term, the word, the name? So one thing I would suggest before we drill down deeper into this: I would advise every security professional to get very acquainted with these platforms, just

like we're getting very acquainted with attack tools and pen testing platforms. Going into these platforms and understanding how people put servers and endpoints for sale, and how does the toolset work, how does the process of transacting between a buyer and a seller work, I think it's fundamental to the understanding of how attackers can get a direct line into the organization without going through phishing attacks, right, or watering hole or malicious attachments. They can just get a server in the data center with five minutes of work. We'll see exactly how that works, but I would advise every one of you that takes interest in this to try the platform. You can also see the

URL there, xdedic.biz; it's not even a Tor domain, it's right out there. All right, so the business has commoditised; people like xDedic have really commoditised the business of transacting on compromised enterprise resources, and we'll see exactly how much they've commoditised this market as we go in. So one note here before we go in, some terminology: compromised machines on these platforms are typically not referred to as machines, they're typically referred to as RDPs or SSHs. "I'm selling and buying RDPs," right? Typically it's because these are the most common communication protocols that you would find with these machines, and we'll talk about the reasons for that. Okay, so let's look at what we have here

at xDedic. I don't know how well you can see, especially in the back lines there, but there's a legal notice here at the bottom. Can you see it? Right here. Resolution is not so great, but let me read it for you. It says, "Warning: you're company representative and want check" (you can really kind of hear the thick Russian accent there) "and want check your firm IPs for existence in our database, send email to provide your firm IP," etc., etc. So what they say, basically: if you want to check if you're part of our database, just send us an email. What do you think, by the way, would happen if you sent them an email? Sorry? Of course you're part of the

database, right? There are 15,000 US machines on that platform every day of the week; of course you're in their database, by the way. But what else would happen? So let me tell you something, and I think it's something interesting, and you kind of get to learn this as you work with those guys: there's such a thing as honor between thieves, right? If they say something, they mean it. If they say that they're going to get you off their data set, or off their database, they are going to get you off their database. But that doesn't mean that a second after you don't appear on one of their 12 other databases that appear under a different name and not xDedic.

That actually is exactly what's happening, right? So they will take you off, and they have this sort of creative interpretation of the legal reality of what would make them not be liable for these transactions. Anyway, just an anecdote. Let's try to register an account. Well, it says, "Warning: to get the access in the shop after registration need to load five hundred bucks, and only after this you'd be able to use a site," whatever. So one of the things that you see here is, you know, they like to use tools like Jabber for communication; typically it's perceived as a relatively private or privacy-oriented tool. And here on the bottom there's a

reference part, right? As part of the registration process the question is: how did you find us, who recommends? It's kind of a remnant of the old days of compromised resource trading. In actuality there are so many people involved in this operation, it doesn't take any effort, right, to find someone that fits this profile of someone who recommends you. It's pretty easy, you can go in. And so we're in. So one of the things that we can do here is we can scroll through a list of compromised machines here and kind of pick and choose what we want to buy. On an average day, worldwide, you'd find between thirty and forty thousand machines on this

platform, on xDedic. Similar number you would find on platforms like he way s like black cash, so a couple of hundred machines. They're pretty unique, by the way, and they don't interchange, right? They don't contain the same machines; on multiple platforms they are pretty synchronized. So a few hundred machine, 100,000 machines worldwide; on something like this, between thirty and forty thousand a day. And you obviously can search for the platform of choice based on the type of provider that you're looking to gain access into, region, etc., etc. But maybe before we kind of sink our teeth into the actual meat that we have here, that's the toolset

that they offer and the actual machines for sale, let's look at a few words of wisdom from this marketplace operator. And the idea again is to figure out, understand the state of mind, understand the TTPs, the methods of operation, that will help us at the end to figure out how we can detect these processes happening in an enterprise environment. So let's look at a few words of wisdom. Code of conduct, right? There is such a thing, even with a black market like this. Essentially what you see here is a set of simple rules, but I think in essence they basically define here the value proposition of why would you buy RDPs

and why specifically would you buy RDPs from xDedic. I think it's interesting to see that last line here, just as an anecdote: "Stolen info from RDPs: yes, many RDPs have a lot useful info about people and companies and can be sold at black markets at a big price." Again, a thick Russian accent there, you can kind of imagine the writer there. But that's the first part, right, a value proposition. So next thing, when people get RDPs: "Is using RDP is legal? All RDPs what can be found in internet forums is not legal," right? But what they're saying is they give you this sort of tips, right,

and they say you must be careful with an RDP; using main rules is: if possible, patch RDP. We'll look at those tools in a moment. These marketplaces, and xDedic specifically, offer a specific set of value-added, independently built tools to increase the value of transacting through them. We'll look at these tools: the patch RDP, and create your own account at it, etc., etc., not really using your real IP when you connect to your bought RDPs.

Another set of interesting words of wisdom here, basically saying: we're not the owners of those RDPs, we don't know where they came from and who they are, right? We'll see these translate into the search processes, right? When you search for specific targets you don't necessarily search by name of the organization, because they don't want to be perceived as knowing who this asset originally belonged to. Right, fair price trading: of course you buy and sell at a fair price, based on their understanding of what a fair price is. Interesting concept, they've actually introduced this concept into the market: you can become a reseller, right? So if you buy a set of

RDPs and you don't need them anymore, you can go back to the platform and sell them. But obviously, you can see here: don't be so happy yet, right? There are a bunch of caveats here. Caveat number one: eighty percent commission. And there are a bunch of other ones, right? But it's actually a growing market; reselling of purchased RDPs is a growing market, and xDedic is really pioneering that market. Okay, next piece of code of conduct, and that's what I love about this: really, they've taken the read the [ __ ] manual procedure into really where it should be. And you can see in the middle, "we checked your request." Typically: my credentials don't

work, or my IP doesn't work, I can't connect to the RDP that I bought. So if we checked it and it turned out to be false, and user is just stupid or too lazy to read this, right, the FAQ: first strike, warning; second strike, we deduct money off of your account; third strike, we take all the remaining balance in your account and you're out of here. So they've really taken the read the [ __ ] manual into the appropriate level, right? Think what would happen if you try to implement this method in your organizations. Okay, last piece of the code of conduct, and that kind of gives us an

idea on what you actually buy from the platform. What you actually buy is an IP address, a port number, a username and a password. So that's what you buy. The seller is really responsible to set up whatever is required in the background for you as a buyer to connect to an RDP based on these connection parameters and be able to connect to your bought machines. We'll talk about the implication of this as we model our detection strategy, right? Because now that we've seen this, we can assume a lot on how the command and control infrastructure would look like, whether it's going to be tasking-based or it's going to be a heavyweight protocol,

and we'll talk about this a little later on in more detail. Okay, let's talk a little bit about the tool sets that a platform like xDedic offers; by the way, the different platforms are pretty similar in the type of tools that they typically offer. So a platform like xDedic offers tools that would ease the transaction of buying an RDP and increase the value that the buyer can get out of a bought asset. So this tool specifically is a tool to convert a bought RDP into an anonymous proxy, a SOCKS service, basically wrapped up into a fairly straightforward UI. Next one is RDP log cleaner. So if you bought an RDP, you want to make sure

that you cover your tracks after each session, so you get this nice tool here. But really the more interesting stuff are the next two tools. This tool actually helps you evaluate if the server or endpoint that you're about to buy is blacklisted by someone, all right? So you wouldn't want to buy an RDP that you wouldn't be able to use, and so they run it through a fraud detection mechanism to see if anyone had actually blacklisted that IP, whether it is for spam or financial fraud or credit card related fraud or anything else. So that's obviously a paid service; you pay per transaction, in this case not a big deal, 25 cents. Another tool they

offer is to make the most out of endpoint RDPs. The thing about RDP, obviously, with a Windows endpoint machine, is that you can't have concurrent connections of the same user, right? So when you look at, you know, two users trying to log in as administrator, they would kick each other out. And so the question is: how do I buy an RDP into a Windows 10 machine, and when I connect as the administrator that I am, after all I bought it, I don't disconnect the legitimate administrator so that they would notice that someone else is using that machine, and when they connect they don't kick me out? And so these guys

at xDedic, they built a patch for RDP; that's for the seller typically to install. What it does, it basically patches the RDP service so multiple connections of the same user can exist on that machine. And these are the type of tools that you would find in a large marketplace like xDedic. Any questions? Okay. So let's look at a few actual server lists, right, and see how that works. The first thing you do: you know, the typical targeted attacker is kind of like a kid in a candy store here, right? A lot of targeted attackers don't necessarily come into that store looking for a specific organization.

Many of them come into that store because they look for intellectual property, or they look for credit card information, or they look for Social Security numbers, or they look for health care related information or medical insurance information, and a variety of targets would fit their profile. They just need to see what opportunities exist here, and so they go into this platform and they start looking around. So if you start looking at, you know, "I want machines in specific organizations": you know, I just put in US here, but you can find ISPs like T-Mobile US. You want a machine with T-Mobile? It's not a problem, that's on their list. If you keep going, if you're interested in Verizon,

it's also not a problem. If you're interested in a variety of banks, there's a long list here. When you kind of filter all the machines that they have worldwide into US machines only, well, about a week ago this filtered to about 15,000 machines in the US. That's a combination of servers and endpoints; endpoints are about fifteen to twenty percent of that, the rest are servers. A big mass of that would be on cloud providers, AWS, Azure, IBM, Rackspace; others would be physical servers distributed all around the country. Again, you can check it out; I invite you to take a look at the list and see if you want to buy something.

But let's look at specific examples and see how simple that is. We have here a machine actually being resold by someone for three dollars in Washington, Seattle, University of Washington. And if anyone's interested, it has an added value feature here, right? And you can see how they build the value, right? In this case they tell you: listen, it's not only in the University of Washington, so if you're looking at stealing intellectual property that's probably a good base for you to start in; we also tell you which software tools are deployed on this machine, which websites they visited, and you can probably find credentials cached on those machines for these websites. In this case they tell

you it's a point-of-sale machine in the University of Washington, maybe in the student registration office. So you can kind of enjoy a world, right? You can try to take this machine for intellectual property, right, for data breach, or you can try to just steal credit cards off that machine. And let's take a look at another example, in this case a server from Phoenix sold for fourteen dollars: easy sweet. Anyone know who these guys are? Credit card processing services. If you want to buy a server in their processing service, it's sold for fourteen dollars right now. So here's another one: bristow words, Virginia. Have you heard about this company? It's a server in their server

farm, Mike Microsoft informatica. So if you're interested in intellectual property from those guys, if you're interested to potentially change their product and propagate malware into the customer base, it's right there for sale. How much was that? $14. That's not a big deal. It's not a big deal for the targeted attacker; on a platform like this they just go in and they click buy, buy, buy, buy, buy. An attractive machine would disappear from this platform within two to three hours. And when we go back to the security operations center organization that detected an incident of an adware running on one of their machines and deprioritized that incident to the bottom of the list, to be taken care of maybe

next week, and you consider the fact that if that machine exists in an interesting platform, and the organization that operates this adware is sophisticated enough to have a server or machine reselling operation, and most of them do, especially the sophisticated ones, it's going to be sold to a much more targeted actor than that adware operator in less than three hours. And what that buyer is going to do is a different question, and when they're going to decide to operate.

Oregon, $13, Intel Corporation. Anyone interested in that, in some very intellectual property, maybe modifying some of their security software? Why phish someone, right, when you can just buy a 2008 R2 server in their data center in Oregon for thirteen dollars? It's not even worth the minute you spend thinking about it, you just buy it. And the list goes on and on; it's an endless list, right? Now, in this case, University of South Florida, Pennsylvania, if you're not interested in South Florida. What's that here? Washington DC, a Windows 10 machine sold by our dear seller Mr. Obama here for 850 bucks. That's a big number, that is a big number for a machine. This guy has a

reason to believe this machine is extremely valuable. This platform is a very powerful social network: you can communicate directly with the sellers, you can book servers, reserve servers from sellers, you can have the first right of purchase from a specific seller if you believe that this guy is providing quality content, right, or quality access. So a person, Mr. Obama here, would not overprice the machine if they want to continue to be in that business. Again, it's the honor between thieves type thing. So, Washington DC, an interesting machine, Windows 10, being serviced in this case by Comcast Business. Anyone said maybe a machine at the DNC? Good question. Maybe it's

actually on the Trump side of the business.

Any questions on what we've seen here before we move on? Sorry? You could pay in different currencies, you can pay in bitcoins if you want, but the thing is, when you charge your account everything gets converted to dollars. Whichever currency you pay, it gets converted to dollars in your wallet, and then you use whatever you have in your wallet to buy those resources. The question was why is the currency here dollars and not stuff like Bitcoin. Interestingly enough, these platforms adopt a lot of the e-commerce practices as it relates to identifying fraud. So if you'd want to use anonymous proxies to pay those guys, you would see that in most cases they would block you,

because they're concerned, as anyone else, that the money that they've given you, or the credit that they've given you, is going to be rejected by the credit company. So they actually take you through a lot of the traditional e-commerce payment method verification processes and the fraud analysis. Any other questions on what we see here? Okay.

So, a few statistics, right, just to get a feel for what the numbers are, and you've already got a sense for what the numbers are. But let's talk about what aspects of the resource that's being sold impact the price; that would impact the actions that we would see the seller doing as they prepare a machine for sale, because they want to up the value as much as possible. So the most basic features, that would up the price by approximately fifty percent on the commodity price, which is five to ten dollars per machine: admin privileges, that saves a little time; public IP, that means I can use

that machine for setting up proxies, VPN gateways, I don't have to use specialized tunnels or C2 channels to get to it, I can use it from anywhere in the world; and network bandwidth, it has to be a significant amount of network bandwidth to actually impact that price. Next level, which would add between fifty percent and a thousand percent to the sales price, is the type of software that's installed on the machine and the applications, typically websites, that it had accessed, actually suggesting the type of usage, right? If it's point of sale, there's something I can grab off of it; if I see access to multiple banking applications, there's something I can grab off of it, right? So these have a

nice impact on the price. The jackpot, just like we've seen with our friend there, Mr. Obama, is enterprise affiliation. That would have a massive impact on the sales price, and that is why you would see crime organizations, like the ones that operate adware or click fraud tools, devote a specific part of their operation just to go over the machines that they have under their control, figure out what every one of them is worth, especially the enterprise associated ones, and putting them out for a sale. Because from a typical click fraud machine, across its lifetime, you would make somewhere between five dollars and twenty dollars per machine, but if you can sell

it here for a thousand dollars or $1,500 (some machines are sold for 357), then it's a major difference in your revenue stream. So just kind of a last anecdote on the data that we've seen off of this platform: the top five states in the country that host compromised machines for sale. I'll give you the first four and I'll be happy to take guesses for the fifth. Number one is the state of California; twenty one percent of the US-based machines offered for sale are actually based in California. New Jersey continues the list, New York and Texas. Who would you say is the fifth state? Sorry? Nope, nope, nope. It's going to be amazing, I found that amazing. No.

Go figure, go figure. But it is what it is; they have the exact same percentage as Texas and New York, so I don't know why that is. Yeah, well, there you go. I just thought it was kind of a sovereign approach to succeed cybersecurity. Okay, how does that look like when this process is actually happening in an enterprise network, from the attacked organization's point of view? So we're going to talk a little bit about a set of incidents that we've seen that happened with a specific type of click fraud organization. So typically in an incident like this, and we've seen multiple cases of the same process driven by the same

actor, we typically start with an untargeted, in this case it was an unknown fileless click fraud tool that affects several machines in the enterprise network. Typically the detection here was based on malicious use of PowerShell and malware communicating with known malicious C2 domains or IPs. Almost instantly, right, when you see this sort of characteristic, it gets deprioritized by a typical SOC, right? There are, you know, worse types of malware, there are more targeted operations; this is just a click fraud tool. You can see the communication pattern there, it communicates with a variety of ad platforms. You know, it really goes to the bottom of the list.

But then, in the organizations that we've worked with on these cases, the SOC typically continued to monitor the compromised machines automatically, and they also in parallel blocked access to that known C2 address that they found the click fraud tool communicating with. But on average about five days after that first infection, one of those machines, right (typically the operational profile was take one and start with one of the sets, right), one of those machines stopped attempting to communicate with a known C2 and was detected performing domain generation to establish its next version of command and control, and after that it communicated with an unknown C2

infrastructure. Now, the second upgrade that we saw here, as the operator here of the click fraud tool converted that machine and prepared it for a sale process: the second process was to change the profile of the C2 communication so it only occurred when the machine was apparently outside the corporate network. So if before that the C2 communication would happen all the time, obviously get blocked by the organizational setting of blocking the C2 IP address, now communication only happened when the local IP address started with 192.168 or 10.0, right? Typically that happened when that mobile machine was out of the corporate network,

and so the C2 communication went uninterrupted. Not something that you see from a broad, completely automated operation; that's typically something that you see as a result of a certain analysis that's done on the attacker's side on the machine that they're working on.

Next stage would typically happen within the next 24 hours, during which the C2 communication profile started including downloading and uploading significantly more data from the compromised endpoint tool, and included escalated privileges to local system. If beforehand the click fraud tool didn't require those privileges, in this part of the operation the tool escalated its privileges to local system. So if before we saw a communication profile that kind of matched the average click fraud in terms of web traffic, regular web traffic of hitting web pages and clicking buttons or links, afterwards we saw very significant bursts in the communication profile, and that could indicate, obviously, downloading of additional modules onto that endpoint, a heavier protocol than

just a simple tasking protocol, or exfiltration of broader system information from the client side towards the attacker. Next step that we've identified on these machines is that the attack tool injected code and migrated itself into a specific process, in this case msdtc. We see here an example of one of these processes, after being migrated into, communicating with the command and control infrastructure that was established by the DGA. One of the reasons, by the way, to migrate into a process like this is dumping credentials: on certain platforms you need to operate in the context of a built-in system service to be able to extract credentials out of that

machine. That's in many cases the reason to migrate into a process like this.

So let's try to summarize what we've seen into a set of, let's call them rules, or characteristics, of how a seller-marketplace-buyer relationship would look like, right, and see how we can derive detection mechanisms based on that. So in terms of the command and control, most of these marketplaces would actually work with protocols like RDP and SSH for the command and control, or for the transactions that take place to transfer control from the seller to the buyer. They're continuous, you typically don't risk losing access, they're very reliable, they're auto-verifiable, which is extremely important because the marketplace wants to make sure that the command and control channel works well

before they transfer the ownership to the buyer, so the buyer would not go back to the marketplace and say, "well, that doesn't work, I've tried it, it's not working." That way the marketplace can always say, "I've tried that right before you and it worked great." So tasking-based C2 command and control, especially proprietary ones that are built by the attackers, are not necessarily a great fit for this type of offering, right? Even the threat actors that have custom tasking C2 packages typically add RDP-based or SSH-based functionality prior to transacting on these machines, to make the transaction a lot more smooth. Obviously, once the buyer goes in, the C2 communication profile

changes to whatever the buyer wants it to be unless they resell and then it goes back privilege escalation it's important to get through that first level of value an admin access is worth more than an unprivileged account so even if you don't require admin access for your adware if you want to put it up for sale you want to maximize the value on it you should probably escalate your privileges to local system enumeration of installed pieces of software and browsing history so you can populate your value proposition on these marketplaces saying how valuable this machine is is something that you want to go through as a seller so given these

characteristics we can put in place a few detection mechanisms that can help us surface right that these processes are taking place right obviously as security operations can't prioritize everything especially not threats that are perceived to be very low risk to start with we want to have a mechanism in place that allows us to revisit a deprioritized incident and understand that what we've deprioritized a week ago is now something very different is going through a very different process and we should probably reconsider its prioritization for remediation so obviously changes in the command and control i.e. any changes from a known infrastructure to an unknown infrastructure is definitely an indicator it means that

it's worth more to the seller converting from straight IP to a domain generation any connections that are to RDP service especially on already compromised machines right and connections to RDP processes are not necessarily on port 3389 right connections to RDP processes are connections into the RDP process regardless of the port on which they work and regardless if they're coming in or if they're communicating with something that sent out that request changes in the RDP configuration the modules that are loaded by RDP services changes in privileges we talked about it identifying enumeration processes of browser history and installed pieces of software right as an indicator again on machines that we've already seen a malicious process running on so we know

that they have the potential of going through this process and we now want to identify these indicators that would tell us that something is potentially going on and something that was a little bit interesting kind of to us is we imagine that when a seller prepares a machine for sale they would stop their use of that machine so if they were using it for click fraud they would stop that click fraud prior to transacting apparently it's almost never the case the seller continues their operation and in many cases buyers buy the asset when the previous operation is actually still in process so the assumption of we're going to see a cessation of the previous behavior prior

to that transaction is actually not a very good indicator any questions

okay so either it was very good or very bad either I was very clear or very unclear what do you think yeah so you focused on Windows obviously but what about Macs is there a Mac marketplace or how is that specific platform marketed and sold yeah so the Mac marketplaces are actually a lot less common than the Windows marketplaces the marketplaces like xDedic that have commoditized this market are almost solely based on Windows machines there are smaller niche marketplaces for Linux machines and sometimes you would find Macs but they're pretty rare I would imagine it's potentially a demand perhaps an issue of demand but it's just what you see in the

marketplace yeah

from the point of view of a hacker it strikes me that uptime would be an important aspect of a machine especially given you can have it or hide behind it I didn't notice that on there I may not have seen it but I was wondering if that was a metric that was readily available yep so if you want we can take a look at it afterwards on my machine but every listing on the marketplace has an indication of an uptime right so you can get a clear understanding of how available this machine is yep

so I think what we're seeing right now is first and foremost a strong transition into the endpoint so traditionally these marketplaces would focus on servers and in the past couple of years you see an ever growing percentage of endpoints these would typically be Windows machines but I think the reason by the way was that the traditional actors in these marketplaces were people that would do server scanning IP scanning right they would find a server right and they would try to you know brute force it and list it for sale and then new players came into this market which are the commodity malware players right the adware players the click fraud players and their assets are mostly

endpoints but they've seen that they can transact on these endpoints and make you know and monetize them significantly more than they do with regular click fraud and that's why you see an increasing percentage of endpoints I think given this situation and the more we see these types of commodity malware going into mobile the more mobile endpoints we'll see in these platforms sure any other questions isn't it cool we have to stop again so thank you you