Tracking cyber kidnappers by Andrew Clark [APRICOT 2015]
•
0 gostou•1,916 visualizações
A presentation given during the second APCERT session of APRICOT 2015 on Wednesday, 4th March 2015.
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a Tracking cyber kidnappers by Andrew Clark [APRICOT 2015]
Semelhante a Tracking cyber kidnappers by Andrew Clark [APRICOT 2015] (20)
Mais de APNIC
Mais de APNIC (20)
Último
Último (20)
Tracking cyber kidnappers by Andrew Clark [APRICOT 2015]
- 1. Dr Andrew Clark Senior Technical Advisor, CERT Australia Tracking cyber kidnappers APRICOT 2015, Fukuoka APCERT Security Track data
- 2. Tracking cyber kidnappers data Presenta2on overview • About CERT Australia • Ransomware campaign targeGng Australia – CharacterisGcs – Response – Analysis • Related campaigns • Conclusion 2 APRICOT 2015 – Fukuoka -‐ APCERT Security Track
- 3. Tracking cyber kidnappers data • Provides major Australian businesses with informaGon about cyber threats and support in responding to cyber security incidents • Focus on systems of naGonal interest, including criGcal infrastructure About CERT Australia 3 APRICOT 2015 – Fukuoka -‐ APCERT Security Track
- 4. Tracking cyber kidnappers data • Trusted source of informaGon for partners (over 500 Australian businesses) • ParGcipant in a global network of naGonal CERTs, including APCERT About CERT Australia 4 APRICOT 2015 – Fukuoka -‐ APCERT Security Track
- 5. Tracking cyber kidnappers data CERT Australia services APRICOT 2015 – Fukuoka -‐ APCERT Security Track 5 Proac2ve Reac2ve Publica2ons v Advisories v Good pracGce guides v Protect products Informa2on exchanges v Regional v NaGonal Training and Exercises v ICS / domesGc training v Eg. Cyber Storm v Regional exercises v Custom exercises Assistance / support to v ACSC agency partners v Hotline Ac2vi2es v Onsite assistance (e.g. major ISPs, technology companies) v CND advice v Offsite malware, log and other analysis
- 6. Tracking cyber kidnappers data Background • In late 2013, CERT Australia began tracking an internaGonal ransomware campaign targeGng Australia • The aWack was prolonged – persisGng throughout 2014 (and into 2015) – affected a large range of partners, across all sectors • The email lures used localised themes • The infrastructure shiYed rapidly to confound detecGon APRICOT 2015 – Fukuoka -‐ APCERT Security Track 6
- 7. Tracking cyber kidnappers data Background – targe2ng* APRICOT 2015 – Fukuoka -‐ APCERT Security Track 7 * Source: “TorrentLocker: Ransomware in a country near you”, M-‐E.M. Léveillé, December 2014.
- 8. Tracking cyber kidnappers data The ‘business’ model (a.k.a. TorrentLocker) 1. Send themed spam containing website link to vicGm (official looking domain names, e.g. aus-‐post.info) 2. VicGm visits website and downloads ‘bill’ or ‘viewer’ (malware) and runs it 3. Malware encrypts files (including those on network shares) and asks for ransom to decrypt them 4. VicGm pays ransom (BitCoins) via TOR-‐protected site 5. VicGm downloads decrypGon program to decrypt files APRICOT 2015 – Fukuoka -‐ APCERT Security Track 8
- 9. Tracking cyber kidnappers data Campaign characteris2cs • Keep ‘consumers’ (vicGms) confident – Re-‐used previous campaign branding (CryptoLocker) – Won’t pay if they’re not going to get their files back • Constantly evolving – New domains registered almost daily • to keep ahead of takedowns – Malware binary changed almost daily • to keep ahead of anG-‐virus updates APRICOT 2015 – Fukuoka -‐ APCERT Security Track 9
- 10. APRICOT 2015 – Fukuoka -‐ APCERT Security Track 10
- 11. AV resistant for 24-‐48 hrs 11 APRICOT 2015 – Fukuoka -‐ APCERT Security Track
- 12. Tracking cyber kidnappers data Campaign characteris2cs • Constantly evolving (cont.) – New infrastructure (IP addresses) – Regular theme updates • Australia Post (parcel to collect) • Energy Australia (electricity bill) • Telstra (telephone bill) • NSW Government (traffic speeding fine) • Various other internaGonal flavours APRICOT 2015 – Fukuoka -‐ APCERT Security Track 12
- 13. APRICOT 2015 – Fukuoka -‐ APCERT Security Track 13 postaut.com/
- 14. energy-‐objecGve.com/ Examples energy-‐australia.org energyaaa.com energyai.net energymar.com 14 APRICOT 2015 – Fukuoka -‐ APCERT Security Track
- 15. telstraa.biz/ Examples telstra-‐info.com teltsra.net tesltra.org tesltraa.org 15 APRICOT 2015 – Fukuoka -‐ APCERT Security Track
- 16. details-‐nsw1-‐gov.net/ Examples nsw-‐gov.net osr-‐nsw-‐gov.net state-‐nsw-‐gov.com penalty-‐nsw-‐gov.org 16 APRICOT 2015 – Fukuoka -‐ APCERT Security Track
- 17. csposta24.org/ Examples cs-‐post24.org cz-‐posta.net cz-‐post.net (Czech Post) 17 APRICOT 2015 – Fukuoka -‐ APCERT Security Track
- 18. mysda24.org/ Examples sda-‐expresso24.com sda-‐express24.org mysda24.com (Italian Post) 18 APRICOT 2015 – Fukuoka -‐ APCERT Security Track
- 19. auspost-‐home.com ?? Examples royalmail-‐service.co.uk royalmail-‐groupltd.net royalmail-‐service.org royalmail-‐tracking24.net 19 APRICOT 2015 – Fukuoka -‐ APCERT Security Track
- 20. Tracking cyber kidnappers data Campaign characteris2cs • Constantly evolving (cont.) – InfecGon vector a. vicGm downloads exe/rar/zip b. aWachment (Word) with malicious macro – macro downloads encrypGon malware APRICOT 2015 – Fukuoka -‐ APCERT Security Track 20
- 21. Examples: royalmail-‐service.co.uk royalmail-‐groupltd.net royalmail-‐service.org royalmail-‐ tracking24.net MACROS Now with social engineering 21 APRICOT 2015 – Fukuoka -‐ APCERT Security Track
- 22. Tracking cyber kidnappers data The CERT’s incident response role APRICOT 2015 – Fukuoka -‐ APCERT Security Track 22 Analysis CERT VicGms Theme VicGms Partners Law Enforcement Samples Advice Samples Advisories and indicators
- 23. Tracking cyber kidnappers data Defending against ransomware • Staff educaGon and awareness training • ApplicaGon whitelisGng – Not just EXE’s – DLL’s, SCRIPTS and MACROS ! • Restrict admin privileges (to reduce impact) • Regular back-‐ups or snapshots (and store offline) • Block indicators of compromise (IOCs) APRICOT 2015 – Fukuoka -‐ APCERT Security Track 23
- 24. Tracking cyber kidnappers data Analysis -‐ indicators • Pre-‐infecGon – Email messages • sender, subject, links (URLs) – ‘Fake’ domains (mimicking valid sites) • Post-‐infecGon – C2 domains & IP addresses – File names and hashes APRICOT 2015 – Fukuoka -‐ APCERT Security Track 24
- 25. Tracking cyber kidnappers data Analysis – indicator sharing • Express indicators in STIX format • STIX: Structured Threat InformaGon eXpression – highly descripGve • indicators, observables, TTPs, CoA, Kill Chain – machine readable • supported by growing number of tools – automated sharing via TAXII service APRICOT 2015 – Fukuoka -‐ APCERT Security Track 25
- 26. Tracking cyber kidnappers data Analysis -‐ links to other campaigns • Links between this ransomware campaign and banking trojans have been idenGfied – Hesperbot – Dridex APRICOT 2015 – Fukuoka -‐ APCERT Security Track 26
- 27. Info.doc “Invoice Theme” Macro MACRO > h[W]p://109.105.193[.]99/a.png C2 = allwayshappy[.]ru (Dridex) MACRO > h[W]p://officeimage[.]ru/au.png C2 = casinoroyal7[.]ru (TorrentLocker) Order.doc “Invoice Theme” Macro Australia Post Phishing aupostalservice24[.]org track_309280983902001.EXE (MD5: 381e3c5e57431ecbeb072463cacd2056) C2 = casinoroyal7[.]ru (TorrentLocker) Nsw-‐gov Speeding Fine Phishing penalty_id_879847922.exe (MD5: D0533A17312C65B5C5560696E4CA994C) C2 = allwayshappy[.]ru (TorrentLocker) Metadata linked C2 linked C2 linked Same IP 27 APRICOT 2015 – Fukuoka -‐ APCERT Security Track
- 28. Tracking cyber kidnappers data Analysis – Word Macro observa2ons • As before, actors are conGnually tweaking techniques, also modernising old techniques – Early word macro code > URL’s were in clear text – Newer variants are increasingly more obfuscated – Password protected macro’s appearing – SANDBOXES having some trouble scanning these files – Advanced variants uGlizing Powershell – Latest variant using embedded EXE’s, smaller footprint 28 APRICOT 2015 – Fukuoka -‐ APCERT Security Track
- 29. Tracking cyber kidnappers data Australia Post Theme Oct 2013 Hesperbot Australia Post Theme Nov 2013 CryptoLocker Energy Australia Theme May 2014 CryptoLocker /CryptoWall Telstra Theme Sep 2014 TorrentLocker NSW-‐Gov “RTA Speeding Fine” Theme Oct 2014 TorrentLocker “Invoice” Theme .DOC Macros Oct 2014 Dridex / TorrentLocker APRICOT 2015 – Fukuoka -‐ APCERT Security Track 29
- 30. Tracking cyber kidnappers data Conclusion • Organised, well funded and VERY persistent • Prolific -‐ affecGng government, individuals, small and large businesses • MulGple countries targeted, with localised themes • Actors are nimble and conGnually tweaking techniques – TorrentLocker updated within a week to patch a “XOR” bug allowing decrypGon. (September 2014) – Phishing websites filtering source IP address via country – Freshly compromised WordPress websites used in phishing emails as redirector links, complicaGng detecGon and filtering – ConGnual wave of new IP addresses used to host phishing sites. Clean reputaGon, IP addresses mostly not seen before. APRICOT 2015 – Fukuoka -‐ APCERT Security Track 30
Notas do Editor
- To track the activity, the CERT worked closely with Stay Smart Online and other ACSC agencies, including the Australian Federal Police and the Australian Crime Commission. In particular, when the actors shifted to a new delivery mechanism using malicious Microsoft Word documents containing macros, the CERT was able to quickly identify the change and pre-warn its partners. The CERT facilitated and led the proactive defence effort by providing timely indicators of compromise to our partners, as well as assisting with infrastructure takedowns and victim recovery. This was accomplished through our own analysis and by leveraging our national and international partnerships. Throughout the campaign the CERT also provided its partners with longer term preventative strategies.
- Notice the 22558 captcha is re-used across campaigns.
- Notice the 22558 captcha is re-used across campaigns.
- Notice the 22558 captcha is re-used across campaigns. This Australia Post domain was also incorrectly configured by attackers with a UK Royal Mail splash page.
- Application whitelisting of macro’s is becoming an important consideration
- ANIMATED SLIDE Links exist between earlier Australia Post theme phishing emails distributing CryptoLocker/TorrentLocker and recent Word Documents Early word documents distributing TorrentLocker are clearly also linked to newer variants distributing Dridex banking malware. This was further shown when an Australia Post theme email containing a Word Document was first seen, late November 2014.
- We conducted an in-depth investigation because attacks were so prolific, prolonged and involved. Found rapidly changing lures, C2 infrastructure and implants – torrentlocker, cryptolocker, hesperbot, etc CERT able to provide proactive information to our members of this kind of attack, due in part to what our international partner certs had been seeing.
- Aspects of these campaigns: - Shadow Volume copies Ransom time limit Bitcoin ransom in AUD Domains also used to drop hesperbot and other trojans – usually banking Reputational damage to large business Worked with Stay Smart Online and CSOC / ACSC to provide readily available online advice and publicise these attacks to forewarn targets and assist those affected.