91 tweets, 67 min read
I’m going to be live tweeting the #FireEyeSummit technical track chaired by @stvemillertime
First up is @HoldSecurity discussing how to harvest information from botnets

#FireEyeSummit
@HoldSecurity Harvests information periodically from various botnet information panels (that give them view into the size and systems in the botnet).

Fun fact - Gozi botnet has so many systems connected all queries on the information panel time out

#FireEyeSummit
Example of personal information harvested from a system infected by a botnet that is then sold on underground forums. Even takes a browser fingerprint to bypass (w/FraudFox) banking controls that rely on that fingerprint to challenge a user for more info or MFA

#FireEyeSummit
Cyber criminals will often infect a system they control first. This picture is from L0rdix botnet control panel showing an IP address in Romania which is likely a system controlled by the botnet operator. They didn’t bother scrubbing this info.

#FireEyeSummit
Next up is @ashley_shen_920 discussing ICEFOG (first reported by @kaspersky) - is it a malware family? Is it a threat group? No public reporting since 2014 - what happened?

#FireEyeSummit
@ashley_shen_920 identified some new ICEFOG malware. She analyzed the pdb strings (a @stvemillertime favorite) and compared differences between older samples and the new samples

#FireEyeSummit
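
Added example (mine, not code from the talk or this thread): a byte scan for CodeView RSDS debug records that pulls the PDB GUID, age and path out of raw sample bytes and then diffs path components between an "old" and a "new" sample, the kind of comparison described above. The two samples, their GUIDs and their PDB paths are constructed for the demo and are not real ICEFOG artifacts.

```python
import re
import struct
import uuid


def _rsds(guid, age, path):
    """Build a CodeView RSDS record: "RSDS" + GUID (little-endian layout) + age + NUL-terminated path."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# Constructed test data: two fake "samples" that each embed one RSDS record.
# GUIDs, ages and paths are made up for this example.
OLD_SAMPLE = (b"\x00" * 32
              + _rsds(uuid.UUID("11111111-2222-3333-4444-555555555555"), 1,
                      r"C:\Projects\icefog\Release\icefog.pdb")
              + b"\x00" * 16)
NEW_SAMPLE = (b"\x00" * 32
              + _rsds(uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"), 3,
                      r"D:\work\icefog\x64\Release\loader.pdb")
              + b"\x00" * 16)

# "RSDS", 16-byte GUID, 4-byte age, printable path, NUL terminator.
_RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260})\x00", re.DOTALL)


def extract_pdb_records(data):
    """Scan raw bytes for CodeView RSDS records and decode GUID, age and PDB path.

    A byte scan (instead of walking IMAGE_DIRECTORY_ENTRY_DEBUG) also works on
    memory dumps and on samples with damaged headers; the price is the occasional
    false hit on arbitrary data that happens to contain "RSDS".
    """
    records = []
    for m in _RSDS_RE.finditer(data):
        guid = uuid.UUID(bytes_le=m.group(1))
        age = struct.unpack("<I", m.group(2))[0]
        records.append({
            "guid": str(guid),
            "age": age,
            "path": m.group(3).decode("ascii"),
            # Symbol-server style id: GUID without dashes, upper case, followed by the age in hex.
            "symsrv_id": "%s%X" % (guid.hex.upper(), age),
        })
    return records


def pdb_diff(old_sample, new_sample):
    """Compare PDB paths between two samples: full paths plus the path components they share.

    Shared components (project or user directory names) are the pivot. Remember the
    path is a free-form string under the author's control; it can be stripped or faked.
    """
    old_paths = [r["path"] for r in extract_pdb_records(old_sample)]
    new_paths = [r["path"] for r in extract_pdb_records(new_sample)]

    def components(path):
        return {c for c in path.replace("\\", "/").split("/") if c}

    shared = set()
    for o in old_paths:
        for n in new_paths:
            shared |= components(o) & components(n)
    return {"old": old_paths, "new": new_paths, "shared_components": sorted(shared)}


if __name__ == "__main__":
    for rec in extract_pdb_records(OLD_SAMPLE) + extract_pdb_records(NEW_SAMPLE):
        print(rec)
    print(pdb_diff(OLD_SAMPLE, NEW_SAMPLE))
```

Run it against a directory of samples and the shared components ("icefog", "Release") become the pivot; the GUID+age id is what you would feed a symbol server if the PDB ever leaked.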
What happened after 2014? Eight campaigns identified/clustered. First campaign targeted Mongolian targets and also leveraged Sogu/Plugx malware

#FireEyeSummit
Side personal thought.

Is it a fair comparison to describe Sogu/Plugx as the AK-47 of Chinese APT malware families? It is used by more groups than any other backdoor family I can think of.

#FireEyeSummit
Some of the campaigns with ICEFOG variants have overlaps with APT9 and APT15

I like the legend in the bottom right showing confidence levels in the assessment.

#FireEyeSummit
What’s the conclusion? ICEFOG (like SOGU) is a malware family used by multiple Chinese threat actors including APT9 and APT15 and a new group/cluster we identified targeting central Asian countries.

#FireEyeSummit
Next up is @stonepwn3000 Director of the Advanced Practices team @FireEye talking about the trends we are seeing across threat actors

#FireEyeSummit
@stonepwn3000 discussing the various ways we get data/telemetry to form conclusions including product telemetry from endpoint, email, network, & SIEM products, @Mandiant incident response engagements, managed defense customers, & monitoring criminal underground

#FireEyeSummit
Some interesting statistics of what a “typical/average” client looks like.

A typical client is seeing 500 emails on average get through their other security controls before they get to ours.

#FireEyeSummit
“One of my favorite IRs we had an Iranian threat actor and then found a Chinese threat actor (APT3) was also there”

Dwell time is considered to be time from entry into environment until they were discovered.

#FireEyeSummit
Out of 858 intrusions investigated in 2019 only 1 was Mac-only & 9 Linux-only. Vast majority Windows-only

A notable trend/statistic is that 12 intrusions involved an insider (this number in the past was usually 0). Only 235 out of the 858 involved a targeted intrusion

#FireEyeSummit
Key stats from the last year.

#FireEyeSummit
How did we get to attributing and the public report on #APT41?

9 clusters of activity we kept separate until we could identify technical overlap to merge it together.

#FireEyeSummit
Overview of Cobalt Strike Beacon samples seen in last year

Numbers in blue are primarily red teams we track as clusters (e.g legitimate usage). Numbers in red are number of samples used by malicious threat actors including FIN6, FIN7, APT19, APT32, APT40, APT41

#FireEyeSummit
Next up: @benhacks and Todd Plantenga talking about Rich Headers created by compiler/linker in a PE and the types of information you can get from it

#FireEyeSummit
Todd walking through their analysis of ~8 million PE samples and showing a graph of frequency that we see those headers. He was trying to figure out whether a rich header hash would be useful for pivoting/clustering in analysis

#FireEyeSummit
How does rich header hash compare to import hash for clustering?

I’m glad you asked...rich header hashes (from the data) are more useful than imphash. One difference is the import table cannot be manipulated but the rich header can be modified w/o affecting functionality

#FireEyeSummit
With Rich Header hash (RichHash) overlap - careful with attribution or using it to determine maliciousness of a file. There could be a shared builder or malware author copies a legitimate file (e.g bcrypt.dll in second picture) and makes modifications

#FireEyeSummit
There are different ways you can use information in Rich Headers to do hashing/pivoting/clustering - and each has tradeoffs

#FireEyeSummit
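
Added example (mine, not code from the talk): a parser that locates the Rich header between the DOS header and the PE signature, decodes it with the XOR key stored after the "Rich" marker, and hashes the cleartext. "RichHash" is assumed here to be MD5 over the decoded bytes from DanS up to "Rich" (the pefile convention); the sample PE and its comp_id/count pairs are constructed. It also shows the caveat above: changing one count touches nothing outside the header, so the file still runs but the hash changes, while re-keying the header leaves the hash alone.

```python
import hashlib
import struct

DANS = 0x536E6144  # b"DanS" read as a little-endian DWORD


def build_rich_header(key, entries):
    """Encode a Rich header: DanS + 3 padding DWORDs + (comp_id, count) pairs, each
    XORed with key, then the "Rich" marker and the key in clear. Constructed data."""
    clear = [DANS, 0, 0, 0]
    for comp_id, count in entries:
        clear += [comp_id, count]
    encoded = b"".join(struct.pack("<I", d ^ key) for d in clear)
    return encoded + b"Rich" + struct.pack("<I", key)


def build_fake_pe(rich):
    """MZ header whose e_lfanew points just past the Rich header, then a PE signature.
    Enough structure for the parser; not a loadable binary."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64 + len(rich))
    return bytes(dos) + rich + b"PE\x00\x00" + b"\x00" * 24


def parse_rich_header(data):
    """Return (xor_key, [(product_id, build, count), ...], cleartext_bytes) or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The header sits between the DOS header and the PE signature; search only there.
    end = data.rfind(b"Rich", 0x40, e_lfanew)
    if end == -1 or end + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]
    start = None
    pos = end - 4
    while pos >= 0x40:  # walk back one DWORD at a time until the decoded DanS marker
        if struct.unpack_from("<I", data, pos)[0] ^ key == DANS:
            start = pos
            break
        pos -= 4
    if start is None:
        return None
    clear = b"".join(struct.pack("<I", struct.unpack_from("<I", data, i)[0] ^ key)
                     for i in range(start, end, 4))
    dwords = struct.unpack("<%dI" % (len(clear) // 4), clear)
    # Skip DanS and the three padding DWORDs; the rest are (comp_id, count) pairs.
    entries = [(cid >> 16, cid & 0xFFFF, cnt) for cid, cnt in zip(dwords[4::2], dwords[5::2])]
    return key, entries, clear


def rich_hash(data):
    """MD5 over the decoded header from DanS up to (not including) "Rich".
    Assumed to be what the talk calls RichHash (it is the pefile convention)."""
    parsed = parse_rich_header(data)
    return None if parsed is None else hashlib.md5(parsed[2]).hexdigest()


# Constructed sample: two made-up comp_ids (product 1 build 90 used 3 times,
# product 0x83 build 0 used 12 times) encoded under an arbitrary key.
SAMPLE_ENTRIES = [(0x0001005A, 3), (0x00830000, 12)]
SAMPLE_PE = build_fake_pe(build_rich_header(0x12345678, SAMPLE_ENTRIES))


if __name__ == "__main__":
    key, entries, _ = parse_rich_header(SAMPLE_PE)
    print("key=%08x entries=%r richhash=%s" % (key, entries, rich_hash(SAMPLE_PE)))
```

Because the hash is computed over the decoded bytes, the XOR key drops out; only the product/build/count content matters, which is exactly why a toolchain shared between authors (or a Rich header copied from a legitimate file) produces collisions that say nothing about who wrote the sample.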
Next up @0x4steve discussing how to get “left of boom” to proactively detect or even prevent attacks before they are launched against your environment.

#FireEyeSummit
@shodanhq and @censysio query syntax to fingerprint Cobalt Strike Beacon, Metasploit, PowerShell Empire, and Responder C2 servers as they are stood up

#FireEyeSummit
Aaron’s favorite example because it is so simple. It isn’t inherently malicious - it is a weak signal looking for powershell.exe in the HTTP response body

#FireEyeSummit
We’ve been proactively hunting for C2 infrastructure for about a year now. In that time we’ve found >300k (yes that is three hundred thousand) unique C2 servers stood up.

#FireEyeSummit
Programming note: Aaron’s Twitter handle is @x04steve

#FireEyeSummit
Next up Nick Bennett and Joe Mehegan talking about defensive trends (e.g what controls work and what don’t based on intrusions we’ve worked).

#FireEyeSummit
Step 1: Identify list of accounts that are highly privileged - because virtually every attacker would need to use one of those to accomplish their mission. Can’t just focus on groups like domain admin/enterprise admin

#FireEyeSummit
Step 2: Implement a tiered architecture model which includes implementing privileged access workstations.

docs.microsoft.com/en-us/windows-…

Focus can’t just be on limiting how many privileged accounts exist - but where they can/can’t login

#FireEyeSummit
The number one thing that slows down eradication efforts from a catastrophic breach is that they’ve never rotated all passwords before

Proactively rotating all passwords before a breach vastly shortens the time to implement recovery efforts from a catastrophic breach

#FireEyeSummit
Joe gives examples of endpoint hardening techniques (e.g do you disable all macros or only allow them to run from specific location). My personal favorite is the last recommendation (e.g use host based firewalls to prevent workstation->workstation comms)

#FireEyeSummit
Last session of the day
@highviscosity
@williballenthin & @nicastronaut cover examples of targeted attacks on macOS & the forensic artifacts you can use to investigate

#FireEyeSummit
@williballenthin walking through an example phishing email which instructs the user to use curl to run a bash script on a remote system

#FireEyeSummit
@HighViscosity discussing how attacker tried to cover tracks by deleting the unified log and unsetting bash history.

Default size of certain macOS log files is only 2MB

#FireEyeSummit
Used savedState to help reconstruct what happened. Reverse engineered and determined that the data is encrypted with a 128 bit AES key.

Once decrypted they were able to recover the shell history

#FireEyeSummit
Attacker used Apple Remote Desktop to move laterally which creates lots of valuable forensic artifacts including every application executed. These cache files are centrally synced daily.

#FireEyeSummit
Found a new macOS forensic artifact (filesystem.cache) which is a snapshot of file system metadata and also synced daily centrally to administrator workstation (second screenshot is “clean” output after @williballenthin figured out how to parse the cache)

#FireEyeSummit
Found another gold mine of a forensic artifact the RMDB - which gets you detailed application usage, user logins, system information and this data (unlike the previous caches discussed which roll daily) goes back indefinitely (1.5 years in this investigation)

#FireEyeSummit
@FireEye will be releasing a blog shortly with technical details of these Apple Remote Desktop forensic artifacts as well as a tool to parse them

CC: @iamevltwin @HeatherMahalik

#FireEyeSummit
Entire attack involved initial phishing email, curl, ssh, Apple Remote Desktop, and JAMF and there was zero malware used in the entire incident. “The attacker lived off the land (or the orchard) the entire time”

#FireEyeSummit
And that’s a wrap for day 1 of #FireEyeSummit

@stvemillertime and I hope to catch up with you in person at tonight’s Oktoberfest reception
Picking up the live Tweeting where we left off for day two of the technical track at the #FireEyeSummit

@BarryV is covering Code Signing beyond PEs
One reason to sign malicious code - Windows Vista and above won’t load a kernel driver unless it is signed. Windows 10 version 1607 requires a certificate with extended validation.

#FireEyeSummit
Did you know you can sign Macros and/or only allow macros or scripts signed with a specific certificate?

Windows Scripting Host introduced signature enforcement in 2001...and virtually no one uses it (that I’ve ever seen)

#FireEyeSummit
Signing certificate compromise is pretty rare, but high impact. Attacker has to compromise a company, get into code signing infra, then get into build or signing process. This is why virtually all cases of this have been with well resourced nation state groups

#FireEyeSummit
Large underground market in code signing certs, and relatively cheap as well ($400-$2000)

#FireEyeSummit
Had to step out for a few minutes and @ItsReallyNick picked up the thread for me

#FireEyeSummit

Question from the audience:

Can you use the same code signing certificate to sign different file types?

Yes - the same code signing certificate can be used to sign multiple file types including PEs, documents, macros, and JavaScript (and more)

#FireEyeSummit
Next up: Data science applied to threat hunting by Ben Ruffley and John Robenalt from P&G

#FireEyeSummit
What toolsets do they use for threat hunting?
Helix, HX, Data Lake, and UEBA platform

Example of where hunting/ML can be challenging is looking for networking beaconing because so many legitimate applications communicate out on a periodic basis.

#FireEyeSummit
What does the P&G data lake pipeline look like?

Apache Nifi + S3 + Athena + EMR + Apache Spark + Jupyter notebooks

#FireEyeSummit
They take raw log data and parse it/give it meaning on the fly via Athena SQL.

Schema on read/query FTW!

#FireEyeSummit
Interesting approach to ML in their network. They created their own “simulated” network callback and used it (starting with a pretend known bad) to do feature engineering, clustered results, and then looked at resulting clusters to prove out/refine the approach

#FireEyeSummit
Next up is about evading detection with shellcode - Casey Erikson & @evan_pena

#FireEyeSummit
The @Mandiant red team combines living off the land binaries (LOLbins) to proxy code execution to load shellcode in a DLL. Only requirement is to line up the export of the DLL to what the LOLbin is expecting/calling

#FireEyeSummit
A theme @ItsReallyNick and I have discussed a lot on #StateOfTheHack brought up by @evan_pena2003

Red team moving away from PowerShell based tooling/attacks to C# & shellcode due to improved visibility/detection/prevention by AMSI, EDR tools & better logging

#FireEyeSummit
Red team released (today) a new tool/framework called DueDLLigence and corresponding blog post to facilitate shellcode injection/execution

#FireEyeSummit
You can use DueDLLigence to inject into existing process or have it spin up arbitrary process

I think they have an interesting approach so they never had a RWX page in memory. They set RW first, load shellcode, then change permissions to RX & remove write privs

#FireEyeSummit
Next up: @Int2e_ and Anders Velby talking all things related to Exchange server malware

Side note - they are flying through slides so trying to keep up

#FireEyeSummit
Two examples of malware families that use sending/receiving emails and Exchange transport agents to enable command and control. Ridiculously stealthy/interesting way of achieving command and control

REDMAIL used by Platinum and XTRANS used by Turla

#FireEyeSummit
A few weeks ago Anders found a new malware variant used by Turla (uploaded to VT) called NetTRANS

Both NetTRANS and XTRANS store their commands in jpeg images

#FireEyeSummit
On the host you can parse the agents.config to return information about all installed exchange transport agents

Can you spot the malicious transport agent in the first screenshot?

#FireEyeSummit
Pro tip: remediating an Exchange transport agent infection requires restarting the Exchange server to take effect - even if you’ve disabled or deleted the agent

Anders & Adrienne found a way to use WMI event filters to persist a transport agent instead of using agents.config

#FireEyeSummit
Few detection ideas (some easy some hard)

1️⃣ Look for child processes of EdgeTransport.exe
2️⃣ Monitor for modifications to agents.config file
3️⃣ Parse memory of EdgeTransport.exe and analyze all loaded DLLs (hard)

#FireEyeSummit
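
Added example for the agents.config parsing above and for detection idea 2 (mine, not code from the talk): parse the transport agent registry and flag agents whose assembly does not live under the Exchange agents directory or whose class factory is outside the Microsoft.Exchange namespace. The agents.config text is constructed; the file location and attribute names are assumed from an on-prem Exchange default install, and the third agent is a planted stand-in, not a real malware artifact.

```python
import xml.etree.ElementTree as ET

# Where on-prem Exchange keeps the transport agent registry (assumed default install path).
EXCHANGE_INSTALL = r"C:\Program Files\Microsoft\Exchange Server\V15"
AGENTS_CONFIG_PATH = EXCHANGE_INSTALL + r"\TransportRoles\Shared\agents.config"

# Constructed agents.config. The third agent mimics built-in naming but loads its DLL
# from outside the Exchange install directory.
SAMPLE_AGENTS_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <mexRuntime>
    <monitoring>
      <agentExecution timeLimitInMilliseconds="90000" />
    </monitoring>
    <agentList>
      <agent name="Transport Rule Agent"
             baseType="Microsoft.Exchange.Data.Transport.Routing.RoutingAgent"
             classFactory="Microsoft.Exchange.MessagingPolicies.TransportRuleAgent.TransportRuleAgentFactory"
             assemblyPath="C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Rule\Microsoft.Exchange.MessagingPolicies.TransportRuleAgent.dll"
             enabled="true" />
      <agent name="Content Filter Agent"
             baseType="Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent"
             classFactory="Microsoft.Exchange.Transport.Agent.ContentFilter.ContentFilterAgentFactory"
             assemblyPath="C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll"
             enabled="true" />
      <agent name="Exchange Health Agent"
             baseType="Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent"
             classFactory="Microsoft.Exchange.Transport.Agent.ExchangeHealth.ExchangeHealthAgentFactory"
             assemblyPath="C:\ProgramData\Microsoft\Exchange\Transport\ExchangeHealth.dll"
             enabled="true" />
    </agentList>
  </mexRuntime>
</configuration>
"""


def parse_agents_config(xml_text):
    """Return every registered transport agent with the attributes that matter for triage."""
    root = ET.fromstring(xml_text)
    keys = ("name", "baseType", "classFactory", "assemblyPath", "enabled")
    return [{k: agent.get(k) for k in keys} for agent in root.iter("agent")]


def _norm(path):
    """Case-insensitive, slash-normalised comparison key for Windows paths."""
    return path.replace("\\", "/").lower().rstrip("/")


def _under(path, directory):
    return _norm(path).startswith(_norm(directory) + "/")


def suspicious_agents(agents, install_dir=EXCHANGE_INSTALL):
    """Flag agents whose DLL is outside <install>/TransportRoles/agents or whose factory
    is not in the Microsoft.Exchange namespace. Third-party AV/DLP agents will also trip
    the path check, so treat the result as a triage list, not a verdict."""
    agents_dir = install_dir + r"\TransportRoles\agents"
    findings = []
    for a in agents:
        reasons = []
        if not _under(a["assemblyPath"] or "", agents_dir):
            reasons.append("assembly outside Exchange agents directory")
        if not (a["classFactory"] or "").startswith("Microsoft.Exchange."):
            reasons.append("class factory outside Microsoft.Exchange namespace")
        if reasons:
            findings.append((a["name"], reasons))
    return findings


if __name__ == "__main__":
    # On a real server: open(AGENTS_CONFIG_PATH, "rb").read() instead of the sample.
    for name, reasons in suspicious_agents(parse_agents_config(SAMPLE_AGENTS_CONFIG)):
        print(name, "->", "; ".join(reasons))
```

Hash the file and diff it against the last known-good copy on a schedule; that covers idea 2, and the path check above is what turns a diff into a lead. It does not catch the WMI-persisted variant, which never touches agents.config.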
Note: talked with Anders and Adrienne after their talk. Exchange Transport Agents are only relevant to on-prem Exchange and not O365 as it’s not a supported feature.

#FireEyeSummit
Next up:
BECs and beyond, investigations in O365 by @madeleyjosh and @doughsec

Doug notes he has developed a love/hate relationship with O365

#FireEyeSummit
With O365 orgs need to be aware of what authentication methods are configured/enabled. Most notably legacy auth is enabled by default, doesn’t support MFA, and is used for POP, IMAP, MAPI, PowerShell, EWS, AutoDiscover

#FireEyeSummit
Real-time monitoring of unified audit log not possible because log events *may* take up to 24 hours to show up 😳😳

#FireEyeSummit
Note: message bind events (e.g what emails viewed) only enabled for admin users (which happens rarely) & not for *actual* user/owner of email account or delegate(s)

**makes investigating mail compromise hard b/c you can’t determine what emails viewed by attacker

#FireEyeSummit
If you can contact FBI within 24 hours of Business Email Compromise - high likelihood the banks can recover the money. If longer than that - unlikely to recover wired funds.

#FireEyeSummit
What happens if you use ADFS and a password spray attack occurs - failed authentications are *not* recorded in the O365 unified audit log 😱

#FireEyeSummit
In an #APT35 intrusion they used e-discovery capabilities of O365 to search for RSA seed files (we’ve seen this at over 12 incident response engagements) to register a MFA token

#FireEyeSummit
What’s a good way of stealthily accessing another users email? Delegate access for the email account. And there is very little logged when attackers use this method because only creation events and folder access events are logged in the unified audit log

#FireEyeSummit
Ewww - one of my favorite subjects. Just like we reported in 2016/2017 with Google - an attacker can create an OAuth app (an Azure app). Once user consents - the app can bypass MFA. Unless you have E5 license only choice is to either enable/disable ALL apps

#FireEyeSummit
Closing thoughts on O365

#FireEyeSummit
Last talk of the day: All things APT41
With Ray Leong and the bearded wonder @MrDanPerez

#FireEyeSummit
Programming Note: @ItsReallyNick and I had a dedicated #StateOfTheHack episode with Ray and Jackie O’Leary

APT41 LOVES software supply chain compromise including
CCleaner, NetSarang, League of Legends, FIFA Online 3...etc

Out of these CCleaner likely enabled them access to virtually any org in the world

#FireEyeSummit
.@ItsReallyNick favorite subject - execution guardrails!

APT41 encrypted payloads w/DPAPI so would only decrypt/execute on specific system of their choice. APT41 has also leveraged volume serial IDs to whitelist systems that would receive second stage payloads

#FireEyeSummit
Kind of neat - FLARE figured out they could brute force key space of ~4 billion keys (relatively small) based on the volume serial ID to decrypt the payload

This enabled us to identify two new malware families

#FireEyeSummit
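
Added example (mine, not FLARE's code or the actual APT41 scheme): a volume-serial execution guardrail and the brute force that defeats it. The payload is bound to a 32-bit volume serial, the decryptor walks the serial space testing a few bytes of known plaintext per candidate, and every hit is confirmed with a fuller structural check because four bytes of known plaintext alone leave about one false hit per 2^32 keys. The keystream construction (SHA-256 in counter mode) and the stand-in payload are assumptions for the demo; the talk did not say which cipher was used.

```python
import hashlib
import struct

# Constructed stand-in for a second-stage PE: DOS header with e_lfanew = 64 and a
# PE signature right after it. Not a real executable.
SAMPLE_PAYLOAD = bytearray(96)
SAMPLE_PAYLOAD[0:4] = b"MZ\x90\x00"
struct.pack_into("<I", SAMPLE_PAYLOAD, 0x3C, 64)
SAMPLE_PAYLOAD[64:68] = b"PE\x00\x00"
SAMPLE_PAYLOAD = bytes(SAMPLE_PAYLOAD)

KNOWN_PREFIX = b"MZ\x90\x00"  # known plaintext used to test candidate serials cheaply


def keystream(volume_serial, length):
    """Keystream derived only from the 32-bit volume serial (SHA-256 in counter mode).

    The derivation is an assumption for this example. What matters is that the only
    secret is a 32-bit value, so the key space is ~4 billion whatever the cipher.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(struct.pack("<II", volume_serial, counter)).digest()
        counter += 1
    return out[:length]


def guardrail_encrypt(payload, volume_serial):
    """Bind the payload to one machine: it only decrypts where the serial matches."""
    return bytes(p ^ k for p, k in zip(payload, keystream(volume_serial, len(payload))))


guardrail_decrypt = guardrail_encrypt  # XOR with the same keystream is its own inverse


def looks_like_pe(data):
    """Structural check stronger than the 4-byte prefix: PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def candidate_serials(blob, start, stop, known_prefix=KNOWN_PREFIX):
    """Yield every serial in [start, stop) whose first keystream block decrypts the
    known prefix. One SHA-256 per candidate: the full 2^32 space is minutes in
    native code and hours in Python, so keep the window small here."""
    n = len(known_prefix)
    head = blob[:n]
    for serial in range(start, stop):
        ks = hashlib.sha256(struct.pack("<II", serial, 0)).digest()[:n]
        if bytes(c ^ k for c, k in zip(head, ks)) == known_prefix:
            yield serial


def recover_payload(blob, start=0, stop=2 ** 32):
    """Brute force the serial, then confirm each hit with the fuller PE check."""
    for serial in candidate_serials(blob, start, stop):
        plain = guardrail_decrypt(blob, serial)
        if looks_like_pe(plain):
            return serial, plain
    return None


if __name__ == "__main__":
    victim_serial = 0x1A2B3C4D
    blob = guardrail_encrypt(SAMPLE_PAYLOAD, victim_serial)
    # Search a window around the real serial so the demo finishes instantly.
    print(recover_payload(blob, victim_serial - 5000, victim_serial + 5000))
```

The same shape applies to the DPAPI variant in reverse: there the secret is the victim machine's DPAPI master key rather than 32 bits, which is why that one is not brute-forceable and has to be decrypted on the original host.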
APT41 compromised company behind TeamViewer - which enabled them to access *any* system with TeamViewer installed 👀👀

#FireEyeSummit
**new reveal** Recently found new APT41 malware family on a Linux system at a telecom we’ve named MESSAGETAP.

This enabled APT41 to track/monitor phone call and SMS records either based on specific IMSI numbers or keywords for SMS terms

#FireEyeSummit
Visual representation of how MESSAGETAP works

**note: once loaded from disk MESSAGETAP deletes the on-disk copies of itself so it is only running in memory on the Linux server

#FireEyeSummit
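
Added example (mine, not from the talk) for the memory-only behaviour just noted: on Linux a process whose binary was unlinked after exec still exposes the original path through /proc/<pid>/exe, with " (deleted)" appended, so a scan of procfs finds it. The scan takes a procfs root so it can run against a constructed fake tree offline; the pids and paths in that tree are made up, and the triage thresholds (tmp, shm, memfd) are my own heuristic.

```python
import os
import tempfile

# Directories from which a legitimately installed service binary would not normally run.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/memfd:")


def find_deleted_executables(proc_root="/proc"):
    """List processes whose main executable no longer exists on disk.

    readlink(/proc/<pid>/exe) keeps the original path and appends " (deleted)" once
    the file is unlinked; memfd-backed executables show up as "/memfd:... (deleted)".
    Returns sorted [(pid, link_target)].
    """
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            # kernel threads have no exe link; other users' processes need root
            continue
        if target.endswith(" (deleted)"):
            findings.append((int(entry), target))
    return sorted(findings)


def triage(findings):
    """Rank hits: a deleted binary under /tmp, /dev/shm or memfd is high; a deleted
    binary under a system path is usually a package upgrade and only needs review."""
    ranked = []
    for pid, target in findings:
        path = target[: -len(" (deleted)")]
        risk = "high" if path.startswith(SUSPICIOUS_PREFIXES) else "review"
        ranked.append((pid, path, risk))
    return ranked


def build_fake_procfs():
    """Constructed procfs tree so the scan can run offline; not a real /proc."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    layout = {
        "1": "/usr/lib/systemd/systemd",
        "4242": "/dev/shm/.x (deleted)",
        "4243": "/memfd:payload (deleted)",
        "4300": "/usr/sbin/sshd",
        "4301": "/usr/sbin/nginx (deleted)",
        "acpi": None,  # non-numeric entry, skipped like /proc/acpi
    }
    for name, target in layout.items():
        d = os.path.join(root, name)
        os.mkdir(d)
        if target is not None:
            os.symlink(target, os.path.join(d, "exe"))
    return root


if __name__ == "__main__":
    for pid, path, risk in triage(find_deleted_executables()):
        print(risk, pid, path)
```

Run as root on the live host; /proc/<pid>/exe is still readable while the process runs, so the binary can be copied out of it (cp /proc/<pid>/exe ./sample) before the process exits and the last copy disappears.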
APT41 uses a range of passive backdoors (which are pretty rare in my experience). This enables the attacker to initiate a network connection from a system on the Internet that will cause the backdoor to beacon out

#FireEyeSummit
Has #APT41 changed their tempo, TTPs, retooled since release of APT41 report in August?

Short answer: nope

#FireEyeSummit
...and that’s a wrap for @FireEye Cyber Defense Summit 2019

Hope you enjoyed the Tweet thread!

#FireEyeSummit
Thread by Christopher Glyer