@HoldSecurity Harvests information periodically from various botnet information panels (that give them view into the size and systems in the botnet).
Fun fact - Gozi botnet has so many systems connected all queries on the information panel time out
#FireEyeSummit
Fun fact - Gozi botnet has so many systems connected all queries on the information panel time out
#FireEyeSummit
Example personal information harvested by system infected with a botnet that are then sold on underground forums. Even takes a browser fingerprint to bypass banking controls w/fraudfox that rely on that fingerprint to challenge a user for more info or MFA
#FireEyeSummit
#FireEyeSummit
Cyber criminals will often infect a system they control first. This picture is from L0rdix botnet control panel showing an IP address in Romania which is likely a system controlled by the botnet operator. They didn’t bother scrubbing this info.
#FireEyeSummit
#FireEyeSummit
Next up is @ashley_shen_920 discussing ICEFOG (first reported by @kaspersky) - is it a malware family? Is it a threat group? No public reporting since 2014 - what happened?
#FireEyeSummit
#FireEyeSummit
@ashley_shen_920 identified some new ICEFOG malware. She analyzed the pdb strings (a @stvemillertime favorite) and compared differences between older samples and the new samples
#FireEyeSummit
#FireEyeSummit
What happened after 2014? Eight campaigns identified/clustered. First campaign targeted Mongolian targets and also leveraged Sogu/Plugx malware
#FireEyeSummit
#FireEyeSummit
Side personal thought.
Is it a fair comparison to describe Sogu/Plugx as the AK-47 of Chinese APT malware families? It is used by more groups than any other backdoor family I can think of.
#FireEyeSummit
Is it a fair comparison to describe Sogu/Plugx as the AK-47 of Chinese APT malware families? It is used by more groups than any other backdoor family I can think of.
#FireEyeSummit
Some of the campaigns with ICEFOG variants have overlaps with APT9 and APT15
I like the legend in the bottom right showing confidence levels in the assessment.
#FireEyeSummit
I like the legend in the bottom right showing confidence levels in the assessment.
#FireEyeSummit
What’s the conclusion? ICEFOG (like SOGU) is a malware family used by multiple Chinese threat actors including APT9 and APT15 and a new group/cluster we identified targeting central Asian countries.
#FireEyeSummit
#FireEyeSummit
Next up is @stonepwn3000 Director of the Advanced Practices team @FireEye talking about the trends we are seeing across threat actors
#FireEyeSummit
#FireEyeSummit
@stonepwn3000 discussing the various ways we get data/telemetry to form conclusions including product telemetry from endpoint, email, network, & SIEM products, @Mandiant incident response engagements, managed defense customers, & monitoring criminal underground
#FireEyeSummit
#FireEyeSummit
Some interesting statistics of what a “typical/average” client looks like.
A typical client is seeing 500 emails on average get through their other security controls before they get to ours.
#FireEyeSummit
A typical client is seeing 500 emails on average get through their other security controls before they get to ours.
#FireEyeSummit
“One of my favorite IRs we had an Iranian threat actor and then found a Chinese threat actor (APT3) was also there”
Dwell time is considered to be time from entry into environment until they were discovered.
#FireEyeSummit
Dwell time is considered to be time from entry into environment until they were discovered.
#FireEyeSummit
Out of 858 intrusions investigated in 2019 only 1 Mac only & 9 Linux only. Vast majority Windows only
A notable trend/statistic is that 12 intrusions involved insider (this number in the past was usually 0). Only 235 out of the 858 involved a targeted intrusion
#FireEyeSummit
A notable trend/statistic is that 12 intrusions involved insider (this number in the past was usually 0). Only 235 out of the 858 involved a targeted intrusion
#FireEyeSummit
How did we get to attributing and the public report on #APT41?
9 clusters of activity we kept separate until we could identify technical overlap to merge it together.
#FireEyeSummit
9 clusters of activity we kept separate until we could identify technical overlap to merge it together.
#FireEyeSummit
Overview of Cobalt Strike Beacon samples seen in last year
Numbers in blue are primarily red teams we track as clusters (e.g legitimate usage). Numbers in red are number of samples used by malicious threat actors including FIN6, FIN7, APT19, APT32, APT40, APT41
#FireEyeSummit
Numbers in blue are primarily red teams we track as clusters (e.g legitimate usage). Numbers in red are number of samples used by malicious threat actors including FIN6, FIN7, APT19, APT32, APT40, APT41
#FireEyeSummit
Next up: @benhacks and Todd Plantenga talking about Rich Headers created by compiler/linker in a PE and the types of information you can get from it
#FireEyeSummit
#FireEyeSummit
Todd walking through their analysis of ~8 million PE samples and showing a graph of frequency that we see those headers. He was trying to figure out whether a rich header hash would be useful for pivoting/clustering in analysis
#FireEyeSummit
#FireEyeSummit
How does rich header hash compare to import hash for clustering?
I’m glad you asked...rich header hashes (from the data) more useful than imphash. One difference is import table cannot be manipulated but rich header can be modified w/o affecting functionality
#FireEyeSummit
I’m glad you asked...rich header hashes (from the data) more useful than imphash. One difference is import table cannot be manipulated but rich header can be modified w/o affecting functionality
#FireEyeSummit
With Rich Header hash (RichHash) overlap - careful with attribution or using it to determine maliciousness of a file. There could be a shared builder or malware author copies a legitimate file (e.g bcrypt.dll in second picture) and makes modifications
#FireEyeSummit
#FireEyeSummit
There are different ways you can use information in Rich Headers to do hashing/pivoting/clustering - and each has tradeoffs
#FireEyeSummit
#FireEyeSummit
Next up @0x4steve discussing how to get “left of boom” to proactively detect or even prevent attacks before they are launched against your environment.
#FireEyeSummit
#FireEyeSummit
@shodanhq and @censysio query syntax to fingerprint Cobalt Strike Beacon, Metasploit, PowerShell Empire, and Responder C2 servers as they are stood up
#FireEyeSummit
#FireEyeSummit
Aaron’s favorite example because it is so simple. It isn’t inherently malicious - it is a weak signal looking for powershell.exe in the HTTP response body
#FireEyeSummit
#FireEyeSummit
We’ve been proactively hunting for C2 infrastructure for about a year now. In that time we’ve found >300k (yes that is three hundred thousand) unique C2 servers stood up.
#FireEyeSummit
#FireEyeSummit
Next up Nick Bennett and Joe Mehegan talking about defensive trends (e.g what controls work and what don’t based on intrusions we’ve worked).
#FireEyeSummit
#FireEyeSummit
Step 1: Identify list of accounts that are highly privileged - because virtually every attacker would need to use one of those to accomplish their mission. Can’t just focus on groups like domain admin/enterprise admin
#FireEyeSummit
#FireEyeSummit
Step 2: Implement a tiered architecture model which includes implementing privileged access workstations.
docs.microsoft.com/en-us/windows-…
Focus can’t just be on limiting how many privileged accounts exist - but where they can/can’t login
#FireEyeSummit
docs.microsoft.com/en-us/windows-…
Focus can’t just be on limiting how many privileged accounts exist - but where they can/can’t login
#FireEyeSummit
The number one thing that slows down eradication efforts from catastrophic breach is they’ve never rotated all passwords before
By proactively rotating all passwords before a breach, vastly shortens time to implement recovery efforts from a catastrophic breach
#FireEyeSummit
By proactively rotating all passwords before a breach, vastly shortens time to implement recovery efforts from a catastrophic breach
#FireEyeSummit
Joe talks gives examples of endpoint hardening techniques (e.g do you disable all macros or only allow them to run from specific location). My personal favorite is the last recommendation (e.g use host based firewalls to prevent workstation->workstation comms)
#FireEyeSummit
#FireEyeSummit
Last session of the day
@highviscosity
@williballenthin & @nicastronaut cover examples of targeted attacks on MacOS & the forensic artifacts you can use to investigate
#FireEyeSummit
@highviscosity
@williballenthin & @nicastronaut cover examples of targeted attacks on MacOS & the forensic artifacts you can use to investigate
#FireEyeSummit
@williballenthin walking through an example phishing email which instructs the user to run curl to run a bash script on a remote system
#FireEyeSummit
#FireEyeSummit
@HighViscosity discussing how attacker tried to cover tracks by deleting the unified log and unsetting bash history.
Default value of certain MacOS log files is only 2MB
#FireEyeSummit
Default value of certain MacOS log files is only 2MB
#FireEyeSummit
Used savedState to help reconstruct what happened. Reverse engineered and determined that the data is encrypted with a 128 bit AES key.
When unencrypted they were able to recover the shell history
#FireEyeSummit
When unencrypted they were able to recover the shell history
#FireEyeSummit
Attacker used Apple Remote Desktop to move laterally which creates lots of valuable forensic artifacts including every application executed. These cache files are centrally synced daily.
#FireEyeSummit
#FireEyeSummit
Found a new MacOS forensic artifact (filesystem.cache) which is a snapshot of file system metadata and also synced daily centrally to administrator workstation (second screenshot is “clean” output after @williballenthin figured out how to parse the cache)
#FireEyeSummit
#FireEyeSummit
Found another gold mine of a forensic artifact the RMDB - which gets you detailed application usage, user logins, system information and this data (unlike the previous caches discussed which roll daily) go back indefinitely (1.5 years in this investigation)
#FireEyeSummit
#FireEyeSummit
@FireEye will be releasing a blog shorty with technical details of these Apple Remote Desktop forensic artifacts as well as a tool to parse them
CC: @iamevltwin @HeatherMahalik
#FireEyeSummit
CC: @iamevltwin @HeatherMahalik
#FireEyeSummit
Entire attack involved initial phishing email, curl, ssh, Apple Remote Desktop, and JAMF and there was zero malware used in the entire incident. “The attacker lived off the land (or the orchard) the entire time”
#FireEyeSummit
#FireEyeSummit
And that’s a wrap for day 1 of #FireEyeSummit
@stvemillertime and I hope to catch up with you in person at tonight’s Oktoberfest reception
@stvemillertime and I hope to catch up with you in person at tonight’s Oktoberfest reception
Picking up the live Tweeting where we left off for day two of the technical track at the #FireEyeSummit
@BarryV is covering Code Signing beyond PEs
@BarryV is covering Code Signing beyond PEs
One reason to sign malicious code - Windows Vista and above won’t load a kernel driver unless it is signed. Windows 10 version 1607 requires a certificate with extended validation.
#FireEyeSummit
#FireEyeSummit
Did you know you can sign Macros and/or only allow macros or scripts signed with a specific certificate?
Windows Scripting Host introduced signature enforcement in 2001...and virtually no one uses it (that I’ve ever seen)
#FireEyeSummit
Windows Scripting Host introduced signature enforcement in 2001...and virtually no one uses it (that I’ve ever seen)
#FireEyeSummit
Signing certificate compromise is pretty rare, but high impact. Attacker has to compromise a company, get into code signing infra, then get into build or signing process. This is why virtually/all cases of this have been with well resourced nation state groups
#FireEyeSummit
#FireEyeSummit
Large underground market in code signing certs, and relatively cheap as well ($400-$2000)
#FireEyeSummit
#FireEyeSummit
Question from the audience:
Can you use the same code signing certificate to sign?
Yes - the same code signing certificate can be used to sign multiple file types including PEs, documents, macros, and JavaScript (and more)
#FireEyeSummit
Can you use the same code signing certificate to sign?
Yes - the same code signing certificate can be used to sign multiple file types including PEs, documents, macros, and JavaScript (and more)
#FireEyeSummit
Next up: Data science applied to threat hunting by Ben Ruffley and John Robenalt from P&G
#FireEyeSummit
#FireEyeSummit
What toolsets do they use for threat hunting?
Helix, HX, Data Lake, and UEBA platform
Example of where hunting/ML can be challenging is looking for networking beaconing because so many legitimate applications communicate out on a periodic basis.
#FireEyeSummit
Helix, HX, Data Lake, and UEBA platform
Example of where hunting/ML can be challenging is looking for networking beaconing because so many legitimate applications communicate out on a periodic basis.
#FireEyeSummit
What does the P&G data lake pipeline look like?
Apache Nifi + S3 + Athena + EMR + Apache Spark + Jupyter notebooks
#FireEyeSummit
Apache Nifi + S3 + Athena + EMR + Apache Spark + Jupyter notebooks
#FireEyeSummit
They take raw log data and parse it/give it meaning on the fly via Athena SQL.
Schema on read/query FTW!
#FireEyeSummit
Schema on read/query FTW!
#FireEyeSummit
Interesting approach to ML in their network. They created their own “simulated” network callback and used it (starting with a pretend known bad) to do feature engineering, clustered results, and the looked at resulting clusters to prove out/refine the approach
#FireEyeSummit
#FireEyeSummit
The @Mandiant red team combines living off the land binaries (LOLbins) to proxy code execution to load shellcode in a DLL. Only requirement is to line up the export of the DLL to what the LOLbin is expecting/calling
#FireEyeSummit
#FireEyeSummit
A theme @ItsReallyNick and I have discussed a lot on #StateOfTheHack brought up by @evan_pena2003
Red team moving away from PowerShell based tooling/attacks to C# & shellcode due to improved visibility/detection/prevention by AMSI, EDR tools & better logging
#FireEyeSummit
Red team moving away from PowerShell based tooling/attacks to C# & shellcode due to improved visibility/detection/prevention by AMSI, EDR tools & better logging
#FireEyeSummit
Red team released (today) a new tool/framework called DueDLLigence and corresponding blog post to facilitate shellcode injection/execution
#FireEyeSummit
#FireEyeSummit
You can use DueDLLigence to inject into existing process or have it spin up arbitrary process
I think they have an interesting approach so they never had a RWX page in memory. They set RW first, load shellcode, then change permissions to RX & remove write privs
#FireEyeSummit
I think they have an interesting approach so they never had a RWX page in memory. They set RW first, load shellcode, then change permissions to RX & remove write privs
#FireEyeSummit
Next up: @Int2e_ and Anders Velby talking all things related to Exchange server malware
Side note - they are flying through slides so trying to keep up
#FireEyeSummit
Side note - they are flying through slides so trying to keep up
#FireEyeSummit
Two examples of malware families that use sending/receiving emails and Exchange transport agents to enable command and control. Ridiculously stealthy/interesting way of achieving command and control
REDMAIL used by Platinum and XTRANS used by Turla
#FireEyeSummit
REDMAIL used by Platinum and XTRANS used by Turla
#FireEyeSummit
A few weeks ago Anders found a new malware variant used by Turla (uploaded to VT) called NetTRANS
Both NetTRANS and XTRANS store their commands in jpeg images
#FireEyeSummit
Both NetTRANS and XTRANS store their commands in jpeg images
#FireEyeSummit
On the host you can parse the agents.config to return information about all installed exchange transport agents
Can you spot the malicious transport agent in the first screenshot?
#FireEyeSummit
Can you spot the malicious transport agent in the first screenshot?
#FireEyeSummit
Pro tip: remediating exchange transport agent infection requires restarting exchange server to take effect - even if you’ve disabled or deleted agent
Anders & Adrienne found way to use WMI event filters to persist transport agent instead of using agents.config
#FireEyeSummit
Anders & Adrienne found way to use WMI event filters to persist transport agent instead of using agents.config
#FireEyeSummit
Few detection ideas (some easy some hard)
1️⃣ Look for child processes of EdgeTransport.exe
2️⃣ Monitor for modifications to agents.config file
3️⃣ Parse memory of EdgeTransport.exe and analyze all loaded DLLs (hard)
#FireEyeSummit
1️⃣ Look for child processes of EdgeTransport.exe
2️⃣ Monitor for modifications to agents.config file
3️⃣ Parse memory of EdgeTransport.exe and analyze all loaded DLLs (hard)
#FireEyeSummit
Note: talked with Anders and Adrienne after their talk. Exchange Transport Agents are only relevant to on prem exchange and not O365 as its not a supported feature.
#FireEyeSummit
#FireEyeSummit
Next up:
BECs and beyond, investigations in O365 by @madeleyjosh and @doughsec
Doug notes he has developed a love/hate relationship with O365
#FireEyeSummit
BECs and beyond, investigations in O365 by @madeleyjosh and @doughsec
Doug notes he has developed a love/hate relationship with O365
#FireEyeSummit
With O365 orgs need to be aware of what authentication methods are configured/enabled. Most notably legacy auth is enabled by default, doesn’t support MFA, and is used for POP, IMAP, MAPI, PowerShell, EWS, AutoDiscover
#FireEyeSummit
#FireEyeSummit
Real-time monitoring of unified audit log not possible because log events *may* take up to 24 hours to show up 😳😳
#FireEyeSummit
#FireEyeSummit
Note: message bind events (e.g what emails viewed) only enabled for admin users (which happens rarely) & not for *actual* user/owner of email account or delegate(s)
**makes investigating mail compromise hard b/c you can’t determine what emails viewed by attacker
#FireEyeSummit
**makes investigating mail compromise hard b/c you can’t determine what emails viewed by attacker
#FireEyeSummit
If you can contact FBI within 24 hours of Business Email Compromise - high likelihood the banks can recover the money. If longer than that - unlikely to recover wired funds.
#FireEyeSummit
#FireEyeSummit
What happens if you use ADFS and a password spray attack occurs - failed authentications are *not* recorded in the O365 unified audit log 😱
#FireEyeSummit
#FireEyeSummit
In an #APT35 intrusion they used e-discovery capabilities of O365 to search for RSA seed files (we’ve seen this at over 12 incident response engagements) to register a MFA token
#FireEyeSummit
#FireEyeSummit
What’s a good way of stealthily accessing another users email? Delegate access for the email account. And there is very little logged when attackers use this method because only creation events and folder access events are logged in the unified audit log
#FireEyeSummit
#FireEyeSummit
Ewww - one of my favorite subjects. Just like we reported in 2016/2017 with Google - an attacker can create an Oauth app (an Azure app). Once user consents - the app can bypass MFA. Unless you have E5 license only choice is to either enable/disable ALL apps
#FireEyeSummit
#FireEyeSummit
Last talk of the day: All things APT41
With Ray Leong and the bearded wonder @MrDanPerez
#FireEyeSummit
With Ray Leong and the bearded wonder @MrDanPerez
#FireEyeSummit
Programming Note: @ItsReallyNick and I had a dedicated #StateOfTheHack episode with Ray and Jackie O’Leary
APT41 LOVES software supply chain compromise including
CCleaner, Netsarang, league of legends, fifa online 3...etc
Out of these CCleaner likely enabled them access to virtually any org in the world
#FireEyeSummit
CCleaner, Netsarang, league of legends, fifa online 3...etc
Out of these CCleaner likely enabled them access to virtually any org in the world
#FireEyeSummit
.@ItsReallyNick favorite subject - execution guardrails!
APT41 encrypted payloads w/DPAPI so would only decrypt/execute on specific system of their choice. APT41 has also leveraged volume serial IDs to whitelist systems that would receive second stage payloads
#FireEyeSummit
APT41 encrypted payloads w/DPAPI so would only decrypt/execute on specific system of their choice. APT41 has also leveraged volume serial IDs to whitelist systems that would receive second stage payloads
#FireEyeSummit
Kind of neat - FLARE figured out they could brute force key space of ~4 billion keys (relatively small) based on the volume serial ID to decrypt the payload
This enabled us to identify two new malware families
#FireEyeSummit
This enabled us to identify two new malware families
#FireEyeSummit
APT41 compromised company behind TeamViewer - which enabled them to access *any* system with TeamViewer installed 👀👀
#FireEyeSummit
#FireEyeSummit
**new reveal** Recently found new APT41 malware family on a Linux system at a telecom we’ve named MESSAGETAP.
This enabled APT41 track/monitor monitor phone call and SMS records either based on specific IMSI numbers or keywords for SMS terms
#FireEyeSummit
This enabled APT41 track/monitor monitor phone call and SMS records either based on specific IMSI numbers or keywords for SMS terms
#FireEyeSummit
Visual representation of how MESSAGETAP works
**note: once loaded from disk MESSAGETAP deletes the on-disk copies of itself so it is only running in memory on the Linux server
#FireEyeSummit
**note: once loaded from disk MESSAGETAP deletes the on-disk copies of itself so it is only running in memory on the Linux server
#FireEyeSummit
APT41 uses a range of passive backdoors (which are pretty rare in my experience). This enables attacker to initiate a network connection from a system on the Internet that will cause the backdoor to beacon out
#FireEyeSummit
#FireEyeSummit
Has #APT41 changed their tempo, TTPs, retooled since release of APT41 report in August?
Short answer: nope
#FireEyeSummit
Short answer: nope
#FireEyeSummit
...and that’s a wrap for @FireEye Cyber Defense Summit 2019
Hope you enjoyed the Tweet thread!
#FireEyeSummit
Hope you enjoyed the Tweet thread!
#FireEyeSummit
