
Cred stealing emails bsides austin_2018 v1.0

How to evaluate credential stealing emails and what you can do about it. From BSides Austin 2018
Malware Archaeology
LOG-MD


  1. Credential Stealing Emails – What YOU need to know
     Michael Gough – Co-Founder, Brian Boettcher – Co-Founder
     IMFSecurity.com, LOG-MD.com
  2. Who are we
     • Blue Team Defender Ninjas, Incident Responders
     • Michael – Creator of all those Windows Logging Cheat Sheets and the Malware Management Framework
     • Brian – co-host of the “Brakeing Down Security Podcast”
     • Creators of “Log-MD” – The Log and Malicious Discovery Tool
     • NEW – Expanding the BDS podcast – “Brakeing Down Incident Response”
  3. 2 years ago…
     • We announced LOG-MD at this very conference
     • Today we would like to announce the release of…
     • LOG-MD ver 2.0
  4. The Challenge
  5. The Problem or SERIOUS Challenge
     • We have a fancy SMTP Gateway that does AV, SPAM, Outbreaks, URL Scanning, and Malware Sandboxing
     • Credential Stealing Emails are on the rise
     • And they are VERY difficult to defend against
     • This is a HUGE gap that we get every week
  6. Typical Cred Stealing Email
     • They come in to 1, 3, 5, dozens to hundreds of recipients
     • They can have a URL in the email, or a PDF with a URL to get by the scanners – Silly Hackers
     • And they look like any one of the following…
  7. What the emails look like
  8. A PDF Adobe/Dropbox version
  9. Another PDF
  10. Or a Dropbox-looking email
      https://www.millionauto.com/doc.htm
  11. PDF with link – But it is safe, AVAST says so
      https://toppingcloths.id/scripts_mwi/onenew/b9909ec9f947e4f86a71e8eb07339d39/
  12. PDF – Scanned Document from your HP Scanner
  13. DocuSign, of course…
  14. The Lawyer says Click Here…
      https://firstlink-jo.com/jac/font/index.php
  15. Embedded Image with URL
  16. Let’s look at the Cred Stealing website
  17. PDF Dropbox looking
      • Federation ???
  18. OneDrive needs your login
  19. And your PIN… maybe an MFA attempt?
  20. DocuSign from a URL
  21. But WAIT – There’s MORE Federation!
  22. And they even want your Telephone and Recovery Email
  23. PDF brings you here… Login Please
  24. Dang It… Wrong Password – Try Again!
  25. WeTransfer your Credentials…
  26. And then send you to OneDrive
  27. Let’s Look at a Targeted Attack
  28. Targeted Phish – From Retail Supplier
      https://adinshawandco.com/auth/scan.html
  29. The website
  30. Enter your Creds…
  31. After you try logging in, they redirect you to an industry article
  32. So what does the attack look like?
  33. Incoming !!!
      • Started at 7:58am CST
      • Ended at 8:05am CST
      • We are an hour behind, so it was sent before we were at work
      • 191 emails, batched in roughly 50 at a time
      • 156 total delivered
      • 35 failed to deliver – failed addresses went back as far as Mar 2016
  34. Incoming Exchange Splunk Query
      • You should have a query ready to go for:
        – Sender
        – Subject
  35. What did we do?
      • Once reported, or once one of our odd-email alerts triggers (which this one did; we just had not seen it yet, since we had just gotten into the office and people were already reporting it) – So yeah… AHHHHHhhhhhhhhhhh
      • We evaluate in a lab and click all the way through, including entering fake creds to see what happens next, and use LOG-MD of course to evaluate URLs and domains ;-)
      • We Splunk the email details to identify ALL users that received it – now we know whom to notify
      • We add the users to a lookup list in order to track their logins
  36. What did we do?
      • We issued a recall of the email from Exchange
      • Emailed all recipients – DO NOT OPEN!!!!
      • Anyone who had logged into any Internet-facing system was asked to reset their password
      • Some accounts were disabled if the user did not respond in a timely manner, like 1 hour
      • We called a few people…
  37. Knock Knock… Hackers Knocking
      • It didn’t take the hackers 3 hrs to attempt logins
      • These Cred Stealing actors are LIVE
  38. So what did Threat Intel say about the URL?
  39. FortiGuard Webfilter
      • We checked these on the afternoon of the 16th, 10 days after the event
      • They rated it Phishing on Feb 13th
  40. BrightCloud
      • Nothing bad
  41. Cisco Talos
      • Nothing bad
  42. McAfee
      • Phishing
      • Checked 10 days later
  43. MXToolbox
      • Blacklists all clean
  44. RiskIQ – PassiveTotal
      • Nothing bad
  45. PhishTank
      • Didn’t have anything
  46. Sucuri
      • Blacklisted by Norton and McAfee
  47. Symantec
      • Suspicious 7 days ago
  48. Trend Micro
      • Dangerous
  49. Unmask Parasites
      • Nothing bad
  50. URLQuery
      • Nothing bad… But wait, there’s more!!!
  51. URLQuery
      • SCREEN SHOT!!!!
  52. URLScan
      • Nothing bad… SCREEN SHOT!!!
  53. URLVoid
      • Nothing bad
      • Domain is 2 years old
      • Is from India
      • Safety Reputation – 0
  54. Google VirusTotal
      • Nothing bad… Seriously???
  55. WatchGuard
      • Nothing bad
  56. Zscaler
      • Nothing bad
  57. Example #2 – Investigated within a couple of hours, through to the end of the same day
  58. Example #2 – The Scenario
      • This email came in at 12:10 EST
      • We looked at it within an hour
      • Ran Threat Intel within 2 hours
      • Then ran Threat Intel again between 4:30 and 5:00pm EST
      • What do you think we found?
  59. What does Threat Intel think?
      • Alexa – No rank available
      • Cisco Talos – No score
      • DomainTools – Nothing
      • Forcepoint – Nothing
      • Symantec – Nothing
      • Trend Micro – Nothing
      • McAfee TrustedSource – Nothing
      • URLVoid – Nothing
      • URLQuery – Nothing, and a screen shot
      • URLScan – Nothing, and a screen shot
      • VirusTotal – Nothing
  60. What do the Browsers say?
      • Tested this at the end of the day
      • Chrome Safe Browsing – Deceptive Site
      • Firefox – Deceptive Site
      • Edge Browser – No warning
      • Internet Explorer – No warning
  61. Sample #2 – FortiGuard Webfilter
      • Winner Winner Chicken Dinner
      • 9:34am (UTC) no data… CLEAN
      • 10 mins later at 9:44am – “Medium”
        – So if you check early, this might say “OK” too
  62. So what should you do?
  63. Your only real options
      • MFA
        – 2-Factor Auth will cripple these attacks
        – The creds won’t work on their own anywhere on Internet-facing systems, so you have time to respond – “Hopefully”
        – Caveat: some of the pages shown earlier also prompt for a PIN or code, so a one-time-code factor can still be relayed in real time; MFA buys you time, it is not a guarantee
      • Fast and Mass disable of accounts and/or rotate passwords for ALL recipients
  64. Detect and Respond… FAST!!!!
      1. The Alert – how you get notified
      2. Evaluate the URL in a lab or manually
      3. Block the URL and/or IP ASAP
      4. Get a list of ALL recipients
      5. Consider Fast and Mass password resets – yes, painful the larger the event is…
      6. Monitor your Internet logins with the list of recipients
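Steps 4 to 6 above (recipient list, resets, login monitoring), as an added Python example that is not the authors' code and not part of LOG-MD or the Splunk query they describe. It takes constructed Exchange-style message tracking records and constructed Internet-facing login records, builds the campaign's recipient list by sender and subject, then flags recipients who logged in from outside the corporate address space after the first delivery. The field layouts, sender, subject, addresses and corporate ranges are all assumptions.

```python
import csv
import ipaddress
from datetime import datetime, timezone

# Constructed sample of Exchange-style message tracking records (field layout assumed):
# timestamp,event,sender,recipient,subject
TRACKING_LOG = [
    "2018-02-06T13:58:02Z,DELIVER,accounts@supplier-invoices.example,alice@corp.example,Scanned Document from HP Scanner",
    "2018-02-06T13:58:03Z,DELIVER,accounts@supplier-invoices.example,bob@corp.example,Scanned Document from HP Scanner",
    "2018-02-06T13:58:05Z,FAIL,accounts@supplier-invoices.example,oldhire@corp.example,Scanned Document from HP Scanner",
    "2018-02-06T14:05:11Z,DELIVER,accounts@supplier-invoices.example,carol@corp.example,Scanned Document from HP Scanner",
    "2018-02-06T14:02:00Z,DELIVER,newsletter@vendor.example,alice@corp.example,Weekly industry digest",
]

# Constructed sample of Internet-facing login records (OWA/VPN style, layout assumed):
# timestamp,user,source_ip,result
LOGIN_LOG = [
    "2018-02-06T13:40:00Z,alice@corp.example,203.0.113.10,Success",   # before the phish arrived
    "2018-02-06T14:35:12Z,bob@corp.example,198.51.100.77,Success",     # recipient, after, outside IP
    "2018-02-06T14:36:40Z,bob@corp.example,198.51.100.77,Success",
    "2018-02-06T15:10:03Z,carol@corp.example,10.20.30.40,Success",     # recipient, but corporate net
    "2018-02-06T16:41:09Z,alice@corp.example,192.0.2.55,Failure",      # recipient, failed attempt
    "2018-02-06T16:44:15Z,dave@corp.example,192.0.2.55,Success",       # not a recipient
]

# Assumed corporate address space; logins from here are not treated as attacker activity.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]

PHISH_SENDER = "accounts@supplier-invoices.example"
PHISH_SUBJECT = "Scanned Document from HP Scanner"


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def campaign_recipients(tracking_lines, sender, subject):
    """Step 4: everyone the campaign reached, keyed on sender + subject.

    Returns (delivered, failed, first_delivery). Failed addresses are kept too:
    how stale they are hints at the age of the attacker's address list.
    """
    delivered, failed, first_delivery = set(), set(), None
    for ts, event, row_sender, recipient, row_subject in csv.reader(tracking_lines):
        if row_sender.lower() != sender.lower() or row_subject != subject:
            continue
        when = parse_ts(ts)
        if event == "DELIVER":
            delivered.add(recipient.lower())
            if first_delivery is None or when < first_delivery:
                first_delivery = when
        elif event == "FAIL":
            failed.add(recipient.lower())
    return delivered, failed, first_delivery


def suspicious_logins(login_lines, recipients, since, corporate_nets):
    """Step 6: logins by recipients, after first delivery, from outside corporate space.

    Failures are reported as well: a failed attempt on a recipient's account from an
    unknown address after the phish is the attacker trying harvested creds.
    """
    if since is None:
        return []
    flagged = []
    for ts, user, src_ip, result in csv.reader(login_lines):
        user = user.lower()
        if user not in recipients or parse_ts(ts) < since:
            continue
        addr = ipaddress.ip_address(src_ip)
        if any(addr in net for net in corporate_nets):
            continue
        flagged.append({"user": user, "time": ts, "src_ip": src_ip, "result": result})
    return flagged


def accounts_to_reset(flagged):
    """Step 5: accounts with a successful outside login after the phish get reset first."""
    return sorted({f["user"] for f in flagged if f["result"] == "Success"})


def triage(tracking_lines=TRACKING_LOG, login_lines=LOGIN_LOG):
    delivered, failed, first_delivery = campaign_recipients(tracking_lines, PHISH_SENDER, PHISH_SUBJECT)
    flagged = suspicious_logins(login_lines, delivered, first_delivery, CORPORATE_NETS)
    return {
        "delivered": sorted(delivered),
        "failed": sorted(failed),
        "flagged": flagged,
        "reset_now": accounts_to_reset(flagged),
    }


if __name__ == "__main__":
    result = triage()
    print(f"Notify {len(result['delivered'])} recipients; {len(result['failed'])} failed to deliver")
    for hit in result["flagged"]:
        print(f"{hit['time']} {hit['user']} from {hit['src_ip']}: {hit['result']}")
    print("Reset now:", ", ".join(result["reset_now"]))
```

The recipient set is what you would load into the Splunk lookup the deck mentions; the login correlation is the query you would run against it every few minutes until the resets are done. Logins from the corporate ranges are deliberately excluded so that the user who simply reads their own mail does not drown the one account the attacker is actually using.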
  65. Evaluating the URL
      • On the 2nd sample FortiGuard was the only one that flagged a recently received phish within the first couple of hours
        – Do not take this as an endorsement
        – If you check fast enough, it may say it’s “OK”
      • I checked all of the URL Threat Intel sites at the end of the day… so 6 hours later
        – 0, zippo, none, zilch changed… YUP, all good
  66. Evaluating the URL
      • Pick a few of the ones we just blew through and collect the following to make a quick evaluation
        – Screen Shots – a GREAT indicator of a credential stealing site is an authentication page
        – Domain age – how old is the website in days or years? Is it new?
        – Category – lack of a category, or has the site been categorized (Blog/Malware/etc.)?
        – Reputation – is this a Bad, Neutral or Good site?
        – Blacklists – is the domain on any blacklists? If so, why is the SMTP gateway not catching it?
        – Country – where is this URL from?
        – Alexa Rating – how well known is it?
      • LOG-MD will give you the IPs and WhoIs lookup
  67. Other Possibilities
      • Add an email warning on all Internet-originating emails
      • You could temporarily turn off any non-MFA/2-Factor systems when these hit – Ouch!
        – Would need buy-in from everyone
        – And a good “repeatable” procedure
  68. Conclusion
      • If you don’t have MFA – you are screwed
      • These actors are active within hours or a day
      • Don’t count on your IDS/IPS: the landing sites are HTTPS (as in the samples above), so it only sees traffic in the clear, and it can only alert if the site is already well known as “Bad”
      • Learn how to react FAST and reset creds
      • Teach your team how to evaluate these quickly
        – Evaluate the emails in a lab and click through the URLs
        – Many will have redirects to the Cred stealing site; this is the URL you want to block!
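The URL checklist on slide 66 and the conclusion's point about redirects, as an added Python example that is not the authors' code and not part of LOG-MD. It resolves a constructed redirect chain offline from recorded responses (the way you would record them clicking through in a lab), lists every host to block with the landing host last, and scores the landing domain with the slide's indicators. Missing threat-intel data is treated as a reason to look harder, never as "clean", which is what both timelines in the deck showed. The response set, intel fields, hostnames and thresholds are assumptions.

```python
from datetime import date
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
TODAY = date(2018, 2, 6)   # assumed date of the triage

# Constructed sample of what a lab browser sees after clicking the link in the PDF:
# requested URL -> (status, response headers). All hostnames are reserved example names.
RESPONSES = {
    "http://links.tracker.example/r/abc123": (302, {"Location": "https://cdn-files.example/doc/view?id=7"}),
    "https://cdn-files.example/doc/view?id=7": (301, {"Location": "/doc/onedrive/index.php"}),
    "https://cdn-files.example/doc/onedrive/index.php": (302, {"Location": "https://secure-login-docs.example/auth/scan.html"}),
    "https://secure-login-docs.example/auth/scan.html": (200, {"Content-Type": "text/html"}),
}

# Constructed threat-intel observations for the landing host (field names assumed),
# modelled on the deck's "nothing bad" results: no category, no rank, no blacklist hit.
LANDING_INTEL = {
    "registered": date(2018, 2, 2),
    "category": None,
    "reputation": "unknown",      # good / neutral / bad / unknown
    "blacklists": [],
    "country": "IN",
    "alexa_rank": None,
    "screenshot_has_login_form": True,
}


def follow_redirects(start, responses, max_hops=10):
    """Resolve the redirect chain offline from recorded responses; return every hop."""
    chain, url = [start], start
    for _ in range(max_hops):
        status, headers = responses.get(url, (None, {}))
        if status not in REDIRECT_CODES:
            return chain                          # landing page, or a hop with no record
        url = urljoin(url, headers["Location"])   # Location may be relative
        if url in chain:
            return chain                          # redirect loop
        chain.append(url)
    raise ValueError("too many redirects")


def hosts_to_block(chain):
    """Every hostname in the chain, first-seen order, landing host last. Blocking only
    the URL from the email leaves the cred-stealing site reachable via the next lure."""
    seen = []
    for url in chain:
        host = urlsplit(url).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


def evaluate_landing(intel, today):
    """Slide 66 checklist. Absence of data is never a reason to call the site clean."""
    reasons = []
    login_form = intel["screenshot_has_login_form"]
    if login_form:
        reasons.append("screenshot shows an authentication page")
    age_days = (today - intel["registered"]).days
    if age_days < 30:
        reasons.append(f"domain registered {age_days} days ago")
    if intel["category"] is None:
        reasons.append("no web-filter category")
    if intel["reputation"] == "bad":
        reasons.append("bad reputation")
    if intel["blacklists"]:
        reasons.append("blacklisted by " + ", ".join(intel["blacklists"]) + "; ask why the gateway missed it")
    if intel["alexa_rank"] is None:
        reasons.append("no Alexa rank")
    reasons.append(f"hosted in {intel['country']}")

    known_bad = intel["reputation"] == "bad" or bool(intel["blacklists"])
    weak_signals = age_days < 30 or intel["category"] is None or intel["alexa_rank"] is None
    if known_bad or (login_form and weak_signals):
        verdict = "block"
    elif login_form or weak_signals:
        verdict = "investigate"   # e.g. a 2-year-old categorised site may be a compromised host
    else:
        verdict = "no verdict"    # not "clean": the intel may simply not exist yet
    return verdict, reasons


def triage_url(start, responses, intel, today=TODAY):
    chain = follow_redirects(start, responses)
    verdict, reasons = evaluate_landing(intel, today)
    return {"chain": chain, "landing": chain[-1], "block_hosts": hosts_to_block(chain),
            "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    result = triage_url("http://links.tracker.example/r/abc123", RESPONSES, LANDING_INTEL)
    print(" -> ".join(result["chain"]))
    print("block:", ", ".join(result["block_hosts"]))
    print(result["verdict"], "because", "; ".join(result["reasons"]))
```

The first sample in the deck scored "domain is 2 years old" and "nothing bad" almost everywhere, yet was a live credential page; that is why the login-form screenshot carries the decision here and domain age, category and rank only qualify it. Feed the chain into your proxy or DNS block list in full: the tracker and CDN hops are reused across lures long after the landing host is burned.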
  69. Recommended Sites
      • Screen Shots
        – URLScan.io
        – URLQuery.net
      • Blacklist lookup
        – FortiGuard.com/webfilter
        – global.sitesafety.trendmicro.com
        – safeweb.norton.com
        – trustedsource.org
        – URLVoid.com
        – TalosIntelligence.com
      • Reputation
        – URLVoid.com
        – TalosIntelligence.com
      • WhoIs
        – DomainTools.com
        – LOG-MD.com (We have WhoIs lookups now ;-)
      • Alexa
        – URLVoid.com
        – Alexa.com
  70. Questions
      • You can find us on the Twitters
        – @HackerHurricane
        – @Boettcherpwned
      • LOG-MD.com
      • MalwareArchaeology.com
      • Preso will be on SlideShare and linked on MalwareArchaeology.com
      • Listen to the podcast to hear the rest of this topic
        – http://www.brakeingdownir.libsyn.com/
