In August 2012, Shamoon, a new malware designed to attack Aramco, the Saudi Arabian national oil and natural gas company, was discovered. In its wake, the Shamoon malware destroyed data on about 30,000 of Aramco’s computers and servers, and inflicted a massive amount of damage and chaos that is still reverberating today. From kill switch to wiper, join us for an in-depth exploration of this two-stage targeted attack.
-Explore the mechanics of the two stage targeted attack known as Shamoon
-Understand why the attack was not prevented by traditional on-premises security solutions
-Understand through the Shamoon attack that 100% prevention is not possible
-Gain an introduction to the tools and solutions that detected Shamoon
-Further comprehend APTs and other advanced malware and how to protect your company from attacks like Shamoon
This presentation was given by Seculert Co-Founder and CEO Dudi Matot at Infosecurity Europe 2014.
2. Case Study: Shamoon, a two stage targeted attack
Dudi Matot, Co-Founder & CEO
29/04/14
3. Agenda
• The Shamoon attack
• Why the attack was not prevented
• Attacks today
• How Shamoon was identified
• A holistic approach to threat protection
• Q&A
4. Shamoon Targeted Attack
• Shamoon is a 2-stage attack targeting Oil & Energy companies
• Comprised of 3 modules
— Dropper
— Reporter
— Wiper
• Extracted data via an internal infected machine proxy
5. Shamoon Targeted Attack
• Spread itself on the local network via Scheduled Tasks
• Abused a legitimate & signed RawDisk driver to wipe the MBR
• Wiper module Time Bomb
• Wiped drive and MBR at specified dates and times
• Risk of copycats
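The wiper stage described on this slide overwrites the MBR at a preset time, so a defender's counterpart is an integrity check on sector 0 that runs from a known-good baseline. The following is an added example, not code from the presentation, from Seculert or from Shamoon itself: it parses the MBR partition table, verifies the boot signature and compares the sector against a previously recorded SHA-256. The sample MBR, the hash storage and the `read_mbr` device path are assumptions made for the example.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE          # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"       # last two bytes of a valid MBR


def read_mbr(device_path):
    """Read sector 0 from a raw device (e.g. \\\\.\\PhysicalDrive0 on Windows,
    /dev/sda on Linux). Needs administrator/root rights; not exercised here."""
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


def parse_partitions(mbr):
    """Decode the four primary partition entries of a 512-byte MBR image."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly %d bytes" % MBR_SIZE)
    entries = []
    for i in range(4):
        offset = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, offset)
        entries.append({"index": i, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start,
                        "sectors": sectors})
    return entries


def check_mbr(mbr, baseline_sha256):
    """Compare a freshly read MBR with a known-good hash and structural checks.
    Returns the list of findings; an empty list means the sector looks intact."""
    findings = []
    if hashlib.sha256(mbr).hexdigest() != baseline_sha256:
        findings.append("mbr_hash_mismatch")
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot_signature_missing")
    if not any(p["type"] != 0 and p["sectors"] > 0
               for p in parse_partitions(mbr)):
        findings.append("partition_table_empty")
    return findings


def build_sample_mbr():
    """Constructed sample: a minimal well-formed MBR with one bootable NTFS
    (type 0x07) partition starting at LBA 2048. Not taken from any real disk."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:3] = b"\xEB\x63\x90"   # jump over the (empty) boot code, as real sectors start
    struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFFSET,
                     0x80, 0x07, 2048, 2_000_000)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def baseline_hash():
    """Hash recorded while the host is known-good; store it off-host."""
    return hashlib.sha256(build_sample_mbr()).hexdigest()


if __name__ == "__main__":
    good = build_sample_mbr()
    print("intact sector:", check_mbr(good, baseline_hash()))
    print("zero-filled sector:", check_mbr(bytes(MBR_SIZE), baseline_hash()))
    print("junk-filled sector:", check_mbr(b"\xAB" * MBR_SIZE, baseline_hash()))
```

A zero-filled sector trips all three checks; a sector overwritten with junk bytes still trips the hash and signature checks even though its partition entries decode to non-zero values, which is why the baseline hash rather than structural parsing is the primary signal. Because the wiper fires on a schedule, the check is only useful if it runs (and its baseline is kept) somewhere the malware cannot also reach, such as a monitoring host that pulls the sector over an authenticated channel.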
6. Shamoon: Why wasn’t it prevented?
• Actual attack vector – still unknown
— Insider
— Physical access of a partner
— Spear phishing
• Time based attack (time bomb)
• Worm spreading in local network
• Using local machine as a proxy
• Targeted companies were using solutions which are focused on prevention
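Slides 5 and 6 both point at the worm behaviour: one infected machine creating scheduled tasks on many LAN peers, which per-host prevention tools never see as a whole. The following added example (not code from the presentation or from Seculert) shows the correlation a SOC could run over task-creation events to surface that fan-out. The event records are constructed, and their field names (`src_host`, `dst_host`, `account`) are an assumed normalised schema, such as one built from Windows Security event 4698 joined with the preceding network logon.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real telemetry: remote scheduled-task creations as they
# might look after normalising Windows Security event 4698 (task created) together
# with the network logon that preceded it. The field names are this example's own.
SAMPLE_EVENTS = r"""
{"ts": "2012-08-15T09:12:40Z", "src_host": "ADMIN-01", "dst_host": "FS-03",  "account": "CORP\\jdoe",       "task": "Nightly backup"}
{"ts": "2012-08-15T11:00:02Z", "src_host": "WS-017",   "dst_host": "WS-021", "account": "CORP\\svc_backup", "task": "at1"}
{"ts": "2012-08-15T11:00:05Z", "src_host": "WS-017",   "dst_host": "WS-022", "account": "CORP\\svc_backup", "task": "at1"}
{"ts": "2012-08-15T11:00:09Z", "src_host": "WS-017",   "dst_host": "FS-03",  "account": "CORP\\svc_backup", "task": "at1"}
{"ts": "2012-08-15T11:00:14Z", "src_host": "WS-017",   "dst_host": "WS-030", "account": "CORP\\svc_backup", "task": "at1"}
{"ts": "2012-08-15T11:00:20Z", "src_host": "WS-017",   "dst_host": "WS-031", "account": "CORP\\svc_backup", "task": "at1"}
{"ts": "2012-08-15T11:00:27Z", "src_host": "WS-017",   "dst_host": "WS-044", "account": "CORP\\svc_backup", "task": "at1"}
{"ts": "2012-08-15T14:30:00Z", "src_host": "ADMIN-01", "dst_host": "WS-022", "account": "CORP\\jdoe",       "task": "Patch reboot"}
"""

WINDOW = timedelta(minutes=10)   # how close together the creations must be
THRESHOLD = 5                    # distinct target machines that trigger an alert


def parse_events(text):
    """Parse one JSON record per line and return them in time order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda ev: ev["ts"])


def detect_task_fanout(events, window=WINDOW, threshold=THRESHOLD):
    """Alert when one (account, source host) pair creates scheduled tasks on
    `threshold` or more distinct machines inside `window`: the lateral spread
    pattern from the slides, which no single-host view reveals."""
    by_actor = defaultdict(list)
    for ev in events:                       # events are already time-ordered
        by_actor[(ev["account"], ev["src_host"])].append(ev)

    alerts = []
    for (account, src_host), evs in by_actor.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1              # slide the window forward
            targets = {e["dst_host"] for e in evs[start:end + 1]}
            if len(targets) >= threshold and (
                    best is None or len(targets) > len(best["targets"])):
                best = {"account": account, "src_host": src_host,
                        "targets": sorted(targets),
                        "first_seen": evs[start]["ts"].isoformat(),
                        "last_seen": evs[end]["ts"].isoformat()}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_task_fanout(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

The administrator in the sample creates two tasks five hours apart and is never flagged, even at a threshold of 2, while the service account that touches six machines in under thirty seconds is. Tune the window and threshold against a baseline of the environment's own deployment and backup tooling, which legitimately creates tasks in bursts, and keep the alert keyed on the source host so the first machine to isolate is obvious.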
7. Attacks Today: The Kill Chain
• Describes the progression an attacker follows when planning and executing an attack against a target
• Based on “Intelligence Based Defense”
• Presumes a rich threat intelligence capability leveraging internal and/or external sourced visibility
[Figure: kill chain stages Recon → Weaponization → Delivery → Exploit → Install → C&C → Action, labelled Predictive, Proactive and Reactive from left to right]
8. Why it wasn’t prevented
• Traditional solutions are limited
[Figure: the kill chain (Recon → Weaponization → Delivery → Exploit → Install → C&C → Action) shown three times, with AV, FW/IPS/IDS and Sandbox/NGFW/Proxy each mapped onto the stages it covers]
9. 100% Prevention is Not Possible
• Only focused on part of the kill chain
[Figure: the kill chain (Recon → Weaponization → Delivery → Exploit → Install → C&C → Action) with breach examples: Neiman Marcus, Target PoS, French Aerospace, 0 day]
10. How Seculert Identified Shamoon
• Take the accurate intelligence gathered during the late stages of the kill chain and push it back into existing systems
• Enhances your ability to recognize and stop attacks
[Figure: the kill chain (Recon → Weaponization → Delivery → Exploit → Install → C&C → Action) with the Seculert inputs: Elastic Sandbox, malware behavioral profile, traffic log analysis, crowdsourced threat data, actionable data]
11. A Holistic Approach
[Figure: kill chain stages grouped by posture, with the controls shown across the chain]
PREDICTIVE: Recon, Weaponization
PROACTIVE: Delivery, Exploit, Install
REACTIVE: C&C, Action
Controls across the chain: Risk Intelligence, FW/IPS, Sandbox/NGFW/Proxy, IR/Forensics, Threat Intel, SIEM
Seculert: Intelligence Vectors, Intelligence Identification
Created scheduled tasks on remote machines on the local network. Worm capabilities: spread itself by trying to create a scheduled task on remote LAN machines. The wiper module time bomb was designed to evade traditional sandboxing technologies. EldoS signed the certificate.
As one CISO told me: any time I stop a step in the kill chain, I win. I need intelligence to prime my defenses earlier in the kill chain.
Cyber adversaries are increasingly sophisticated and well-funded. They design malware to evade a sandbox by having it remain dormant; device specific; virtualized environments.
The majority of today’s attacks follow the kill chain. It is important to address all 3 stages of the kill chain (Predictive, Proactive, Reactive), maximizing protection. This needs a whole lot of threat intelligence.
This leaves significant gaps that attackers take advantage of. Shamoon took advantage of a gap in the kill chain.
Targeted companies were using solutions which are focused on prevention, the predictive section of the kill chain. This only stops known threats and leaves significant gaps in a company’s security, allowing threats to get through. We saw this most recently with examples like Target PoS, Neiman Marcus and French Aerospace.
How was the attack identified? A customer uploaded a suspicious file to the Seculert Elastic Sandbox. A malware behavioral profile was automatically created. Big Data analytics simultaneously searched for anomalies in other customers’ gateway traffic logs and found activity that fit the new behavior profile. Crowdsourcing the threat data feeds devices at the start of the kill chain: it protected others, makes smarter use of resources, and gives accurate and actionable threat data. The crowdsourced threat data draws on other vendors, honeypots, P2P and HTTP sinkholes, botnet communications, machine learning and traffic log analysis.
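Slide 10 and the note above describe the same loop: a sandbox run yields a behavioral profile, traffic logs are searched for activity that fits it, and the result is pushed back to devices at the start of the kill chain. The following added example (not Seculert's code, not Shamoon's actual profile and not Seculert's data format) runs that loop over constructed gateway logs using the relay behaviour from slides 4 and 6 as the profile: an infected internal machine that several peers talk to over HTTP and that alone reaches out to the internet. The log columns, the 10.0.0.0/8 internal range, the server allowlist and the `PROFILE` fields are all assumptions made for the example.

```python
import csv
import io
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate address range
KNOWN_SERVERS = {"10.0.0.10"}                        # assumed allowlist of intranet servers

# Behaviour profile as a sandbox run might summarise it. Constructed for this
# example; it is not Shamoon's real profile or Seculert's format.
PROFILE = {"relay_port": 80, "min_clients": 3}

# Constructed gateway/flow log (not real traffic). Hosts 10.1.4.21/22/30 and
# 10.1.9.3 talk to 10.1.4.17 on the relay port, and 10.1.4.17 alone reaches out
# to 203.0.113.45; 10.0.0.10 is a normal intranet web server.
SAMPLE_LOG = """\
ts,src_ip,dst_ip,dst_port,bytes
2012-08-15T11:05:01Z,10.1.4.21,10.1.4.17,80,1200
2012-08-15T11:05:03Z,10.1.4.22,10.1.4.17,80,1180
2012-08-15T11:05:09Z,10.1.9.3,10.1.4.17,80,1300
2012-08-15T11:05:10Z,10.1.4.17,203.0.113.45,80,3500
2012-08-15T11:06:00Z,10.1.4.30,10.1.4.17,80,1250
2012-08-15T11:07:00Z,10.1.4.21,10.0.0.10,80,800
2012-08-15T11:07:05Z,10.1.4.22,10.0.0.10,80,800
2012-08-15T11:07:06Z,10.1.9.3,10.0.0.10,80,800
2012-08-15T11:07:10Z,10.1.4.22,198.51.100.7,443,900
"""


def parse_log(text):
    """Parse the CSV flow log into address objects and integer ports."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"src": ipaddress.ip_address(r["src_ip"]),
                     "dst": ipaddress.ip_address(r["dst_ip"]),
                     "port": int(r["dst_port"])})
    return rows


def find_relays(rows, profile=PROFILE, known=KNOWN_SERVERS):
    """Internal hosts that (a) receive relay-port traffic from several internal
    peers, (b) are not known servers and (c) themselves talk to the outside:
    the 'infected machine used as a proxy' behaviour from the slides."""
    clients_of = defaultdict(set)    # internal dst -> internal clients on relay port
    external_of = defaultdict(set)   # internal src -> external destinations
    for r in rows:
        src_in, dst_in = r["src"] in INTERNAL_NET, r["dst"] in INTERNAL_NET
        if src_in and dst_in and r["port"] == profile["relay_port"]:
            clients_of[r["dst"]].add(r["src"])
        elif src_in and not dst_in:
            external_of[r["src"]].add(r["dst"])

    findings = []
    for host, clients in clients_of.items():
        if str(host) in known or len(clients) < profile["min_clients"]:
            continue
        if not external_of.get(host):
            continue                      # busy internal host, but no outbound leg
        findings.append({"relay": str(host),
                         "clients": [str(c) for c in sorted(clients)],
                         "external": [str(d) for d in sorted(external_of[host])]})
    return findings


def to_actions(findings):
    """Turn findings into what the earlier defences can consume: external
    addresses for the perimeter block list, internal hosts for IR to isolate."""
    block = {ip for f in findings for ip in f["external"]}
    isolate = {f["relay"] for f in findings} | {c for f in findings for c in f["clients"]}
    return {"block_external": sorted(block, key=ipaddress.ip_address),
            "isolate_internal": sorted(isolate, key=ipaddress.ip_address)}


if __name__ == "__main__":
    found = find_relays(parse_log(SAMPLE_LOG))
    print(found)
    print(to_actions(found))
```

The intranet server 10.0.0.10 also receives HTTP from three peers, but it is excluded twice over: by the allowlist and, even without it, by the absence of any outbound leg, which is the part of the profile that separates a relay from an ordinary server. The `to_actions` output is the "actionable data" of slide 10: the external address goes to the firewall or proxy at the front of the chain, and the internal host list goes to IR, which is how late-stage intelligence is pushed back into the earlier defences.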
As we move from left to right, we move through the steps of the kill chain. The risk of learning of the attack vectors increases the longer you wait, but the intelligence of what’s happening does also; this makes responding much more effective.
As we look at the defenses we have at each stage of the kill chain, we understand that each defense is fallible. FW/IPS is easily bypassed. Sandbox, NGFW and proxy have 2-5 minutes to identify new inbound email or URLs, and even then this is just a threat, not yet an infection. So how do you respond to a threat? Either block it or follow where it goes. What do you do when you get there?
SIEM/threat intel: we are looking for possible infections when we compare where our users and systems have communicated against the best threat intel we can buy, but due to the high false positive rate we have to employ expensive and hard-to-find analysts to figure out if we are truly infected or compromised. The IR/forensic team dream of accurate, actionable information that allows them to mitigate or remediate an infection or compromise before it becomes a breach.
At Seculert, we are providing that crisp, clean, actionable, accurate intelligence that confirms an infection or compromise before it breaches, making it much more cost effective and efficient for existing analysts, IR and forensic teams to respond, whether the user is internal or remote, an employee or a partner/contractor. The key is to feed this advanced information into the earlier prevention defenses to give them the latest intelligence vectors to block current communications, giving IR time to remediate the infection.
What does this look like in real life?