#RSAC
Session ID: SP01-W11
Weaponizing Intelligence: Interdiction in Today’s Threat Landscape
Matthew Olney
Manager, Threat Intelligence and Interdiction
Cisco Systems
@kpyke
WHO AM I?
Matthew Olney
Manager of Threat Intelligence and Interdiction
11 years with Sourcefire VRT and Cisco Talos
Prior to that, 10 years in network engineering and security
I’m on Twitter: @kpyke
TALOS INTEL BREAKDOWN
THREAT INTEL
• 250+ full-time threat intel researchers
• Millions of telemetry agents
• 4 global data centers
• 1100+ threat traps
• 100+ threat intelligence partners
• 1.5 million daily malware samples
• 600 billion daily email messages
• 16 billion daily web requests
• 20 billion threats blocked
Sources: honeypots, open source communities, vulnerability discovery (internal), product telemetry, internet-wide scanning
INTEL SHARING
• Customer data sharing programs
• Provider coordination program
• Open source intel sharing
• 3rd party programs (MAPP)
• Industry sharing partnerships (ISACs)
• 500+ participants
WHAT IS INTERDICTION?
“Interdiction is a military term for the act of delaying, disrupting, or destroying enemy forces or supplies en route to the battle area.”
Threat Intelligence and Interdiction takes action:
• Outside the border of our customers’ networks
• To disrupt and degrade actor capability
• Using linguists, reverse engineers, incident responders, mathematicians, researchers and developers
• Working with law enforcement organizations (LEO), government and industry organizations, hosting providers and other intelligence partners
WE ARE SUCCESSFUL WITH FRIENDS — NOT TECHNOLOGY
Easy
• ISAC (Information Sharing and Analysis Center)
• Industry, national and multinational CERTs
• Internet service providers
• Individual researchers and research groups
• Industry partners
• Competitors (seriously)
Tricky
• Web hosting providers
Strategic
• Law enforcement
• Military
• Government
“I apologize for being a black hole.”
– Undisclosed Government Agency
TRICKY: WEB HOSTING PROVIDERS
• Legal and economic barriers to cooperation
• Narrow profit margins
• Limited investment in abuse and security services
• But there are costs incurred by hosting malicious actors
  • LEO interactions
  • Abuse handling
  • Bandwidth, engineering, charge-backs
Let’s help each other
“It seems like they gave up after about 4 days of 2-3 orders a day. We have not seen any order attempts since 5/15. Thanks for the quick heads up, getting those C&C IPs into our netflow system stopped them cold.”
– Intelligence Partner, Angler Investigation
INTERDICTION CASE STUDY #1:
SAMSAM & JBOSS
TWO CRITICAL JBOSS CVES
CVE-2007-1036
• “…JBoss does not restrict access to the console and web management interfaces…”
CVE-2010-0738
• “The JMX-Console web application … performs access control only for the GET and POST methods...”
• Because the security constraint enumerates only those two verbs, a request using any other method (HEAD, for example) reaches the JMX console without authentication.
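The following is an added example, not code from the Talos deck or from JBoss, that turns the CVE-2010-0738 description above into a check a responder can run against a suspect host. It assumes the JMX console is reachable at /jmx-console/HtmlAdaptor, the stock path; the two mock servers are constructed here so that the check runs offline, one mimicking the pre-patch security constraint that covers only GET and POST, the other a patched console where every verb is challenged.

```python
"""Check a JBoss JMX console for CVE-2010-0738 verb tampering.

Added example (not Talos or JBoss code). The vulnerable web.xml protected
/jmx-console/* with a <security-constraint> whose <http-method> list held
only GET and POST, so any other verb reached the console unauthenticated.
The check: an anonymous GET must be refused (401/403) while a HEAD to the
same path succeeds (200). The mock servers below are constructed for the
example; point check_verb_tampering() at a real host/port to use it.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

JMX_PATH = "/jmx-console/HtmlAdaptor"  # stock JMX console path (assumption)


class VulnerableJmxConsole(BaseHTTPRequestHandler):
    """Mimics the pre-patch constraint: auth enforced for GET/POST only."""

    def log_message(self, *args):  # keep the mock server quiet
        pass

    def _deny(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="JBoss JMX Console"')
        self.end_headers()

    def do_GET(self):
        self._deny()

    do_POST = do_GET

    def do_HEAD(self):  # HEAD is not in the constraint's method list: served as-is
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()


class PatchedJmxConsole(VulnerableJmxConsole):
    """Constraint with no <http-method> list: every verb requires auth."""

    def do_HEAD(self):
        self._deny()


def start_server(handler):
    """Serve a mock console on an ephemeral localhost port; return (host, port, server)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[0], srv.server_address[1], srv


def status_for(host, port, method, path=JMX_PATH, timeout=5):
    """Send one unauthenticated request and return the HTTP status code."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        return conn.getresponse().status
    finally:
        conn.close()


def check_verb_tampering(host, port, path=JMX_PATH):
    """Return the two status codes and a verdict.

    Vulnerable iff the anonymous GET is refused but HEAD is accepted for the
    same path. 404 on both means there is no console at that path at all.
    """
    get_status = status_for(host, port, "GET", path)
    head_status = status_for(host, port, "HEAD", path)
    vulnerable = get_status in (401, 403) and head_status == 200
    return {"get": get_status, "head": head_status, "vulnerable": vulnerable}


if __name__ == "__main__":
    for label, handler in (("vulnerable", VulnerableJmxConsole),
                           ("patched", PatchedJmxConsole)):
        host, port, srv = start_server(handler)
        print(label, check_verb_tampering(host, port))
        srv.shutdown()
```

The documented remediation for CVE-2010-0738 was to remove the http-method elements from the JMX console's security constraint so that it applies to every verb; that is what PatchedJmxConsole models. A GET/HEAD pair is the cheapest probe, but a console that answers 200 to both has the older CVE-2007-1036 problem (no authentication at all), so read both codes rather than only the verdict.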
JEXBOSS
“João Filho Matos Figueiredo, what did you do?”
– João’s mother, probably
SAMSAM
• Telemetry indicates December 2015 start date
• Network-wide ransomware attack
• Ransom paid via Bitcoin
• Seen in many verticals, but best known for activity in healthcare
• Uses ‘JexBoss’
• Multiple Cisco IR engagements
• Strong LEO interest
Ransom demand: 0.7-1.5 BTC per workstation; 22 BTC total for all keys
TALOS RESPONSE (MARCH)
Preliminary blog post:
• Samsam: The Doctor Will See You, After He Pays The Ransom
Research: How bad is this JBoss problem?
• Full IPv4 scan found roughly 3.2M IP addresses that behaved in a way suggesting they were vulnerable JBoss servers
Express mild concern on social media:
EMAIL OF THE YEAR: CISCO IR SHARES CRITICAL INTEL
Forensic timeline developed by Cisco IR:
Day X
• JexBoss invocation & JBossAss backdoor installation
X+47 days
• File upload installed on web server
X+49 days
• Full webshell installed and CSVDE executed (Active Directory dump)
X+73 days
• tunnel.jsp installed, allowing IP tunnel
• Elevated privileged user connects via RDP
• Recon with Hyena
• Likely first use of admin credential
X+74 days
• Samsam encryption operation begins
“ACTIONABLE”
• There is a window between shell installation and file encryption
• I dramatically fail at math and also manage to underestimate the capabilities and determination of my team. They finished it over the weekend and had the results waiting for me Monday morning.
2,104 shells
1,575 unique IPs
88 countries
JBoss status pages:
http://<Jboss IP address>/status
http://<Jboss IP address>/status?full=true
2,176 uniquely-named shells
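As an added example, not Talos tooling, here is the kind of triage one can run over a saved copy of the status page listed above to pick out webshells on a compromised JBoss server. The HTML is constructed for the example and only loosely resembles the real status servlet output (a list of deployed contexts and, with ?full=true, the in-flight request table); the allowlist of expected contexts and the generic shell names are assumptions, while jbossass.jsp and tunnel.jsp are this example's reading of the “JBossAss backdoor” and “tunnel.jsp” the timeline names.

```python
"""Triage a JBoss/Tomcat status page for webshell indicators.

Added example, not Talos code. extract_jsp_paths() pulls every .jsp path
the page exposes, triage_status_page() flags known shell names and JSPs
that live outside the contexts a defender expects, and shell_invocations()
reads the ?full=true request table to show which client is driving a
flagged shell right now. The sample page, allowlist and generic shell
names below are constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Contexts expected on this particular server (assumption for the example).
EXPECTED_CONTEXTS = {"/", "/jmx-console", "/web-console", "/invoker", "/myapp"}

# jbossass.jsp / tunnel.jsp come from the deck's timeline; the rest are generic guesses.
KNOWN_SHELL_NAMES = {"jbossass.jsp", "tunnel.jsp", "cmd.jsp", "shell.jsp"}

JSP_PATH = re.compile(r"(?<![\w.])(/[\w./%-]*?\.jsp)\b", re.IGNORECASE)

# Constructed sample of a /status?full=true page (not real servlet output).
SAMPLE_STATUS_FULL = """<html><body>
<h1>JBoss Web Status</h1>
<h2>Application list</h2>
<h3>/</h3><p>Servlets: /index.jsp</p>
<h3>/myapp</h3><p>Servlets: /myapp/login.jsp, /myapp/report.jsp</p>
<h3>/jbossass</h3><p>Servlets: /jbossass/jbossass.jsp</p>
<h3>/tunnel</h3><p>Servlets: /tunnel/tunnel.jsp</p>
<h3>/uploads</h3><p>Servlets: /uploads/u.jsp</p>
<h2>Requests</h2>
<table>
<tr><th>Stage</th><th>Client</th><th>Request</th></tr>
<tr><td>S</td><td>203.0.113.7</td><td>GET /jbossass/jbossass.jsp?cmd=id HTTP/1.1</td></tr>
<tr><td>S</td><td>198.51.100.4</td><td>GET /myapp/report.jsp HTTP/1.1</td></tr>
</table>
</body></html>"""


def extract_jsp_paths(html):
    """Return the unique .jsp paths that appear anywhere in the status page."""
    return sorted({m.group(1).lower() for m in JSP_PATH.finditer(html)})


def context_of(path):
    """'/myapp/report.jsp' -> '/myapp'; '/index.jsp' -> '/' (root context)."""
    parts = path.split("/")
    return "/" if len(parts) <= 2 else "/" + parts[1]


def triage_status_page(html, expected_contexts=EXPECTED_CONTEXTS):
    """Classify each .jsp path: known-shell-name, unexpected-context or expected."""
    findings = []
    for path in extract_jsp_paths(html):
        name = path.rsplit("/", 1)[-1]
        ctx = context_of(path)
        if name in KNOWN_SHELL_NAMES:
            verdict = "known-shell-name"
        elif ctx not in expected_contexts:
            verdict = "unexpected-context"
        else:
            verdict = "expected"
        findings.append({"path": path, "context": ctx, "verdict": verdict})
    return findings


def shell_invocations(html):
    """(client, request-uri) pairs from the request table that hit a flagged path."""
    flagged = {f["path"] for f in triage_status_page(html) if f["verdict"] != "expected"}
    row = re.compile(
        r"<td>(\d{1,3}(?:\.\d{1,3}){3})</td><td>\s*[A-Z]+\s+(\S+)\s+HTTP/",
        re.IGNORECASE,
    )
    return [(client, uri) for client, uri in row.findall(html)
            if urlsplit(uri).path.lower() in flagged]


if __name__ == "__main__":
    for f in triage_status_page(SAMPLE_STATUS_FULL):
        print(f"{f['verdict']:<19} {f['path']}")
    for client, uri in shell_invocations(SAMPLE_STATUS_FULL):
        print("active shell use:", client, uri)
```

The allowlist is what makes this useful beyond a name match: a renamed shell in a context nobody deployed still surfaces as unexpected-context, and the request table turns a static finding into a live client IP for the netflow block the Angler partner quote above describes.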
STATUS CHECK
Almost 2000 notifications
• Intel partners
• Sales staff
• 20 Talos researchers
• 2 weeks
Samples gathered
• IR specialists on site
• Sample exchange with Follett and intel partners
New actors tracked
Tracking compromised servers
• JBoss status pages
• JBoss honeypots
NEW DATA FROM CISCO IR
• IR received a SAMSAM engagement from an IP address the earlier scan had not flagged
  • Could be SSL on 443
  • Or, fairly often, on port 8080
• Run the same play
  • 2^32 scan for all 443 and 8080 ports displaying vulnerable JBoss behavior
  • Scan potentially vulnerable hosts for known backdoors
2,104 new targets
625 new backdoor IPs
JBOSS – THE SAGA CONTINUES
• Notified servers not 100% remediated
• Actors continue to attack JBoss servers
• Working with LEO
Floki Bot Strikes
Talos, Flashpoint and FIRST
WHAT IS FLOKI BOT?
FIRST – FIRST-PLUGIN.US
Function Identification and Recovery Signature Tool (IDA Pro plugin)
Streamline code research
• Prevent duplication of effort
• Reduce analysis time
• Detect code reuse between malware families
Open beta: 133 users, 187,988 functions annotated
FIRST SYSTEM OVERVIEW (IDA Pro)
Check for metadata
56 6A 0C 6A 01 E8 64 AB 00 00
Add function metadata
Name / Prototype / Comment
Update function metadata
With the most recent version
HOW THE PLUGIN WORKS
Check for a function or many at once
Plug-in sends the server the opcodes, architecture, and APIs called by the function
sub_401000
--------------------------------------------------
56 6a 0c 6a 01 e8 64 ab 00 00 8b f0 8b 44 24 10 89
46 04 8b 44 24 14 89 46 08 a1 08 b4 47 00 85 c0 59
59 74 12 83 3d 00 b4 47 00 00 75 09 ff 35 0c b4 47
00 ff d0 59 a1 04 b4 47 00 85 c0 74 04 89 30 eb 06
89 35 00 b4 47 00 89 35 04 b4 47 00 83 26 00 5e c3
BEFORE AND AFTER FIRST
USING FIRST TO ANALYZE FLOKI BOT
TOR SUPPORT
COLLABORATION WITH FLASHPOINT
CUSTOMER SERVICE IS IMPORTANT
TAKEAWAYS
WHAT SHOULD YOU DO?
WHAT SHOULD YOU DO?
• There is more to defense than just what happens on your network
• Demand that your information security operation spend time building relationships with peers
• Demand that your security software supports customized detection
  • Snort rules
  • ClamAV signatures
  • IP and domain blacklisting
  • Arbitrary IOC tracking and blacklisting
• Ensure you have the visibility and policies necessary to share critical information with your partners before you reach out for help
• Maneuver yourself in advance into a position that allows for flexibility and speed when a crisis occurs
Q&A
talosintelligence.com
@talossecurity
@kpyke
INTELLIGENCE COMMUNITIES
Project Aspis – collaboration between Talos and hosting providers
• Talos provides expertise and resources to identify major threat actors
• Providers potentially save significant costs in fraudulent charges
• Talos gains real world insight into threats on a global scale, helping us
improve detection and prevention, making the internet safer for everyone
CRETE – collaboration between Talos and participating customers
• Talos provides a FirePower NGIPS sensor to deploy inside the customer network
• Talos gathers data about real world network threats and security issues
• Customers receive leading-edge intel to protect their network
AEGIS – information exchange between Talos and participating members
of the security industry
• Open to partners, customers, and members of the security industry
• Collaborative nexus of intelligence sharing in order to provide better
detection and insight into worldwide threats