4 February 2016
Business Security Consultant
External Threats: Current Trends
Alexey Lukatsky

What are organizations afraid of?

Changes in attack behaviour
Speed, agility, adaptation, destruction
Innovation, reuse of old techniques in new ways, and evasion of defensive mechanisms

Attackers' agility is their strength
Constant updates raised Angler's penetration rate to 40%
Twice as effective as other exploit kits in 2014
Diagram labels: compromised system; Flash vulnerabilities; change of target; Angler; continuously "casting hooks into the water" increases the chance of compromise; social engineering; throwaway sites; TTD
Countermeasures: web blocking, IP blocking, retrospective analysis, antivirus, endpoint protection, email scanning

Direct attacks generate large revenues
More effective and more profitable

Evolution of ransomware: the target is data, not systems
TOR: ransomware is now fully automated and operates over anonymous networks
$300-$500: attackers have done their own research into the ideal price point; the ransom amount is not excessive
Targeted data: personal files, financial data, email, photos
Ransomware focus: rare languages (e.g. Icelandic) or user groups (e.g. online gamers)

Shadow infrastructure is resilient and stealthy
Designed for evasion, recovery and health monitoring
15,000 unique sites redirecting to Angler
99.8% of them were used fewer than 10 times

Constant modification of malicious code
Adware MultiPlug uses its own URL encoding scheme to evade detection, thereby increasing its "effectiveness" against compromised users
Number of compromised users: new URL scheme vs. old URL scheme
The new URL scheme dramatically outperforms the old one
Domain changed once every 3 months (500 domains so far)
Browser add-on names changed continuously (4,000 names so far)

Dridex: resurrecting old methods
Use of "old" methods, short campaign lifetimes and constant mutation make macro viruses hard to block
Timeline: campaign launched; detected by Outbreak Filters; antivirus engine detects Dridex; but the attackers still got into the system
Since the start of the year we have found 850 unique Dridex mailing samples, each active for no more than a few hours

Rombertik
Malware is evolving not only towards data theft: if it is detected and someone tries to interfere with it, it can destroy the infected system.
Destruction if detected
• Wipes the MBR
• After a reboot the computer no longer works
Gaining access
• Spam
• Phishing
• Social engineering
Evading detection
• Writes random data to memory 960 million times
• Floods the sandbox's memory
Stealing user data
• Delivers user data back to the attackers
• Steals any data, not just banking data
Anti-analysis; persistence; malicious behaviour

Sandbox evasion
Malware is evolving towards protecting itself from examination in sandboxes, where malicious code is executed and analyzed. These techniques are not new, but in 2015 they were used more and more often.

Vulnerable infrastructure is exploited quickly and widely
221 percent growth in attacks on WordPress

Appetite for Flash
The Flash platform is a popular attack vector for cybercrime

Use of Flash, Java and Silverlight is declining
But there are more publicly available exploits for Flash than for other vendors' products

Interest in Apple products is growing

Botnets
I. Multi-purpose botnets (e.g. Gamarue and Sality)
II. Click-fraud botnets (e.g. Bedep and Miuref)
III. Banking trojans

DNS: a security blind spot
91.3% of malware uses DNS
68% of organizations do not monitor it
A popular protocol that attackers use for command and control, data exfiltration and traffic redirection

Browser infections: a plague that does not go away
More than 85% of surveyed companies are affected every month

Less popular does not mean less effective

Where does all this lead?
Bitglass: 205 days
Trustwave: 188 days
Mandiant: 229 days
Ponemon: 206 days
HP: 416 days
Symantec: 305 days
2,287 days: one of the longest undetected intrusions

Thank you!

Cisco. Alexey Lukatsky. "External Threats: Current Trends"


Editor's Notes

  • #3 NEED PERCENTAGE INCREASE OR DECREASE IN BOTTOM CORNER OF SQUARE. Concerns about security are changing how these professionals protect networks. For example, we are seeing more security training, an increase in formal written policies, and more outsourcing of tasks such as security audits, consulting, and incident response. In short, security professionals show signs that they are taking action to combat the threats that loom over their networks.
    • Security awareness and training increased to 90%
    • Organizations with formal written policies increased to 66%
    • 52% of organizations outsource audit and consulting services
    • Outsourced incident response dramatically increased to 42%
    • 39% of organizations indicated that they outsource threat intelligence (a new question in 2015)
  • #4 The tactics developed by malware authors and online criminals have shown increasing sophistication over the past several years. Recent Cisco security reports have chronicled such innovation in the shadow economy, along with security professionals’ fight to stay ahead of adversaries. What’s new is the threat actors’ growing ability to innovate rapidly and enhance their capacity to compromise systems and evade detection. In the first half of 2015, the hallmark of online attackers may be their willingness to evolve new tools and strategies—or recycle old ones—to dodge security defenses. Through tactics such as obfuscation, they can not only slip past network defenses but also carry out their exploits long before they are detected—if ever.
  • #5 Earlier this year, Cisco Security Research singled out the Angler exploit kit as the one to watch among known exploit kits observed in the wild because of its innovative use of Flash, Java, Microsoft Internet Explorer, and Silverlight vulnerabilities. So far in 2015, Angler stands as the leader in exploit kit sophistication and effectiveness. The exploit kit’s authors’ recent concentration on, and quick work to take advantage of, vulnerabilities in Adobe Flash is an example of their commitment to innovation. Cisco Security Research reports that, on average, 40 percent of users who encounter an Angler exploit kit landing page on the web are compromised. This means Angler can identify a known Flash (or other) vulnerability that it can exploit. It then downloads the payload to the user’s machine. By comparison, in previous years, other widely used kits that featured a mix of exploits had an average success rate of just 20 percent. Angler methods include:
    • Angler targets exploits, particularly those of Flash, and takes advantage of the patching gap
    • Angler comprises over 75% of domain shadowing activity since December 2014; Nuclear and RIG are adopting the same practice
    • Angler leverages well-constructed landing pages (to include Jane Austen text) that avoid detection
    • Malvertising provides a steady stream of visitors to landing pages
    • Angler operates in very high volume, short-lived, random campaigns with rapid IP switching
    • Angler drops encrypted malicious payload to delay time to detection
    • There was a 100% increase in Angler’s penetration rate
  • #6 REVENUE DETAILS. $30,000,000 is a lot of money and requires some explanation of how we arrived at it. First let's look at the Angler instance we analyzed. In the course of a single day of activity, which is the average life of an Angler server, it served exploits to ~9000 unique IP addresses. Based on our previous research we have found that ~40% of users being served exploits are compromised by Angler. This means that 3600 users were compromised by that server. We also found a health server that was monitoring 147 Angler servers over the course of a month. Assuming that the average server compromises 3600 users and there were 147 servers, this adversary compromised ~529,000 systems over the course of the month. Also during our research we found that ~62% of Angler infections delivered ransomware and the average ransom is $300. Using numbers from US-CERT via Symantec, 2.9% of users pay the ransom. So, using simple math you can easily determine that this specific adversary is making potentially $3 million a month or a little more than $34 million annually. It is difficult to be 100% accurate with these numbers. The blog post has an interactive site where you can adjust variables to account for your own scenarios.
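The chain of estimates in the note above, carried through step by step as an added worked calculation (not part of the original deck; every figure is the note's own, only the labels are introduced here):

$$
\begin{aligned}
\text{compromised per server-day} &= 9000 \times 0.40 = 3600 \\
\text{compromised per month} &= 3600 \times 147 = 529{,}200 \\
\text{ransomware infections} &= 529{,}200 \times 0.62 \approx 328{,}100 \\
\text{paying victims} &= 328{,}100 \times 0.029 \approx 9{,}500 \\
\text{monthly revenue} &\approx 9{,}500 \times \$300 \approx \$2.85\text{M} \\
\text{annual revenue} &\approx 12 \times \$2.85\text{M} \approx \$34\text{M}
\end{aligned}
$$

Each factor (exposure per server, compromise rate, server count, ransomware share, payment rate, ransom size) is a separate assumption, which is why the note's interactive page lets the reader vary them independently.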
  • #7 In today’s flourishing malware economy, cryptocurrencies like bitcoin and anonymization networks such as Tor are making it even easier for miscreants to enter the malware market and quickly begin generating revenue. To become even more profitable while continuing to avoid detection, operators of crimeware, like ransomware, are hiring and funding their own professional development teams to create new variants and tactics.
    Ransomware encrypts users’ files—targeting everything from financial files to family photos—and provides the keys for decryption only after users pay a “ransom.” Ransomware targets everyone from large companies to schools to individual users. The malware is typically delivered through a number of vectors including email and exploit kits. The exploit kit Angler, for example, is known to drop the Cryptowall payload.
    The ransom demanded is not exorbitant. Usually, a payment between $300 and $500 is required. Why such a modest fee? Adversaries who deploy ransomware have done their market research to determine the ideal price point. The idea is that the ransom is not set so high that a user won’t pay it or, worse, that it will motivate the user to contact law enforcement. Instead, the ransom is more of a nuisance fee. And users are paying up.
    Cisco Security Research reports that nearly all ransomware-related transactions are carried out through the anonymous web network Tor. Adversaries keep the risk of detection low, and profitability high, by using channels like Tor and the Invisible Internet Project (I2P). I2P is a computer network layer that allows applications to send messages to each other pseudonymously and securely. Many ransomware operations also have development teams that monitor updates from antivirus providers so that the authors know when a variant has been detected and it’s time to change techniques. Adversaries rely on the cryptocurrency bitcoin for payments, so transactions are more difficult for law enforcement to trace.
    And to maintain a good reputation in the marketplace—that is, being known to fulfill their promise to give users access to their encrypted files after the payment has been processed—many ransomware operators have established elaborate customer support operations. We have recently observed a number of customized campaigns that were designed to compromise specific groups of users, such as online gamers. Some ransomware authors have also created variants in uncommon languages like Icelandic to make sure that users in areas where those languages are predominantly spoken do not ignore the ransomware message.
    Users can protect themselves from ransomware by backing up their most valuable files and keeping them isolated, or “air gapped” from the network. Users should also realize that their system could be at risk even after they pay a ransom and decrypt their files. Almost all ransomware is multivector. The malware may have been dropped by another piece of malware, which means the initial infection vector must still be resolved before the system can be considered clean.
  • #8 Cisco struck a blow to a group of hackers, disrupting a significant international revenue stream generated by the notorious Angler Exploit Kit. Angler is one of the largest exploit kits found on the market and has been making news as it has been linked to several high profile malvertising/ransomware campaigns. This is the most advanced and concerning exploit kit on the market – designed to bypass security devices and ultimately attack the largest number of devices possible. In its research, Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks, with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30M annually. This implies that if you apply the full scope of Angler activity the revenue generated could exceed $60M annually. Angler is actually constructed in a proxy/server configuration. There is a single exploit server that is responsible for serving the malicious activity through multiple proxy servers. The proxy server is the system that users communicate with, allowing the adversary to quickly pivot and change while still shielding the exploit server from identification and exposure. Additionally, there is a health monitoring server that conducts health checks, gathers information about the hosts that are being served exploits, and remotely erases the log files once they have been fetched. This health server revealed the scope and scale of the campaign, and helped us put a monetary value on the activity.
  • #9 As reported in the Cisco 2015 Annual Security Report, we conducted an in-depth analysis in 2014 of a highly sophisticated, botnet-like, web-based threat that uses malvertising from web browser add-ons as a medium for distributing malware and unwanted applications. This family of malware has a clear signature: Adware MultiPlug. The browser extensions are bundled with other seemingly useful yet unwanted applications, such as PDF tools and video players. Cisco has been monitoring this threat for more than a year. We have observed that the threat is constantly changing in order to remain undetected. The average time period that the threat uses a domain name is three months, and add-on names still change continuously. As reported in the Cisco 2015 Annual Security Report, we have so far discovered more than 4000 different add-on names and over 500 domains associated with this threat. In January 2015, the researchers started to notice that the threat was mutating. Specifically, it abandoned its URL-encoding scheme for evading detection so it could cloak itself in common web traffic instead. This shift in tactics appears to be increasing the threat’s effectiveness at compromising users. Malvertising Breakdown:
    • Bot-like, web-based web browser add-on threat
    • Uses domains for three month intervals
    • Changes add-on names continuously; in 2014, 4000 add-ons and 500 domains were observed
    • Once successful, external and internal web-pages visited are exfiltrated via browser extensions
    • In the first five months of 2015 malicious actors abandoned their original URL encoding scheme to cloak its activity in common web traffic to increase penetration rate
  • #10 The upswing in the use of Microsoft Office macros to deliver banking Trojans shows the convergence of two trends in the world of online criminals: resurrecting old tools or threat vectors for reuse, and changing the threat so quickly and frequently that they can re-launch attacks over and over again and evade detection. The old tools used by the perpetrators of these Trojans are macros in Microsoft Office products such as Microsoft Word. Popular with adversaries years ago, these macros had fallen out of favor because they were eventually turned off by default. However, using social engineering techniques, bad actors can persuade users to turn on macros, thereby adding a new tactic to their toolboxes. Our researchers noticed that the spam campaigns carrying the Dridex payload tended to be very short-lived—perhaps just a few hours long—and that they also mutated frequently, as an evasion tactic. While antivirus solutions perform useful security functions, they are not well suited to detecting these short-lived spam campaigns. By the time a campaign is detected, attackers have already changed the emails’ content, user agents, attachments, and referrers. They then launch the campaign again, forcing antivirus systems to detect them anew. This approach—combining spam, Microsoft Office macros, and Dridex—appeared to be catching on with cybercriminals during the first half of 2015. We examined 850 unique samples of the emails and attached Microsoft Office files carrying this Trojan, a relatively large number of unique examples for a spam campaign. The creators of these quickly mutating campaigns appear to have a sophisticated understanding of evading security measures. They are aware of the reliance on antivirus detection for these threats, and they work to make sure they avoid detection. Dridex Breakdown:
    • Re-use of old attack vectors
    • Uses email delivery with attachments
    • Uses social engineering to get the user to turn on the macros that are turned off by default
    • Executes campaigns within a matter of hours before detection notices propagate
    • Once detected, morphs campaign to evade detection (changes to email content, user agents, attachments, referrers)
    • 850 unique campaign samples observed
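The note above explains why signature-based antivirus lags behind hour-long macro campaigns: the mail content mutates, but the delivery mechanism (a macro-bearing Office attachment from an outside sender) does not. A mail gateway can key on that structural property instead of on signatures. The following is an added example, not code from the deck or from Cisco: it builds two minimal OOXML containers in memory (constructed test input, not real Dridex samples) and inspects the container for the VBA project part and the macro-enabled content type. The policy in `gateway_verdict` and the `MACRO_EXTENSIONS` list are assumptions for illustration.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 container (.doc/.xls); VBA lives in OLE streams there.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions Office uses for macro-enabled documents (assumed policy list).
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".ppsm")


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal Word OOXML container in memory (constructed test
    input, not a real malicious document). Only the parts the detector
    inspects are present: [Content_Types].xml and, optionally, the VBA part."""
    if with_macro:
        main_type = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_type = ("application/vnd.openxmlformats-officedocument."
                     "wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?><Types>'
            f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
            "</Types>",
        )
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real files carry an OLE-structured VBA project here; a placeholder
            # is enough because the detector keys on the part's presence.
            z.writestr("word/vbaProject.bin", b"\x00placeholder VBA storage\x00")
    return buf.getvalue()


def inspect_office_attachment(data: bytes) -> dict:
    """Return what the container alone says about an attachment."""
    info = {"format": "unknown", "macro": False, "reasons": []}
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros sit in OLE streams, which needs a real
        # OLE parser (e.g. oletools' olevba); report it as unresolved.
        info["format"] = "ole2"
        info["reasons"].append("legacy OLE2 container; needs stream-level VBA analysis")
        return info
    if not data.startswith(b"PK"):
        return info
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            info["format"] = "ooxml"
            names = z.namelist()
            vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if vba_parts:
                info["macro"] = True
                info["reasons"].append("VBA project part present: " + ", ".join(vba_parts))
            if "[Content_Types].xml" in names:
                types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
                if "macroEnabled" in types_xml:
                    info["macro"] = True
                    info["reasons"].append("macroEnabled content type declared")
    except zipfile.BadZipFile:
        info["reasons"].append("PK header but unreadable zip container")
    return info


def gateway_verdict(filename: str, data: bytes, sender_is_external: bool) -> str:
    """Policy sketch (an assumption, not a Cisco product rule): macro-bearing
    documents from outside the organisation are quarantined; formats the static
    check cannot settle, or names that claim macros, go to a sandbox; the rest
    is delivered."""
    info = inspect_office_attachment(data)
    if info["macro"] and sender_is_external:
        return "quarantine"
    if info["format"] == "ole2" or filename.lower().endswith(MACRO_EXTENSIONS):
        return "sandbox"
    return "deliver"


if __name__ == "__main__":
    for name, blob in (("invoice.docm", build_sample_ooxml(True)),
                       ("invoice.docx", build_sample_ooxml(False)),
                       ("report.doc", OLE2_MAGIC + b"\x00" * 504)):
        print(name, gateway_verdict(name, blob, sender_is_external=True),
              inspect_office_attachment(blob)["reasons"])
```

The check looks only at the container, so it does not care which of the 850 mutated mailings carried the file; the trade-off is that it cannot see inside legacy `.doc` files, which is why those are routed to deeper analysis rather than delivered.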
  • #11 The authors of sophisticated malware design it to simply stop working in order to avoid being blocked or destroyed when it’s examined by security systems. At the same time, security researchers are constantly on the lookout for new static, dynamic, and automated analysis tools that will make it more difficult for attackers to remain undetected. The goal of Rombertik is to hook into a user’s web browser to extract and deliver sensitive user information to a server controlled by attackers. In this way, Rombertik is similar to the malware known as Dyre. However, Dyre exists to steal banking logins, while Rombertik appears to indiscriminately collect all kinds of user data. Rombertik gains a foothold in users’ systems through spam and phishing messages that use social engineering to entice recipients to download and unzip attachments carrying the malware. When a user unzips the file, it appears to be a PDF; in fact, it’s a screensaver executable file that begins to compromise the system. If Rombertik detects that it is being modified, it attempts to destroy the system’s master boot record and then restart the computer, which will then be inoperable. Breakdown of Rombertik:
    • Uses spam and phishing messages to get users to download and unzip attachments which turn out to be screensaver executables
    • Excessive garbage code keeps the sandbox busy with 960 million instructions to memory; a form of stalling tactics rather than sleeping
    • If Rombertik senses inspection or modification it begins to destroy the MBR or the computer’s home directory
    • If successful, it hooks into browsers to extract user information
  • #13 Analyzing the systems used to support ransomware and other malware, Cisco security researchers found that many online criminals are shifting online activity to compromised WordPress servers. The number of WordPress domains used by criminals grew 221 percent between February and October 2015. This shift in venue, Cisco researchers believe, has happened for a couple of reasons. When ransomware uses other tools to communicate encryption keys or other command-and-control information, those communications can be detected or blocked, which prevents the encryption process from completing. However, communications that relay encryption keys through compromised WordPress servers may appear normal, thus increasing the chances that file encryption will be completed. In other words, the WordPress sites act as relay agents.
  • #14 ADOBE FLASH TOPS VULNERABILITIES LIST The Adobe Flash platform has been a popular threat vector for criminals for several years. Flash vulnerabilities still turn up frequently on lists of high-urgency alerts. In 2015, the good news was that the vendors of products in which these exploits commonly occur, such as web browsers, recognized this weakness and are now taking steps to reduce opportunities for adversaries. In 2016, criminals are most likely to focus their exploits and attacks on Adobe Flash users. Some of these Flash vulnerabilities have exploits available online either publicly or for sale as part of exploit kits. (The volume of Flash-related content has declined, but Flash remains a primary exploitation vector.) This figure displays high-risk vulnerabilities, and indicates whether the vulnerability is part of an exploit kit for hire or has exploits publicly available. Vulnerabilities for which functional exploits are available are a high priority for patching.
  • #17 All companies today are IT companies to some degree because they are dependent on their IT and OT (operational technology) infrastructure to be connected, digitized, and successful. That means they need to make IT security a priority. Yet many organizations rely on network infrastructures built of components that are old, outdated, and running vulnerable operating systems—and are not cyber-resilient.
    • 92% of devices surveyed across the Internet were running known vulnerabilities, with an average of 26 each
    • 31% of devices surveyed across the Internet were End of Service
    • 5% of devices surveyed across the Internet were End of Life
  • #18 Our analysis of malware validated as “known bad” found that the majority of that malware—91.3 percent—use the Domain Name Service in one of these three ways:
    • To gain command and control
    • To exfiltrate data
    • To redirect traffic
    Despite adversaries’ reliance on DNS to help further malware campaigns, few companies are monitoring DNS for security purposes (or monitoring DNS at all). This lack of oversight makes DNS an ideal avenue for attackers. According to a recent survey we conducted, 68 percent of security professionals report that their organizations do not monitor threats from recursive DNS. (Recursive DNS nameservers provide the IP addresses of intended domain names to the requesting hosts.)
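The note above names three malicious uses of DNS and observes that most organizations do not look at their recursive resolver logs at all. The following is an added example, not code from the deck or from Cisco, of the kind of first-pass analysis a resolver log supports once it is collected: it parses a constructed query log (the `.invalid` names and the blocklist entry are placeholders, not real indicators) and raises alerts for blocklisted names, for encoded-looking leftmost labels, for many distinct subdomains under one registered domain (data carried in the query name) and for a TXT-heavy query mix (data carried in the answer). All thresholds are assumptions to be tuned per environment.

```python
import math
from collections import defaultdict

# Constructed resolver log in the form "<epoch> <client> <qname> <qtype>".
# Everything under .invalid is a placeholder, not a real indicator.
SAMPLE_DNS_LOG = """\
1454572800 10.0.0.5 www.example.com A
1454572801 10.0.0.5 static-content-delivery-01.example.net A
1454572802 10.0.0.5 mail.example.com MX
1454572803 10.0.0.7 3f9a1c7e05b8d2463f9a1c7e05b8d246.exfil-demo.invalid TXT
1454572804 10.0.0.7 a1b2c3d4e5f60789a1b2c3d4e5f60789.exfil-demo.invalid TXT
1454572805 10.0.0.7 7e1d3c5b9a2f48607e1d3c5b9a2f4860.exfil-demo.invalid TXT
1454572806 10.0.0.7 0f1e2d3c4b5a69780f1e2d3c4b5a6978.exfil-demo.invalid TXT
1454572807 10.0.0.9 cdn.example.net A
1454572808 10.0.0.9 c2-placeholder.invalid A
"""

BLOCKLIST = {"c2-placeholder.invalid"}   # placeholder entry, not a real indicator


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Approximation: the last two labels. A public-suffix list is the right
    # tool for names such as example.co.uk.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def looks_encoded(label: str, min_len=20, min_entropy=3.5, min_digit_frac=0.3) -> bool:
    """Heuristic for tunnelling-style labels: long, high entropy and digit-heavy.
    The digit test keeps long hyphenated hostnames, which also score high on
    entropy alone, out of the alert stream."""
    if len(label) < min_len:
        return False
    digit_frac = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and digit_frac >= min_digit_frac


def parse_dns_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower(), "qtype": qtype.upper()})
    return records


def analyze_dns(records, min_unique_subdomains=4, txt_share=0.5) -> list:
    """Return (client, alert kind, detail) tuples."""
    alerts = []
    names_per_domain = defaultdict(set)        # (client, registered domain) -> qnames
    txt_stats = defaultdict(lambda: [0, 0])    # client -> [TXT queries, all queries]
    for r in records:
        client, qname = r["client"], r["qname"]
        if qname in BLOCKLIST:
            alerts.append((client, "blocklisted domain", qname))
        if looks_encoded(qname.split(".")[0]):
            alerts.append((client, "encoded-looking label", qname))
        names_per_domain[(client, registered_domain(qname))].add(qname)
        stats = txt_stats[client]
        stats[1] += 1
        if r["qtype"] == "TXT":
            stats[0] += 1
    for (client, domain), names in names_per_domain.items():
        if len(names) >= min_unique_subdomains:
            alerts.append((client, "many unique subdomains", domain))
    for client, (txt, total) in txt_stats.items():
        if total >= 4 and txt / total >= txt_share:
            alerts.append((client, "TXT-heavy query mix", f"{txt}/{total}"))
    return alerts


if __name__ == "__main__":
    for alert in analyze_dns(parse_dns_log(SAMPLE_DNS_LOG)):
        print(*alert)
```

The benign `static-content-delivery-01` label is 26 characters with entropy above 3.5, so an entropy-only rule would flag it; the digit-fraction condition is what keeps it quiet, which is the usual reason single-feature DNS heuristics need a second signal before they are worth paging on.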
  • #19 Malicious browser extensions can steal information, and they can be a major source of data leakage. Every time a user opens a new webpage with a compromised browser, malicious browser extensions collect data. They are exfiltrating more than the basic details about every internal or external webpage that the user visits. They are also gathering highly sensitive information embedded in the URL. This information can include user credentials, customer data, and details about an organization’s internal APIs and infrastructure. Across the 45 companies in our sample, we determined that in every month we observed more than 85 percent of organizations were affected by malicious browser extensions—a finding that underscores the massive scale of these operations. Because infected browsers are often considered a relatively minor threat, they can go undetected or unresolved for days or even longer—giving adversaries more time and opportunity to carry out their campaigns.
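The note above describes malicious extensions sending the URL of every page a user visits, including internal pages and whatever credentials or tokens are embedded in those URLs, to an outside collector. On a web proxy that behaviour is visible as outbound requests whose parameters contain another, internal URL. The following is an added example, not code from the deck or from Cisco, that scans a constructed proxy log for that pattern: a URL of an internal host, or a URL carrying sensitive-looking parameter names, embedded in a request to an external host. The `.corp.example` suffix, the `.invalid` collector name, the sensitive-key list and the log format are assumptions; the placeholder token value is constructed.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed internal DNS suffix of the organisation; private IPs also count as internal.
INTERNAL_SUFFIXES = (".corp.example",)
# Assumed list of parameter names that should never leave the organisation in a URL.
SENSITIVE_KEYS = {"token", "password", "passwd", "session", "sessionid", "api_key", "apikey"}

# Constructed proxy log: "<client> <method> <url>". The collector host is a placeholder.
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET https://intranet.corp.example/wiki/page?id=42
10.0.0.5 GET https://stats-collector-placeholder.invalid/ping?u=https%3A%2F%2Fintranet.corp.example%2Fwiki%2Fpage%3Fid%3D42&t=1
10.0.0.5 GET https://stats-collector-placeholder.invalid/ping?u=https%3A%2F%2Fapi.corp.example%2Fv1%2Fusers%3Ftoken%3DsecretPlaceholder&t=2
10.0.0.6 GET https://sso.corp.example/login?redirect_uri=https%3A%2F%2Fintranet.corp.example%2Fhome
10.0.0.6 GET https://www.example.com/search?q=weather
"""


def is_internal_host(host) -> bool:
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)


def embedded_urls(url: str):
    """Yield absolute http(s) URLs carried in the query values or path of url."""
    parts = urlsplit(url)
    candidates = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    candidates.append(parts.path)
    for value in candidates:
        value = unquote(value)          # handles a second layer of percent-encoding
        if value.startswith(("http://", "https://")):
            yield value


def leaked_url_findings(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _method, url = line.split(maxsplit=2)
        dest_host = urlsplit(url).hostname
        if is_internal_host(dest_host):
            # Internal-to-internal redirect parameters (SSO return URLs etc.)
            # are routine and stay out of the findings.
            continue
        for inner in embedded_urls(url):
            inner_parts = urlsplit(inner)
            reasons = []
            if is_internal_host(inner_parts.hostname):
                reasons.append("internal URL sent to external host")
            keys = {k.lower() for k, _ in parse_qsl(inner_parts.query)}
            if keys & SENSITIVE_KEYS:
                reasons.append("sensitive parameter names in embedded URL: "
                               + ",".join(sorted(keys & SENSITIVE_KEYS)))
            if reasons:
                findings.append({"client": client, "dest": dest_host,
                                 "embedded_host": inner_parts.hostname,
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in leaked_url_findings(SAMPLE_PROXY_LOG):
        print(f["client"], "->", f["dest"], "leaks", f["embedded_host"], f["reasons"])
```

One client repeatedly sending the URLs it has just visited to the same external host, as both findings here show, is the traffic shape to pivot from into an inventory of that user's installed extensions; the same scan run over every client gives the per-month "share of organizations affected" figure the note quotes.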
  • #21 In examining the most common vulnerabilities for the first half of 2015, we find the same types of errors showing up year after year. For example, buffer errors are once again at the head of the list of Common Weakness Enumeration (CWE) threat categories, as defined by the National Vulnerability Database. Buffer errors, resource management errors, and input validation, the three most frequent CWEs, are perennially among the five most common coding errors being exploited by criminals. Assuming vendors are aware of the CWE list, why do these errors keep occurring with such regularity? The problem lies in insufficient attention being paid to the secure development lifecycle. Security safeguards and vulnerability tests should be built in as a product is being developed. Instead, vendors wait until the product reaches the market and then address its vulnerabilities. Vendors need to increase the importance of security within the development lifecycle, or they will continue to spend time and money on catch-up efforts to detect, fix, and report vulnerabilities. In addition, security vendors must assure customers that they are doing everything possible to make their solutions trustworthy and secure—in this case, by making vulnerability testing a crucial component of product development.