The Project Sauron APT

Key takeaways,

  • DNS keeps being an important protocol for exfiltration
  • Process Injection, Memory Persistence, no file trace in disk
  • Living of the land techniques to move laterally
  • They thwarted the attribution process not using twice the same threat infrastructure

https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf

 

Battlefield Digital Forensics

 

imagesIn a quick break this weekend I had a chance to read this new paper developed by NATO to explain and train special forces in the art of digital intelligence and evidence collection.

It is clear from this publication how rapidly the world around us is transforming, special forces from now on will be trained in the process of gathering intelligence from the battlefield. Guess how that information looks like, it is digital!

The paper is very interesting covering the process of SIDSS process and other subjects such as anti-forensics, data exfiltration and potential scenarios faced by operators deployed in the field.

You can read the document here.

Hunting down Threat Infrastructure (1)

 

imagesIn this two article series, I am going to explain how to spot anomalous activity in proxies and DNS queries coming out of your network. Additionally, I am also explaining how to recognize suspicious threat infrastructure, what elements you need to pay attention to, how this infrastructure behaves, what are the challenges for the defender and I will also present a solution worth considering when hunting down this infrastructure in an enterprise environment.

To start hunting threat infrastructure we are going to look at the activity generated by your proxies and DNS. In a previous post, I explained some hunting techniques to use when investigating DNS logs. The richness of proxy logs allow you to hunt for different sort of activities such as drive by downloads looking at the fields ‘Referrer’ and ‘URI’ , malware looking at the ‘User Agent’ field or ‘Host’ and some other activities like data exfiltration. There are different suspicious activities and you can find some of them in the following link associated to their log fields.

http://www.symantec.com/connect/articles/forensic-log-parsing-microsofts-logparser

https://www.sans.org/reading-room/whitepapers/modeling/advanced-threat-analytics-incident-response-2133

I will focus in the URI field and Referrer mainly because these 2 fields point the user to a resource in internet that may be suspicious or will compromise your network. URLs are the value of this field and we will discuss them in this post. These URLs are the link between your organization and the threat infrastructure of the attacker, which he leverages to compromise and control your network.

There are some interesting components of an attack that I will describe very briefly such as drive by downloads, malware delivery networks, fast flux networks and dynamic DNS.

All these components are currently the link between you and your attacker. A simple visit to a URL can redirect you to another URL and serve you an exploit through the landing page. An image is worth hundred words.

 

diagram

 

 As an example for Exploit Kit detection – a good practice is to search for http code 302 and 200, which indicate that a url redirection and a landing page was loaded. Do not forget this is normal activity however it may not be depending on the value of your url and the analysis results you obtain from it. This url is primarily the tip of the iceberg and the first hit against the malware delivery network

Once the compromise has happened the malware will phone home to receive commands, extend the foothold and perform any sort of activity coded in the malware. This last step in which malware is served or is calling home through the malware delivery network, is the most important to understand for a defender. Modern botnets and malware use what is called fast-flux techniques, Dynamic DNS and DGAs to evade eradication and add confusion to the defender.

The main idea behind a fast flux network is to map multiple IP addresses to the same DNS name, so the domain name resolves very quickly, usually in minutes, to different IPs.

These IPs do not host the backend server, they only proxy the query and they send it to a backend server. This provides the attacker a big grade of resilience, cloaking and savings since they do not need to duplicate the backend of the malware delivery network.

 

diagram2

 

 

Dynamic DNS:

Is a legitimate technology that allows businesses to host resources sitting on constantly changing IP addresses. An example would be an individual or small company which needs to host resources on top of a dynamic IP. When the IP is constantly changing Dynamics- DNS has the benefit of being able to map that resource to that constantly changing IP. This particular feature of DNS makes it very attractive for the criminal who needs to constantly change the IP address of his malware delivery network to avoid detection. Dynamics DNS can be perfectly detected in the URL field. Not all dynamic DNS domains are malicious however they are one isolated indicator that in conjunction with others can automatically flag up the malicious nature of the url. Dynamics DNS is in essence an effective technology to evade IP blacklisting.

DGA:

I already mentioned DGA in a previous article.

https://cyber-ir.com/2016/04/06/the-evil-side-of-dns/

This technology helps to avoid domain blacklisting using randomly generated disposable subdomains. Similar to fast flux however the difference is that for that dynamic dns the IP falls in the addressing space of one ISP and 1 or 2 ASN´s (autonomous system number) and for fast flux the IP falls in different ASN´s or different IP´s scattered across multiple geographic locations.

Let’s now look at some potential options for the attacker to deliver the attack, parked domains, legitimate compromised domains and shady domains.

Parked domains:

They are legitimate resources on the internet, they are usually single page with ads that provide a very limited value to the user who visits them. These domains are registered by typosquatters or legitimate domain registrars that want to monetize the visit of users who might land on the main page.

The trick is the following, sometimes these domains get mixed with malicious practices and content, the page can serve malvertising or get compromised and serve malware.

Legitimate compromised domains:

This option is easy to understand, a vulnerable site that is not well maintained can be compromised and be used for malicious purposes.

Shady Domains:

In the internet revolution nearly 40 years ago we started with 6 TLDs (top level domains) such as .com”, “.net”, “.org”, “.gov”, “.mil”, and “.edu”. In later decades internet evolved quickly and until today we have around 1,000 TLDs. The proliferation of TLDs is supporting the internet development however it also poses a severe risk since it is impossible to monitor them for malicious activity and that´s how some of these Shady Domains support exclusively malicious content.

The biggest challenge here for the defender is to block or disrupt the communication to defend against these attacks without causing collateral damage having to block or take down shared domain names, IP addresses hosting different sites or block name servers used by different domains.

In the next article I will tackle this issue and I will explain what tools we have available to detect, block, research and track this malicious infrastructure. I did not only want to present what is possible to detect but also how malware currently behaves since some of the activity described above will be seen in the analysis of the url´s you find in your proxy logs. I have seen analysts go crazy since they were not able to explain why tools and automation rules were reporting clean sites or different IP’s every time the domain is resolved creating the mentioned confusing situation in them to effectively evade detection as explained before.

In the meantime if you are looking to hunt in your proxy logs I recommend you the following resources. I have taken some time hunting in proxies and they will be helpful to understand what sort of activity is possible to detect in them. As always, it will take time for you to put all the information together but it is the same process I had to go through  that will make hunting in your proxy logs second nature. Hunting is an endless learning process in which we need to strive to understand what is possible and also be able to catch up with coming techniques.

http://www.threathunting.net/

https://www.bluecoat.com/company/press-releases/blue-coat-reveals-webs-shadiest-neighborhoods

http://www.hexacorn.com/blog/category/proxy-logs-analysis/

https://forensics.cert.org/latk/LogTools-220414-0802-340.pdf

http://energy.gov/sites/prod/files/cioprod/documents/Mining_Proxy_Logs_-_Matthew_Myrick.pdf

https://www.bluecoat.com/security-blog/2015-05-05/know-your-agents

http://www.hexacorn.com/blog/category/proxy-logs-analysis/page/2/

http://energy.gov/sites/prod/files/cioprod/documents/Mining_Proxy_Logs_-_Matthew_Myrick.pdf

https://www.sans.org/reading-room/whitepapers/malicious/mining-malware-gold-thar-proxy-logs-32959

The ultimate targeted attack: Malvertisements

I am very surprised to see the title of this video, it should have included malvertising in it however if someone would have asked me about malvertising I would have undoubtedly answered ‘Elias Manousos’. Him and RiskIQ are today the pioneers in the field of external threat surface.

The number of views demonstrate how low the number of viewers is and unfortunately, this is one the videos that if you are currently working in cyber security whether you are a practitioner or manager you should watch.

Malvertising is an emerging attack vector that does not seem to be very popular yet in the enterprise world neither very well known among the security professionals. I am just judging because of the amount of resources, technical solutions and material existing today in internet.

The impact is real, it can be a massive vehicle for spreading malware or a terribly targeted attack against your organization. The video is short and to the point, I like the way he presents the subject which goes beyond and shows you how insecure the web architecture it is today and how impactful these attack vectors are. All this done in an elegant way without even mentioning much how powerful their solution is.

 

Security Intelligence: A Practitioner’s Guide to Solving Enterprise Security Challenges

This is another awesome book I recently found trying to validate some knowledge for my next blog post. This is the definitive book to understand today’s malware distribution networks and how they operate.

SI

I have spent a considerable amount of time researching and working with technologies aimed at recognizing Malware Delivery Networks and this is the book to learn everything you need to know about the subject without the painful experience of scattered resources.

If you are working as a threat intelligence analyst or SOC analyst –  this book must be on your shelf, no exaggeration.

The most interesting chapters for my validation work were chapter 2: Proxy Deployment and challenges, chapter 4: Malware and malware delivery networks and chapter 5: Malnet detection techniques.

The book isn’t a practical book but if you have been hunting or dealing with incidents related to malware you will understand better how to defend and interpret data provided by different solutions such as AV, OSINT and Passive DNS. Understanding the dynamic nature of today’s MDN’s to avoid detection will help you to interpret the results better from your tools, how to detect and block these persistent threats.

https://www.amazon.co.uk/Security-Intelligence-Practitioners-Enterprise-Challenges/dp/1118896696/280-3524242-5629225?ie=UTF8&*Version*=1&*entries*=0