Tuesday, February 09, 2010

Pwnt: The Terrifying State of Cyberwarfare Today

A recent, nerve-wracking report on the current state of information warfare from MANDIANT is enough to send you off the grid forever (hat tip: Wired). While it does not mention the infamous Google-Adobe hack specifically, it's clear that common traits are discussed. I've captured the highlights because of the importance associated with disseminating this material far and wide. Even if you're not remotely technical, send it to your company's I.T. chief. Whether you like it or not, your organization is at war.

...These intrusions [against government and corporate entities] appear to be conducted by wellfunded, organized groups of attackers. We call them the “Advanced Persistent Threat” — the APT — and they are not “hackers”. Their motivation, techniques and tenacity are different. They are professionals, and their success rate is impressive.

The APT successfully compromises any target it desires. Conventional information security defenses don’t work. The attackers successfully evade anti-virus, network intrusion detection and other best practices. They can even defeat incident responders, remaining undetected inside the target’s network, all while their target believes they’ve been eradicated...

...Although the U.S. government and defense communities are aware of and countering APT attacks, many victims and targets are unaware and unequipped. Often, these victims of the APT react in a way that does more harm than good.

High-level trending and correlation

Step 1

In every intrusion investigated by MANDIANT, the APT used a consistent exploitation cycle. The attackers typically perform reconnaissance on the target prior to exploitation. Through this reconnaissance, the attackers identify individuals of interest and develop methods of potential access to the target. Targeted individuals range from senior leadership to researchers to administrative assistants.

In multiple cases, MANDIANT identified a number of public website pages from which a victim’s contact information was extracted and subsequently used in targeted social engineering messages.

Step 2

The APT may use several techniques to gain initial access... The most common and successful method has been [through] the use of "spear phishing". The APT attackers target a small number of specific individuals with a spoofed e-mail. For example, if a number of employees recently attended a business conference, the APT attackers might send a spoofed e-mail addressed from a speaker at the conference.

The spoofed e-mail will contain an attachment or a link to a ZIP file. The ZIP file will contain one of several different intrusion techniques:
  • A CHM file containing malware.
  • A Microsoft Office document exploit.
  • Some other client software exploit, like an Adobe Reader exploit.
...The attackers typically operate late in the night (U.S. time) between the hours of 10 p.m. and 4 a.m. These times correlate to daytime in China.

Establish a Backdoor into the Network

The attackers attempt to obtain domain administrative credentials (usually in encrypted form) from the targeted company and transfer the credentials out of the network. MANDIANT identified instances where attackers decrypted the credentials within minutes and used them to escalate privileges, either through a pass-the-hash or other legitimate tool. The attackers then established a stronger foothold in the environment by moving laterally through the network and installing multiple backdoors with different configurations.

The APT intruders use stealthy malware that routinely avoids detection by host-based and network-based security safeguards. The malware is installed with system level privileges through the use of process injection, registry modification, or scheduled services...
  • The malware is continually updated to ensure that it cannot be easily detected by host-based inspection looking for specific filenames, MD5 hashes, or file content searching.
  • The malware uses encryption and obfuscation techniques of its network traffic to make analysis of Command and Control (C2) traffic and data being exfiltrated difficult.
  • The attackers’ malware uses built-in Microsoft libraries, when available, to reduce the size of the executable and other third-party dependencies.
  • The attackers’ malware uses legitimate user credentials so they can better blend in with typical user activity.

Obtain User Credentials

The APT intruders access the majority of compromised systems via valid credentials. They often target domain controllers to obtain user accounts and corresponding password hashes en masse. They also obtain local credentials from compromised systems. They use these credentials to perform NETBIOS log-ons to compromised systems in order to inspect and pilfer data. On average, APT intruders access approximately 40 systems on a victim network using compromised credentials, however MANDIANT has assisted companies with as few as 10 compromised systems and some with over 150. The most commonly-used credentials used have domain administrator privileges.

Install Various Utilities

The APT intruders use utility programs to perform
common system administration tasks [including tools to install] backdoors, dump passwords, obtain e-mail from servers, list running processes, and many other tasks. These utilities are often found on systems that do not contain backdoors. Therefore, we can conclude that the attackers install their utilities by using valid credentials.

Privilege Escalation / Lateral Movement / Data Exfiltration

Once a secure foothold is established, the APT exfiltrate data such as e-mails and attachments, or files residing on user workstations or project file servers. In most cases, the exfiltrated information is compressed using of an archival utility such as password-protected RAR or Microsoft Cabinet File. The data is exfiltrated from the compromised network to a server within the APT’s command and control infrastructure...
  • The use of “staging servers” to aggregate the data they intend to steal.
  • Encryption and compression of the data they steal.
  • Deleting the compressed files they exfiltrated from the “staging server”.
The staging servers are usually identified when a compression utility, such as RAR, is found on the system...

Maintain Persistence

The APT intruders will respond to remediation efforts in order to maintain access to victim networks. As they detect remediation, they will attempt to establish additional footholds and improve the sophistication of their malware.

Trend: The APT Has Become More Sophisticated at Hiding in Normal Network & Host Traffic

APT attackers are becoming more sophisticated in the way they hide command and control protocols in normal network traffic. While some APT traffic is fairly easy to identify, the use of more common user agent strings and better HTTP request headers makes it harder for an untrained eye to detect malicious activity.

The APT is starting to use more randomly-generated information within various protocols to make it harder for a static signature to be developed. Several backdoors use random information within HTTP GET and POST requests that do not match an identifiable pattern; however, the GET and POST headers remain HTTP compliant, so many proxy servers will assume the traffic is legitimate. Thus, detecting malicious activity requires additional knowledge about the network protocol. Advanced regular expressions can sometimes detect the malicious traffic; however, attackers using more than one encryption algorithm effectively scramble the encrypted C2 streams, which makes detection harder.

The APT is also using website domain names and SSL certificates that appear legitimate at first glance. For example, the attackers have spoofed Microsoft, Yahoo! and AOL SSL certificates. They also use backdoors that appear to request a Microsoft Update web page. The attackers are also using a form of HTML comments identified as “ADSPACE” comments. With these comments, encoded commands to the malware are stored after what appears to be a comment for legitimate “adspace” revenue generators. Attackers also use .gif image header information to mask C2 activity as a legitimate file transfer.

Lastly, the APT uses backdoors that communicate over distinct chat protocols. The implant first establishes a connection to the chat service providers, and the attacker then logs into the session and connects. These full-featured backdoors offer the attackers command shells and file transfers to and from the infected machine. It is much more difficult to detect this kind of activity, because the legitimate chat services form a buffer between the victim network and the attacker’s
command and control infrastructure.

APT Malware Trends and Statistics

MANDIANT has identified, collected and analyzed hundreds of unique APT malware samples. A recurring theme is the APT recognizes that being an anomaly in the network leads to detection.

Standard security tools usually do not detect APT malware. When MANDIANT discovers new APT malware, we scan it with the anti-virus and antimalware programs that most organizations use. Of the samples we discovered and examined, only 24% of all the APT malware was detected by security software.

The APT malware “hides in plain sight”. It avoids detection by using common network ports, process injection and Windows service persistence. Every piece of APT malware initiated only outbound network connections. No sample listened for inbound connections. So, unless an enterprise network is specifically monitoring outbound network traffic for APT-related anomalies, it will not identify the APT malware beaconing attempts.

The encryption is not always SSL. We also found encrypted commands sent in cleartext HTML web pages.

Most APT malware is not packed, because packing is relatively easily detected. APT malware that is packed is often more advanced and may contain optimizations or routines that appear to be written directly in assembly language instead of a higher-level programming language. APT attackers that use packed malware are usually more advanced in their skills. They are typically found in more critical targets, such as those with access to more sensitive information.

Because APT malware is difficult to detect, simple malware signatures such as MD5 hashes, filenames, and traditional anti-virus methods usually yield a low rate of true positives. APT malware shares similar characteristics, and profiling APT malware from multiple victims provides the best chance of positive identification.

Trend: Complex Indicators ARE more Likely to Detect Unknown APT-Related Activity


Detecting the APT is incredibly difficult and many organizations are not prepared to effectively identify that they have been compromised. In most cases, initial notification of an APT intrusion originated from a third-party, primarily law enforcement. The primary reason organizations fail to identify the APT is that most of their security devices examine inbound traffic at the perimeter. Most organizations rely solely on antivirus solutions to provide host-based monitoring. In
addition, implementing the ability to monitor internal to internal communications on a network is costly and challenging. In both instances, being able to respond quickly and to deploy APT indicators is difficult, as organizations’ security arsenals are not configured to monitor using this methodology.

Host- and network-based signatures used to detect malicious activity have previously consisted of data like MD5, file size, file name, and service name, etc. Although useful, the lifespan of these type of signatures is often short because attackers can routinely modify their malware to avoid detection. Although those signatures will periodically work to identify attacker activity, MANDIANT has found greater success in adapting specific signatures into what are known as Indicators of Compromise (“IOC” or “indicators”)...

Case Studies


...During 2009, MANDIANT witnessed the APT targeting multiple local, state and federal government entities whose commonality was their access to information related to terrorism. These attacks increased concerns regarding the type of information sought by the APT. One event involved a spear phishing e-mail containing a malicious file sent to multiple individuals from a fictitious account of an executive. A second event involved an attacker who conducted network exploitation that revealed passwords of user accounts with administrator privileges, networked critical assets and network topology. A third event involved data exfiltration of e-mails and attachments containing terrorism-related information.

When collectively viewed, these incidents clearly indicate an effort to satisfy an intelligence gap. The malicious e-mails in the first event were sent to an organization tasked with consolidating local, state and federal law enforcement agencies into a central location to foster information sharing among various levels of government. The second event involved a high-ranking counter-terrorism official whose e-mail account was targeted with pinpoint accuracy. The third event involved data belonging to a government coordinating authority that receives intelligence information from local, state and federal law enforcement. The stolen data was comprised of e-mail communications, e-mail attachments and networked file share directory file structure and file metadata.

...These events show the APT appears to have clear intelligence requirements including, among others, the suppression of internal political threats. Within each of these targeted organizations, persistence mechanisms were enabled so access to the penetrated networks remained. In these cases, the APT persisted through the use of multiple backdoors and sustained access via multiple network command and control channels.

The backdoors were protected with known and/or custom packers. This indicates that the attackers in this instance were using more advanced APT malware. The command and control channels were masked through the use of SSL, custom base64 encoding or custom layered encoding involving XOR and/or base64 combinations.

This case demonstrates that the APT assigns critical targets to the most advanced APT groups using the most sophisticated malware and command and control communication methods. The degree to which the attackers protect their malware rendered traditional perimeter defense techniques nearly ineffective.

Detection is challenging, but possible, with the right team armed with robust APT indicators. The need for a scalable, enterprise, host-based scanning capability and sophisticated indicators looking for components of APT malware is critical to the success of identifying and defending against the APT.

Significant Findings


In the preceding case studies, the attackers used the custom base64 encoding algorithm that was previously observed by MANDIANT at other commercial organizations and defense contractors. In some cases, the attacker used the additional security of encrypting the traffic with Secure Socket Layer (SSL) communications.

This allowed the attacker to better blend in with legitimate network traffic. It also demonstrates that the attackers are constantly upgrading their tools. Based on the tactics observed, MANDIANT believes the attackers use the least secure tool for the job and upgrade only when necessary to avoid detection...

Defense Contractor

...In early 2009, a medium-sized contractor (CDC1) contacted MANDIANT to assist them in remediating an APT intrusion. The victim was provided with a list of over 100 possibly compromised systems by external sources.

The contractor attempted to remediate the attack by wiping and removing only the compromised systems. They brought MANDIANT in to confirm they had successfully removed the compromise from their network.

After a two-day investigation using APT indicators, volatile data analysis and traditional forensics, MANDIANT identified an additional 20 compromised workstations and servers. During the investigation, MANDIANT determined the APT initially gained access to the cleared defense contractor as far back as early 2007. Command and control malware placed throughout the enterprise was identified as having been installed between 2007 and 2009. MANDIANT also identified that additional spear phishing campaigns were conducted between 2007 and 2009.

MANDIANT identified multiple pieces of APT malware that appeared to fit into at least two distinct categories of APT activity. The command and control communications
included:
  • C2 instructions contained in base64 encoded comments on webpages.
  • Multiple web-based protocols that appeared to blend in with normal web-based traffic.
  • Two custom encryption protocols.
  • SSL.
Over time, it became obvious that the attackers continued to upgrade backdoors that were currently in place. In one instance they installed an implant that used a custom encryption algorithm. In a second instance they leveraged the same functionality and incorporated the same exact command set, but enabled more secure communications using SSL. A third capability leveraged the use of a custom backdoor that took advantage of a chat application programming interface (API) to conduct command and control activity. The use of chat sessions allowed the attacker to take advantage of the API while also providing secure log-on and communication capability.

There were several decisions made by the organization that ultimately hindered their ability to fully remediate the situation. To date, due to the rolling remediation, additional assessments continue to identify new systems compromised by the APT. First, the organization decided to immediately disconnect any compromised system.

The problem with immediately removing compromised systems from the network is that it typically alerts the attacker and lets them know an infected system has been identified. This forces the attacker to shift tactics and use a compromised system that may likely be unknown to the victim organization. The attacker will then likely use different malicious software to communicate with the victim network. This makes it very difficult for the security team to investigate and respond to the latest activity when that activity may be new and unknown...

Defense Contractor

In 2009, a large contractor (CDC2) contacted MANDIANT to perform a threat assessment. The objective of the assessment was to determine the extent of APT activity on their corporate network. The contractor contacted MANDIANT because they knew there were problems, but had no way of identifying the scope of the ongoing compromise. MANDIANT deployed MANDIANT Intelligent Response™ (MIR) to sweep the enterprise network of 50,000+ systems.

Additionally, MANDIANT deployed a set of known network-based indicators. Within 24 hours, we identified more than 10 compromised systems. Within days, MANDIANT used deployed indicators to locate a previously known APT backdoor. Network forensics performed on the captured network traffic indicated backdoors were dormant for various periods of time. By reverse engineering the malware, MANDIANT identified that the implants were configured to sleep for anywhere from a few weeks to a few months, with one implant configured to sleep for over a year. This is a clear example of how patient the APT attackers are and indicates the length of time they strategically invest in a victim network.

...MANDIANT identified additional backdoors that contained the ability to communicate via UDP and TCP network protocols. The malware also contained features that allowed it to operate in an environment where various proxies exist. The implant had the ability to “sniff” network traffic for packets containing “Proxy-authentication” headers. Once identified, the backdoor dynamically generated proxy credentials that allowed the backdoor to successfully communicate with its APT operators.

A second type of APT activity revealed that the attackers used modified base64 encoded commands within comments on a legitimate web page. Through the encoded commands, the compromised system downloaded a total of seven malicious files, including two additional backdoors and the RAR archiving program...

...One unique capability of the additional two backdoors was the ability to self-destruct. If the backdoors could not reach their intended destination, they would remove themselves from the system. The backdoors did not leave any additional backdoors or any traceable system modifications. As a result, the malicious files were more difficult to detect.

A third set of APT activity discovered three versions of malware with version information embedded within an encrypted Windows registry key. MANDIANT identified version revisions and was able to clearly identify additional features bundled with each subsequent version. These features included command and control channels over HTTP that subverted network proxy through supplying valid network credentials...

...A fourth set of masked web traffic was discovered during APT sweeps. When the backdoor beaconed to the attacker’s external command and control server, the HTTP request seemingly requested a web page associated with Microsoft Update; however, the APT’s server was not a legitimate Microsoft Update server. The APT’s software on the server interprets the inbound request for the Microsoft Update page and translates the requests into commands. None of the web pages legitimately existed on the APT server.

There are three types of requests that the command and control server would initiate:
  • Command request beacons: One web page request represented command request beacons from compromised systems.
  • Initial connection requests: Another request represented the initial connection from the APT’s command and control server to the compromised system, indicating the APT was active on the server.
  • This returned various host-based information from the compromised system to the command and control server.
  • Command initiation: The last request passed commands from the APT’s command and control server to the compromised system. Depending on the request, the contents may or may not contain encrypted data with a custom encoded key.
This type of command and control traffic has been detected through the validation of legitimate traffic, such as checking for Microsoft Update activity against known Microsoft net blocks, to check for oddities...

This is only an excerpt of the report. For complete details visit the MANDIANT website.

It's not an option to pretend the threat doesn't exist.


Reference: "MANDIANT M-Trends - The Advanced Persistent Threat", 2010. 1st Edition. MANDIANT Corporation.

3 comments:

Whitehall said...

I'm told that my company, a medium sized nuclear engineering firm, gets 100,000 instrusion attempts per day.

Yes, cyberwar is a very real threat.

Anonymous said...

Wouldn't the problem be much alleviated if all public facing servers booted read-only (off of CD)? Or if they were running virtual, if they had their image refreshed every day?

This could even help desktops; look at all the fully functional LiveCD Linux desktops around.

You can't inject malware into a read-only filesystem.

Anonymous said...

The anonymous poster makes the mistake of assuming malware has to write to disk. While writing to disk may be incredibly useful for it's persistence mechanism, malware can definitely exist in memory only.