
1

Abusing “Accepted Risk” With
3rd-Party Command and Control
(C2)
Justin Warner
Jon Perez

2

$whoami
Justin Warner - @sixdub
■ Computer Science grad from USAF Academy & former USAF Cyber Guy
■ Former: Red Team Lead w/ Adaptive Threat Div
■ Current: Principal Security Engineer at ICEBRG
■ Co-founder of PowerShell Empire and contributor on numerous open-source projects
■ BlackHat USA Instructor in 2015 & 2016

3

$whoami
Jon Perez (JP)
■ Army Veteran and part-time grad student
■ Former: Army Cyber Ops Specialist
■ Current: Security Research Engineer at IronNet Cybersecurity
■ First time conference presenter (be kind)
■ True tinkerer who spends his free time diving head first into malware and malicious network flows

4

Disclaimer
■ We are not data scientists
■ We are not mathematicians
■ We are not all-knowing
■ We are amateurs/n00bs
■ We have not seen your networks
• Although we have seen many like it
■ We are not the first people to research these techniques

5

Hold Up...
What is this about?!

6

Who Are The Adversaries?

7

Methods of Infrastructure
■ Utilize paid services
• DigitalOcean, AWS, Azure, etc
■ Utilize bare metal
• Buy dedicated servers around the world
■ Utilize previously compromised infrastructure
• Hack people to hack other people
■ Utilize 3rd parties
• Utilize techniques to bend traffic in “legitimate” ways

8

Break… It… Down
“Accepted Risk” of allowing various services
■ Organizations are constantly fighting the battle of risk vs reward
• Workplace culture and satisfaction
■ Do the technical controls match policy rules?
■ Some services are considered productive vs traditional social media
Let me illustrate this for you…

9

When Did This Become Okay?
Diagram labels: CTO, CIO, CISO, Network Security Team

10

Break… It… Down...
“3rd Party C2”
■ The use of neutral services as a means of C2
• Uses API or programmatic interaction
■ Useful throughout the kill chain

11

Put It Together
“Social media and storage services are a must for my standard users and marketing team”
(Reward > Risk) ∴ Adversaries Abuse Services

12

Real World Case Studies
Lessons from “the field”

13

Case Study #1: APT 29 & Twitter+Github+Stego
Diagram labels: git.io/vHegd, #viper098, exfil.ps1

14

Case Study #2: Icoscript Malware & Yahoo Mail
Diagram: the malware decrypts a “script” from an .ico file and uses an IE COM object to drive a Yahoo Mail account with fake user interaction; it checks the inbox for commands and sends email w/ exfil.

15

Case Study #3: CloudAtlas & CloudMe
Diagram: implant activities over a WebDAV connection to webdav.cloudme.com<Username>CloudDrive; encrypted C2 & exfil stored in per-victim folders.

16

Case Study #4: Random Phish & Google Forms
Diagram (steps 1, 2, 3): system survey w/ WMI & environment: Win32_Processor, Win32_OperatingSystem, ENV variables USERNAME, COMPUTERNAME, USERDOMAIN

17

Threat Replication
… and how we can do it!

18

What is Adversary Emulation?
■ A type of red teaming that focuses on the emulation of a specific adversary
• Utilize intel to model the adversary
• Highly realistic tools
• Attempt to behave as they have before
• Works against networks and products
■ Some weaknesses to this approach
• Risk of handcuffing the red team
• Easy to study tools, hard to emulate tactics/techniques (lack of real intel)

19

Existing Tools
■ Surprise… we are not the only ones doing this:
• GCat - Shell over gmail
• Empire 2.0 - Able to do custom C2 modules including 3rd party apps
• DropSmack - C2 over Dropbox sync folder
• Instegogram - C2 over Instagram with stego
■ We are using our POCs to prove a point
• Not weaponized
• More time should be spent with realistic IOAs (known unknowns) rather than threat data feeds

20

You: Justin/Jon… I can stop your POCs… I block PowerShell!
Me: Can you block all C exes? How about legit signed C++ exes? How about .dll files? How about py2exe? Can you do so without impacting business? If so, we should talk.
I know you can defeat my POCs.

21

MAKE CALC.EXE GREAT AGAIN!

22

CloudMe WebDav C2

23

Google Mail COM Object C2

24

Google Sheets C2

25

Dropbox API C2

26

Twitter COM C2

27

Detecting Threats
#BigData

28

“I can’t possibly capture that amount of data…”
“How will we be able to parse and process the data quick enough?”
“I don’t even know where all of my endpoints are let alone am I able to collect from them”
“All I end up with is a giant collection of telemetry, what is that useful for… what do we go look for?”
“99/100 times, I spend hours looking at false positives”
I didn’t say this was easy…

29

If User Can Do It, So Can APT
I didn’t say this was easy…

30

Define “Normal”
I didn’t say this was easy…

31

What You Need To Find Evil
■ Wide swath of data with a statistically significant sample size
• Ongoing collection is helpful
■ Collaborative data is helpful (host/net)
• Hunting is easier with a full picture
• SSL termination might give more info but… privacy
■ Ability to rapidly ingest, parse, and analyze data to present relevant information

32

Information Process
Diagram: Raw Data → Information → Intel, driven by context and enrichment

33

Examples of Data Sources (Not All Inclusive)
■ Network
• PCAP / Span off of core switch and egress
• DNS logs or passive DNS
• Netflow
• Proxy logs
• Internal Threat Intel (Sandbox Detonation)
■ Endpoint (eventing is best)
• Process listing events
• Network connection events
• DNS lookup events
• Service add/removal events
• Program install / uninstall events

34

Data Enrichment Sources
■ Data helps you draw a picture but does not turn it into a movie
• Enriching the data makes it significantly more useful
■ Any question you would normally ask about an indicator… someone else has probably thought of it! (Enrich)
• REST APIs
• Free Sources of Info
• Internal Info
■ If not, try to calculate or look up the information yourself (correlate / contextualize)

35

Indicator of Compromise (IOC) vs Attack (IOA)
IOC - Evidence or artifact on a computer that indicates that the system/network has been compromised [breached]
Has been focused on data aka IP address, hash, C2 domain, etc
IOA - Series of actions or events that indicates malicious action is ongoing
Usually chains together data points into an analytic that indicates progression in the kill chain

36

Endpoint Based: Binary Signature Heuristics w/DNS
■ Signature hygiene has significantly increased through the years
■ Should unsigned code be reaching out to the internet? Can we detect on it?

37

Network Based: Timestamp Analysis & Beaconing
■ Assuming you have an analytic to determine periodicity
■ Establish a baseline for nodes in the environment

38

Network Based: API Token & Host Pairing
■ SSL termination is a risk/reward tradeoff
• Let's just assume you do SSL termination and collect metadata or PCAP

39

Endpoint Based: Network & Process Correlation
■ Next-Gen EDR “X” usually has eventing capability (or you can use event logs)
• ETW is a great built-in capability for defensive teams to collect eventing data from the environment!
Should powershell.exe be reaching out to Dropbox API?
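The two endpoint questions above (slide 36: should unsigned code reach the internet; slide 39: should powershell.exe talk to the Dropbox API) answered with one correlation over ETW-style events, as an added example that is not code from the talk. The events, file paths, internal domain suffix and the script-host list are constructed assumptions; the API hostnames are the public ones for the services the talk names.

```python
"""Added example (not code from the talk): join ETW-style process-creation
and network-connection events on process id and flag unsigned binaries that
reach the internet and script hosts that talk to third-party API services.
Events, paths and the internal suffix are constructed sample data."""

# Example allow-list of permitted third-party service API hosts (accepted risk).
THIRD_PARTY_API_DOMAINS = {"api.dropboxapi.com", "content.dropboxapi.com",
                           "api.twitter.com", "sheets.googleapis.com"}
SCRIPT_HOSTS = {"powershell.exe", "cscript.exe", "wscript.exe"}  # assumed list
INTERNAL_SUFFIXES = (".corp.local",)  # constructed internal domain

# Constructed process-creation events (what an EDR or ETW provider would emit).
PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "signed": True},
    {"pid": 5300, "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "signed": False},
    {"pid": 2210, "image": r"C:\Program Files\Dropbox\Client\Dropbox.exe", "signed": True},
]
# Constructed network-connection events keyed by the same pids.
NETWORK_EVENTS = [
    {"pid": 4120, "dest": "api.dropboxapi.com", "port": 443},
    {"pid": 5300, "dest": "api.twitter.com", "port": 443},
    {"pid": 2210, "dest": "api.dropboxapi.com", "port": 443},  # signed client: expected
    {"pid": 5300, "dest": "intranet.corp.local", "port": 80},  # internal: ignored
]


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate(process_events, network_events, api_domains=THIRD_PARTY_API_DOMAINS):
    """Return one finding per external connection whose owning process is
    either unsigned or a script host contacting a third-party API."""
    procs = {p["pid"]: p for p in process_events}
    findings = []
    for n in network_events:
        p = procs.get(n["pid"])
        if p is None or n["dest"].endswith(INTERNAL_SUFFIXES):
            continue  # no process context, or internal destination
        image = image_name(p["image"])
        reasons = []
        if not p["signed"]:
            reasons.append("unsigned-binary-egress")
        if image in SCRIPT_HOSTS and n["dest"] in api_domains:
            reasons.append("script-host-to-third-party-api")
        if reasons:
            findings.append({"pid": n["pid"], "image": image, "dest": n["dest"], "reasons": reasons})
    return findings
```

The signed Dropbox client reaching the same API produces no finding, which is the “define normal” contrast the earlier slides ask for.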

40

Network Based: Flow Abnormalities

41

So What?
Takeaways

42

Wrapping Up
■ Threat actors are creative and will find ways to use your weaknesses
■ 3rd party services make for quick and easy C2 or exfiltration vectors
■ Detecting the use of 3rd party services for C2 is difficult
• Requires foundational network collection
• Attacker activity will often come in a series of behaviors to create a pattern
• Need to look for anomalous activity

43

THANKS!
Feel free to reach out with questions or share ideas…
justin@sixdub.net
johnny.nohandle@gmail.com
Off to the beach…

44

CREDITS
Case Study 1: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
Case Study 2: https://www.virusbulletin.com/virusbulletin/2014/08/icoscript-using-webmail-control-malware
Case Study 3: https://threatpost.com/red-october-attackers-return-with-cloudatlas-apt-campaign/109806/
Case Study 4: @JohnLaTwC (and the real authors)
Slide Template: slidecarnival.com

Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5
