Saturday, November 24, 2012

Red Sky Weekly - Anatomy of an Attack

Thanksgiving and Black Friday mark the start of the holiday season --bringing not only scrums for $97 televisions at Walmart, but also exponential increases in online activity. During the next several weeks, lasting until roughly the second week in January, more retail dollars will flow than any other time of the year. What’s this mean to you? Willie Sutton once said when asked why he robbed banks “That’s where the money is”. Why will hackers be out in force? Now is when the money flows.

What do these attacks look like? This week, a report detailing an incident at a state government victim was posted (leaked?) to the Internet. While there is no evidence (that I can see) of APT activity (bad guys paid by a government to steal information), this is clearly a targeted event carried out with purpose over the course of several weeks using multiple accesses ranging from backdoors to legitimate (but stolen) credentialed accounts. The organization owning the victim network moves a lot of money, and is responsible for protecting privacy information for millions of people.

In this case, the victim had been notified by a law enforcement agency that the privacy information (PII) of at least three people had been identified as stolen (this is probably the most common way of finding out about breaches such as this --someone else usually tells the victim).  A consultant was called in to identify the extent of losses, figure out if it was ongoing, and create remediation plans.

According to the report, the attack went something like this:


  1. The initial attack vector was confirmed as phishing emails, delivered on August 13, 2012. At least one user clicked, compromising the network and likely yielding the first captured credentials.
  2. Fourteen days later (8/27), the attacker entered the network, logging into a Citrix server (remote access) using credentials obtained (probably) during the initial August 13th breach.
  3. On the 29th, the attacker reentered the network, releasing tools designed to capture other user credentials on six additional servers.
  4. Between September 1st and the 4th, the attacker executed additional tools to capture Windows credentials. Additional tools were used to create ‘backdoor’ capabilities. The attacker used the new-found bounty to perform reconnaissance on other parts of the network.
  5. After roughly a week, the attacker performed additional reconnaissance on the network, until finally...
  6. Over the course of three days in mid-September, the attacker copied database backup files to a staging area, where they were compressed into 15 encrypted 7-zip files. The attacker then moved the files to another server (presumably their own) before deleting them from the staging server.

The attack resulted in compromises of at least 44 systems. (One member claims the cost of fixing each server is roughly $10,000. At that price per machine, this incident cost, at a minimum, $440,000, but likely significantly more. This is a very public breach.)

  • One had a ‘backdoor’ loaded, three had database backups or files stolen
  • One server was used to remove data from the network, but 39 systems were accessed by the attacker during reconnaissance or password captures
  • Roughly 75 GB of data were compressed into fifteen 8.2 GB 7-zip files and (presumably, although not confirmed) removed from the network (we must assume these files contained information related to revenue generation and capture in the state, although the report does not mention losses of any privacy information)

  • Fourteen of the files contained 23 database backups, one contained roughly 1200 files related to the encrypted version of the data encryption key
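
One way a defender could hunt for the staging behaviour in step 6 (many 7-zip archives created in one directory over a few days, then deleted) is sketched below. This is an added example, not code from the report or from Red Sky; the event format, host names, paths, thresholds and the function names `parse_events` and `find_staging` are assumptions, and the sample events are constructed.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed file-audit events: timestamp, host, action, path, size in bytes.
# Hosts, paths, dates and sizes are invented for this example.
SAMPLE_EVENTS = r"""
2012-08-01T09:00:00,APP-STAGE,CREATE,D:\Temp\upd\old.7z,100000
2012-09-12T01:10:00,APP-STAGE,CREATE,D:\Temp\upd\db01.7z,8200000000
2012-09-12T02:00:00,FILE02,CREATE,E:\Backups\nightly.7z,1500000000
2012-09-12T03:40:00,APP-STAGE,CREATE,D:\Temp\upd\db02.7z,8200000000
2012-09-12T10:00:00,WEB03,CREATE,C:\Users\jdoe\Downloads\tools.7z,4000000
2012-09-12T10:05:00,WEB03,CREATE,C:\Users\jdoe\Downloads\docs.7z,9000000
2012-09-12T23:15:00,APP-STAGE,CREATE,D:\Temp\upd\db03.7z,8200000000
2012-09-13T02:05:00,APP-STAGE,CREATE,D:\Temp\upd\db04.7z,8200000000
2012-09-13T22:30:00,APP-STAGE,CREATE,D:\Temp\upd\db05.7z,8200000000
2012-09-14T01:20:00,APP-STAGE,CREATE,D:\Temp\upd\db06.7z,8200000000
2012-09-14T04:00:00,APP-STAGE,DELETE,D:\Temp\upd\db01.7z,0
2012-09-14T04:01:00,APP-STAGE,DELETE,D:\Temp\upd\db02.7z,0
2012-09-14T04:02:00,APP-STAGE,DELETE,D:\Temp\upd\db03.7z,0
2012-09-14T04:03:00,APP-STAGE,DELETE,D:\Temp\upd\db04.7z,0
2012-09-14T04:04:00,APP-STAGE,DELETE,D:\Temp\upd\db05.7z,0
2012-09-14T04:05:00,APP-STAGE,DELETE,D:\Temp\upd\db06.7z,0
"""

# Matches single archives (x.7z) and split volumes (x.7z.001).
ARCHIVE_RE = re.compile(r"\.7z(\.\d{3})?$", re.IGNORECASE)


def parse_events(text):
    """Parse the CSV audit format assumed above into time-sorted dicts."""
    events = []
    for ts, host, action, path, size in csv.reader(io.StringIO(text.strip())):
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "action": action.upper(),
            "path": PureWindowsPath(path),
            "size": int(size),
        })
    return sorted(events, key=lambda e: e["time"])


def find_staging(events, min_archives=5, window=timedelta(hours=72),
                 min_total_bytes=10 * 10**9):
    """Flag (host, directory) pairs where many 7-zip archives appear within
    `window`, and report how many of them were deleted afterwards."""
    created = defaultdict(list)   # (host, dir) -> archive CREATE events
    deleted = defaultdict(dict)   # (host, dir) -> {path: delete time}
    for e in events:
        if not ARCHIVE_RE.search(e["path"].name):
            continue
        key = (e["host"], str(e["path"].parent).lower())
        if e["action"] == "CREATE":
            created[key].append(e)
        elif e["action"] == "DELETE":
            deleted[key][str(e["path"]).lower()] = e["time"]

    findings = []
    for key, creates in created.items():
        creates.sort(key=lambda e: e["time"])
        best, start = [], 0
        # Sliding window: largest burst of archive creations inside `window`.
        for end in range(len(creates)):
            while creates[end]["time"] - creates[start]["time"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = creates[start:end + 1]
        total = sum(e["size"] for e in best)
        if len(best) < min_archives or total < min_total_bytes:
            continue
        # Archives removed after creation suggest cleanup of the staging area.
        removed = [e for e in best
                   if deleted[key].get(str(e["path"]).lower(), datetime.min) > e["time"]]
        findings.append({
            "host": key[0],
            "directory": key[1],
            "archives": len(best),
            "total_bytes": total,
            "first": best[0]["time"],
            "last": best[-1]["time"],
            "deleted_after": len(removed),
            "cleaned_up": len(removed) == len(best),
        })
    return findings


if __name__ == "__main__":
    for f in find_staging(parse_events(SAMPLE_EVENTS)):
        print(f)
```

The thresholds are tuning knobs: a routine nightly backup or a user's couple of downloaded archives stay below them, while a multi-day burst of large archives in one directory followed by deletion stands out.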

Over the past months, you’ve read about Fusion Reports. The Fusion Report is a compilation of all information known about the attack --taken from one victim or multiple victims in the Red Sky Alliance, or externally when data is available. The Fusion Report is a two-part report:

Part one is authored in prose; intended to show our work and tell the story of the attack(s), much like shown above.

Part two is mitigation. Red Sky Analysts author snort, yara, etc., signatures when we can. Artifacts --file names with full directory structures, including file hash values and other metadata-- are included, and “Kill Chain” formatted indicators are presented in a final tabular format. A sample is shown below. The idea is that Alliance members should be able to take information from any of our reports and cut/paste information distilled from reporting into highly actionable information that any member can act on today.

In this case, the kill chain information might look like Table 1 (completely fictitious; please do not attempt to use):

Table 1: Sample Fusion Report indicator list

So here’s the deal. Remember Willie Sutton? There will be more retail transactions in the next few weeks than any other time during the year. Retailers will lose money as a result of cyber shenanigans. In addition to retail losses, the added noise on the networks will create opportunities for others to steal information from non-retailers, and to top it off, kids all over the world are home for the holidays, so the kiddie scripters will be active too (they always are over Christmas vacation!). Wouldn’t it be nice to be getting fusion reports, each containing hundreds of indicators from the Alliance --before you are attacked? The only way you can is to join.



Red Sky = private
Corporate members only


Beadwindow = Private | Public
Many of our private corporate members + government members

Drop us a note. Join us now.


Until next time, have a great week!
Jeff

Monday, November 19, 2012

Academic Services Division

Two items for the blog.  First, with Thanksgiving this week I'd like to say thank you to all our members of the armed services both present and past and to all first responders and people who will give their time and effort to keep us safe.  Many of us are generally quite comfortable and it unfortunately takes an event like Sandy to make us realize what these people do for us.  Red Sky has a commitment to helping our veterans transition to civilian life by working with any of them who would like to work as data analysts.  If your organization can do anything to help, I ask that as a way of saying thank you, you consider qualified veterans.  Red Sky is developing a relationship with the Wounded Warriors Project but your company should feel free to work with an organization that best suits your needs.

Second, I was reading this week on various sites about the recent Iranian attack on American banks. When the attack was going on I was at a meeting in a bank relating to advanced persistent threats. As I read about the attacks, it seems that it began with hackers getting into the computer network at the University of Michigan's Engineering School (see link below) by using little-used ports.

As the Director of Academic Services, I work with colleges and universities as well as non-profit and government agencies in protecting their networks. By getting into the commercial world through a university, it highlights that all our networks are intertwined more than we sometimes realize. The openness of academia makes it an ideal place to get into other networks.

Red Sky is based on the simple concept that intelligent people working together can achieve more than any one person alone. I invite you to contact me concerning Red Sky's Beadwindow to discuss our common areas of interest and better protect all our networks.

Dave Chauvette

University Of Michigan and Iranian Cyber Attack

http://cognitionemission.wordpress.com/2012/10/15/iran-used-university-of-michigan-network-to-launch-cyber-attack-against-u-s-financial-system/


Saturday, November 17, 2012

Red Sky Weekly - 11/17/12

It was another busy week. This Thursday we saw more malware submissions to the portal -- the most we have received in a single day. While many submissions stop at automated analysis, many also undergo human analysis by either Red Sky or members of the Alliance. One of the pieces submitted on Thursday included an unknown variant for which we performed same-day protocol analysis. This resulted in a tailored signature for identifying the encoded communications. 

This week:
  • Fusion Report 31 was released and details a new variant of a previously observed downloader. The report provided analysis on probable targeting requirements for the actors and included four new snort signatures for detecting the unique user agents generated by the malware.  This was a really good example of what we’re trying to do in Red Sky Alliance and in the Beadwindow portal. Hit with malware --we handled it nicely --our MAG device is supposed to be able to process up to 40K pieces per day.. we’ve not exercised that yet but maybe someday. FR-31 was tipped off by malware, but the report offered a number of new indicators and what we believe the actor was actually trying to find in the network. If you knew ‘where’ you needed to protect as well as ‘how’ you could protect it, wouldn’t that be of value? Of course!
  • This week we attended FedCyber. It was great running into folks I'd worked with in the government. Thanks to Bob Gourley for the invite!
  • Red Sky attended SAGE in Portland, ME and Vistage in Boston. Vistage is a CEO group, but SAGE is a security group and resulted in several requests for Red Sky Alliance introductions.

Last, we’re honoring our Founding Member prices through the end of this year. After that, they’re gone. While most will not be brought into the Advisory Board, the price holds through 12/31. We’re accepting full members and associate (vendor) members at 2012 prices. Don’t wait.

Until next week.
Jeff

Saturday, November 10, 2012

Red Sky Weekly - New TTP detected by Beadwindow member!

This week will mark two milestones --our active user-adoption is at an all time high and Fusion Report 30 is about to be released. As with every social network, there are ebbs and flows, however this week the flow has hit a record rate. We hope the momentum will continue. Saturday will see the release of our 30th fusion report which will detail a previously unobserved TTP and C2 protocol. To date we have reported on over 10 different threat actors and have built out a solid profile of several of the more active groups.

If you haven’t been able to tell, I’m really excited! I haven’t been this excited about a major success in one of the portals since earlier this year. We’ve had a ton of ‘wins’ but this week one of our government members posted early indicators and pcap of a TTP shift in the Beadwindow portal. That information generated incredibly active discussions in the portal --crowdsourcing. Everyone brought a piece to the table until in the end, the new TTP was validated and shared.

So major activity this week:

  • Beadwindow was on fire with activity surrounding a TTP shift. The information was shared with the private portal, prompting several of them to jump into the conversation on Beadwindow
  • Red Sky received a submission from a non-member which led to the discovery of more activity utilizing Windows Credential Editor to steal Windows creds (does anyone know when this will be fixed in Windows?)
  • A piece of malware that our folks have struggled with for the last couple of weeks finally broke and gave up the booty --a previously unknown (at least by us) TTP and C2 protocol

Interestingly enough, this stuff really demonstrated what I think is the value of Beadwindow. Our submitter is a state government guy who used our Norman MAG2 malware analysis tool, bounced findings and ideas off of our Red Sky Alliance technical lead and analyzed the targeted cyber events by interacting directly with the mature, APT-hardened information security teams in large private companies --and they’re helping him protect his networks --and he’s given them something to protect theirs. This is exactly how Beadwindow is supposed to work.

Before I forget, if you’ve not been mailed directly, we’re honoring our Founding Member prices through the end of this year. After that, they’re gone. While most will not be brought into the Advisory Board, the price holds through 12/31. We’re accepting full members and associate (vendor) members at 2012 prices. Don’t wait.

Until next week. Hopefully I’ll see some of you at FedCyber!
Jeff

Saturday, November 03, 2012

Epic week in Red Sky!

Despite the storm, it was very busy in the portal this week. Red Sky staff and member analysts participated in crowd-sourcing various targeted malware. We also posted relevant details on two ongoing large-scale Blackhole campaigns which were sourced by our Beadwindow members and are now being corroborated by the private member analysts. Fusion Report 29 will hit the press this weekend and describe a highly targeted incident which leveraged a backdoor that was specifically tailored for the target environment. The malware is not a known variant so the report will include a detailed analysis for future mitigation and correlation.

Beyond that, membership continues to grow! We picked up four new global members this week --a gas and oil company, a large player in the networking community, a new financial institution, and another global internet provider! Data is moving nicely as we round out the last quarter of our first year in operation. 

We’re in planning mode for 2013. Membership projections are looking good. We've got bookings already staged for next year, and we're looking for member feedback on several new features that might include full mobile access, real time encrypted communications, unified messaging, and semi-automated analytics to help reduce some of the manual burden of farming, correlation, and repetitive tasks.

Last, but certainly not least, our intern is preparing to fly the coop. He’s our first, and has ranked out in the top 10% of our peer reviewed analysts since starting with us in March. As a result, he’s currently listed as provisionally “Red Sky Certified” (RSc)*, and will qualify for one year certification in March if he sticks around that long. He graduates in December, and as promised, we’ve referred him into two member companies, and to make sure we align with his long term goals, we introduced him into a third, non-member company. I’ll let you know where he finally lands, but this is very exciting. We’ve narrowed down next year’s crop of interns to four, and will be working them through a filtering process over the next couple of weeks. Interested in learning cyber analytics in the APT space? Drop our Academic Director a note.

Until next week!
Have a great weekend!
Jeff


* Red Sky certified (RSc) is granted provisionally after two quarters of ranking in the top 10% of all peer reviewed analysts in Red Sky. Four consecutive quarters of top 10% peer reviews earns one year of Red Sky Certification. Three years certified makes it permanent.

Thursday, November 01, 2012

Beadwindow is growing!

We kicked off our "Beadwindow" portal a couple of months ago with the idea that we could give government participants a place to quietly share notes with the private sector companies in the Red Sky Alliance.  While participation isn't as strong as we see on the Red Sky private portal, we are seeing growth as a result of a couple of new features:
  • Beadwindow users enjoy access to our Malware Analyzer: Imagine working in an information security shop and not having access to a malware analyzer! One of our top community analysts has probably pushed 150 malware samples through our MAG2, and tells us it saves him a ton of time every day. In an average processing time of less than a minute, he learns very quickly, which code, URLs, or documents are bad, and if so, how he can block the C2 before losing any more data. He then takes the analysis from our analyzer and starts looking for other instances of the same code in his network. 59 second average triage malware analysis time and expert assistance from our back-end team if needed. Where else can he go to get that?
  • Cross portal communications: As of today Beadwindow users can now tag a question to be posted to the Red Sky private portal. This is especially useful when comparing notes between the two. We've had a couple of cases, even in this short period of time, where activities in one also targeted folks in the other. The benefits have been incredible. A direct result of this is two new Red Sky private portal users have requested (and were given) accounts on the Beadwindow portal. 
  • Beadwindow users get the same direct access to Red Sky analysts as the private portal -this means full length unclassified Fusion Reports based on actual cases you're talking about in the portal, with easy to use, high confidence actionable indicators that can be cut and pasted directly into your own sensors.
Join the conversation! Federal, State, Local, or tribal, we don't care. Take advantage of the Beadwindow analytic capabilities and embed Beadwindow into your daily routine and incident response processes. We've created special rate plans for government and academic users who would like to participate in Beadwindow. So, if you'd like to 'poll the audience' all you have to do is ask!

Last, looking for training?  Are you an analyst with training in another discipline who's just jonesing to get into cyber but can't seem to catch a break?  We've got three interns signed up for 2013 and one more possibly on the way, but we're always looking for wounded warriors or other folks who might have crazy m4d research, analytic and writing skills but need to be taught cyber. Red Sky and Beadwindow are now offering a training program for those who are willing to commit and study hard. Once completed, if you do well, we'll introduce you to our membership for your next job. Our first Intern is going through the process as we speak. Interested? Drop me a note or contact our Director of Academic Services directly.

Jeff

Saturday, October 27, 2012

In their own words... “Red Sky Rocks!”

Analysis centers, CERTS, DCISE --we all go through periods where activities slow. Summer, holidays.. we all go through it. Summer for us was no different. The portal could have been more active, but started coming back right after Labor day, and grew steadily through September and October. We’re full-out busy now. While we knew it’d get busy again, it still makes me nervous. I try my best to keep my finger on the pulse of the membership. Are we doing ok? Have members stopped seeing value? Where is everybody? So we asked the question... are we doing ok? We received some really nice responses that I thought I might share:

“Good stuff happening here.  Red Sky Rocks!”

“We’ve decided to make a commitment. We love the analysis and reporting!”

“I’m not much for words. I will say this. Beadwindow makes me a better analyst.  Red Sky makes me a faster analyst.  Having access to the MAG2 creates a repeatable triage process for our Abuse, Malware, and Threat Intelligence. The MAG2 is my go to tool for exploring malware, suspected phishing attempts, and researching new threats.  I suck every bit of intel I can out of the reports provided from the portal and information from the MAG2. Having access to the tools and expertise (Chris H.) provides me a level of comfort that I have only experienced professionally when I was at DHS SOC.  As my organization moves forward with our 24/7 capabilities I can only see us asking (begging) for more users to help augment our staff at the State of M....

“Without a doubt the SOM [sic] is safer today (and tomorrow) because of membership and participation in Beadwindow from RedSky.”

In my last job, I’d tell my boss and team that I like to deliver body blows. What’s that mean? In boxing, a knockout punch might be delivered in one out of every fifty blows (or more). Body blows have the same effect (winning) but are easier to deliver, provide a larger target, and have an amazing effect when delivered consistently, time and time again... They just take a little longer. Knockouts require one good punch. Body blows require focus, persistence and patience, and while the first blow might not feel so bad, they wear the opponent down over time until, finally, the opponent succumbs. Red Sky and Beadwindow are delivering body blows.

We focus on doing one thing right, over and over and over, while talking with our members to ensure we’re delivering value --over and over and over. We bring in great companies who have mature infosec teams who’ve developed processes for dealing with the new threats; we encourage conversations during incident response; we offer tools to help with analysis, and then we boil those conversations down into fast-turnaround analysis reports with highly relevant, actionable information that can be cut and pasted out of the report and straight into your defense-in-depth. Others coming in maybe aren’t so mature, but seem to be hungry and ask questions. That’s great too! We WANT you to learn how to defend yourself. And when you don’t know what to do with the information, just ask. All of our members are peer reviewed. It’s about delivering high quality products every time, every day, over and over and over. Body blows.

It’s funny. I’m sitting here typing this as I discuss with my daughter if she’s going to the Halloween dance. The only thing running through my mind right now is “Don’t be a wallflower!” I’d say that to all of you who’ve been standing by the sidelines waiting to see if Red Sky was going to work. While we’re not doing Founding member certificates anymore, we are honoring Founding member pricing through the end of the year. Don’t be a wallflower. Drop us a note. Schedule a demo.

Until next week, have a great weekend... and please, if you’re in the path of Sandy, stay safe!

Jeff

Saturday, October 20, 2012

Red Sky Weekly - From the users perspective...

From the users perspective...

This week we released Fusion Report 27. FR12-027 contains analysis on the Citadel Banking trojan to include details on how the malware encrypts communications and behaves differently in a virtual environment. While this activity was not targeted in nature, the malware appeared to be widespread and affected users in both of our Red Sky and Beadwindow communities. This prompted me to think... what does a typical user think about simple intrusions like this one?

To that, I took the opportunity this week to have great conversations with users whose machines had been victimized during various events. I wanted to bring this back to a “human” perspective and write this week’s blog and talk a bit about how users react when their computer starts to act funny. These are great observations. Infosec folks should pay attention. This is important. Here are a couple of observations and thoughts:

Users are becoming numb



This user, deep in work, checked his email, never suspecting that simply previewing email might launch a host-side attack, allowing the attacker access. The problem started with the bluetooth being turned on on his computer without his taking any action. The user simply closed the laptop assuming the operating system was acting up. Small issues, when noted on computers running multiple applications don’t mean much. One issue, when seemingly cleared up on reboot is far less trouble than contacting the helpdesk.

Agents on enterprise computers do funny things

When your computer slows down for no apparent reason, a typical user chalks it up to bad bandwidth, or all of the agents running on a computer. Antivirus slows performance, as do other agents running. Many applications fire up the webcam momentarily to gain situational awareness for later use, and contact lists are routinely updated, exported and interact with social networking sites --all creating small ‘glitches’ that are normal, but make real ‘gotchas’ seem normal too. Users can’t tell the difference.

Spearphishing and waterhole tactics are invisible

Does the human have the advantage when identifying spearphished emails before they infect their computer? I’d argue not. What about waterhole attacks where frequently visited websites are poisoned in hopes users would stop by and become infected without knowing? Absolutely users are at a disadvantage. Users must take responsibility for their actions, but many, many of these attacks are designed to get past the user or infect their computer when they visit their favorite web page.

It’s easier to reboot or work through it

What’s more important, worrying about the obscure chance that someone is in your computer, or meeting the deadline? We work all hours day and night, and the inconvenience of something happening (for reasons known or unknown), simply means a little extra work or inconvenience. The dedicated user works through it, waiting to see if it worsens. If so, they might contact the helpdesk or Infosec, but heck, we’ve got an Infosec team and they’re watching anyway, so if there’s really something wrong, Infosec will call.. right?

Bottom line: Users are learning to live with risk. Agents running on machines, the constant threat of bad email, and simple enterprise issues that arise daily are all causing users to work through the pain.

Users don’t know how to prioritize those risks that might really be stealing information, or how to recognize the symptoms. How do we reach them? I’m interested in your feedback and thoughts.

Thoughts?
Jeff

Saturday, October 13, 2012

Suspected Palestinian malware? Why a Red Sky Associate Membership?


We sent folks to training in Vegas this week, one to Marine Corps drill weekend, another heading for a week off in Steamboat, and me holding down the fort. So, no published Fusion Reports this week. We did however have some interesting threads and analysis via the portal. We analyzed our first suspected Palestinian malware specimen which consisted of an open source RAT. While the malware was not unique, we did derive tailored mitigations to protect against future attacks from this tool. Additionally, an Associate member used their resources to help identify a substantial amount of related infrastructure which was reported out to the members.

… This is a great example of why Red Sky welcomes certain vendors to the table. We call them Associate Members, and we believe that they, if they can do what they say they can do, should be rewarded. When vendors bring great analytics to the table, like we mentioned above, and the membership sees the value in their offerings, they get rewarded -through peer reviews, networking in a great community, and exposure. We don’t allow active selling, nor do we tolerate ambulance chasing, but we do believe that vendors were probably operational security folks at one point too, but now they’re entrepreneurs in the infosec space. Just like turning management, we lose a little bit of our operational skill and situational awareness every day we’re not pounding a keyboard and scouring PCAP for the nuggets. Smart folks who chose the entrepreneurial path lose their edge as well. So in Red Sky, vendors get the benefit of being analytic members of the community. They pay a fee for membership, must pass the advisory board, and then play by the rules. In exchange they get to participate in a forum where some of the best minds in some of the best infosec teams are looking at some of the hardest problems. They participate like any other analyst, get peer reviewed like any other analyst, and are rewarded by showing off their wares. There is no better way to show what your products/services can do than to actually do it... and there’s no better way to buy, than to see what it can do first.

This week we observed our first occurrence of targeted activity which was independently reported from both Beadwindow and Red Sky members. This is to be expected and just goes to show that while we have two separate communities, the threat is sometimes the same. This activity will be detailed in an upcoming report to be released to both communities.

Those of you who know me know I’m a ‘keep it simple stupid’ kinda guy. All the data in the world, even when aggregated smartly, should never be implemented in your network without evaluating it first. So while aggregated security data may look great on paper, it still needs evaluation locally before implementing --locally meaning by your infosec team. How much time does it take to validate indicators in a security aggregation feed? My personal opinion is this... I’d rather ask someone smarter than me if the data was useful to them before I implement. I’d like to know what others found and of any lessons learned. There are two companies I’ve seen who I believe do aggregation well -they come at it from different perspectives. One is malware as the tripwire for aggregation and the other begins the process with browser-based data. Both offer real good perspectives on hard problems, but, there is a lot of malware out there, and there’s a lot of host based badness out there. Can you implement a steady stream of potentially hundreds of thousands of indicators on your network and in your host based IPS in near real time? Could you evaluate all of the data coming from them? How much labor would that cost? Me? I’d rather ask someone else how they did it, and then do it my way using their lessons. That’s what Red Sky and now Beadwindow are all about.

Why do I mention this?

I had a call this week with a large enterprise company -pretty typical of the companies that we work with on a daily basis. This company had been an ‘anchor’ in another information sharing environment. The guy I talked to told me he’d dropped his membership in this other group, and asked what Red Sky does differently. It was interesting to me to hear about this one group. The claim (as they all seem to be) is aggregation of the meta-data associated with APT activities. I like to call this “Utopia” (I didn’t come up with this, a friend did), but here’s what I know. I’ve been tracking Utopia for many, many years. So far it doesn’t seem to exist. Me? I’m going to use my phone-a-friend. And yes, this company will continue to be attacked, and continue to receive aggregated open and premium sourced (ahem) security intelligence feeds, and yes, *I believe* we’ll be seeing that ‘anchor’ company joining Red Sky soon.

It’s not always about tech. Sometimes it’s about people.

Have a great weekend!
Jeff

Saturday, October 06, 2012

Red Sky Weekly: What lies behind the DDoS?

Interestingly enough, I’ve got folks now sending me inputs for the portal, but they’re not members. Their management probably doesn’t know that they’re sending me good information, but they (the practitioner level) know they need help and one of the best ways to get help is to ask.

This week I received a call from a large credit card company wanting to know what Red Sky knows about the DDoS attacks. While we don’t much track DDoS, we do track activity going on in the noise. So one thing I can tell you is this.. while the DDoS got the press because of potential geopolitical connections, the real story is what was going on behind the noise. So let’s try this:

  1. Major changes in the way one fairly prolific (economic espionage focused) group does business ---and a resulting uptick in their activity during the DDoS activities.
  2. Two others (both non-members) wanted to know what we knew about malware used to steal accounts and money from banks. Evidently there was an uptick there too.
  3. Did anyone else find it interesting that the DDoS attacks seemed to go quiet during a Chinese Golden Week?
  4. This week we released Fusion Report 26 which details a new variant of downloader leveraged by a known threat group. The report also included information on the potential targeting of 13 additional entities ranging from  government organizations to defense contractors. We provided a targeted analysis on the inner workings of the new malware and a tailored signature for identification of it on the wire. FR12-026 provided over 60 new indicators and artifacts for proactive defense.

Our answers to those questions resulted in two new membership packages being sent out, and two new applications both now in legal review of our terms and conditions. This is exciting stuff. What’s even more exciting is that at least three CISOs that have moved to new positions are buying Red Sky accounts almost immediately upon arrival at their new jobs. One of them (who just left a defense contractor) told me he’d made it a condition of his employment! How freakin cool is that!?

I’ve got a bunch of consulting work this week, and will be attending DARPA’s Plan X and then the i4 Conference in DC next week, so I’m hitting the road today. I’ll be driving for about nine hours, so if you want information about Red Sky, Beadwindow, or our Research Service, give me a call. It’s a long drive!

Until next week,
Jeff