Black Hat Asia 2019: Watch Out for the Secondary Payload
Black Hat returned to Singapore for Black Hat Asia 2019, with four days of Trainings and Briefings plus the Business Hall. Cisco Security is proud to be a Technology Partner of Black Hat in the Network Operations Center’s (NOC) Security Operations. The focus of the NOC is to provide secure and open Internet access to the conference presenters, attendees and sponsors. Many of the trainings, briefings and demonstrations require access to malicious files and domains, so the NOC does not block such traffic. Rather, we focus on the security of the conference assets and on ensuring there are no internal or external attacks that would disrupt the educational and collaborative conference.
Tighter Inter-Vendor Integration
The NOC team continues to work on deeper product integration and workflow, getting better with each conference. Sean Ennis of RSA Security has been building a NOC integration platform on the APIs of the security products, including Ruckus wireless access points, NetWitness Packets, NetWitness Orchestrator, Palo Alto Firewall, Cisco Umbrella, Cisco Threat Grid and a honeypot.
In the interface, the SOC team could search IPs, users, MAC addresses and domains for threat intelligence and start an investigation from the top toolbar. Priority alerts scrolled on the timeline, the classroom map was interactive for security events, and a Cookie Monster ran in the upper right corner. If someone entered the honeypot, the Cookie Monster turned red and started eating cookies, a fun visual cue.
The NOC team thwarted a ransomware attack on the conference registration computers. We are excited to see where the Black Hat NOC “Dashy McDashFace” evolves for Black Hat USA in August 2019.
In 2019, we saw much less cryptomining activity; however, there was still activity that warranted investigation and response. For example, in Cisco Umbrella, we noticed cryptomining activity at a domain pinkvilla[.]com.
We used the glovebox feature of Cisco Threat Grid to investigate the domain and found it provided news on the Bollywood industry, along with scripts used for crypto.
However, it also attempted to exploit Windows machines with a HyperLink buffer overflow exploit.
We alerted the RSA NetWitness team, who replayed the session and found that an iPhone user had gone to www[.]editpv[.]com and was then served content from pinkvilla[.]com. The device was not exploited because the attack targeted Windows.
As we began doing at Black Hat Europe, in Singapore we deployed a security alert captive portal to warn users if their devices showed cryptomining activity.
Unsuspecting Malicious Payload
Cisco Threat Grid is integrated with RSA NetWitness Packets, for network forensics and investigation. The RSA team does full packet capture and its Malware Analysis component sends potentially malicious .exe, .dll, .pdf and .rtf files to Threat Grid for dynamic malware analysis.
During the Business Hall, the Cisco Security team observed an executable enter Threat Grid. The threat score returned 95, which is confirmed malware on a scale of 0-100.
Investigation noted the artifact was known to many antivirus services, but that alone is not enough for a conviction. A machine learning model additionally determined that one or more artifacts were likely malicious. The model is trained on a very large number of samples; the output of that training is a decision engine that takes static features of executables as input and returns a verdict of malicious or unknown. In general, a single feature of an artifact will not cause it to be judged malicious; rather, the decision engine weighs all of the artifact’s features together to reach a verdict.
The Cisco team conducted further research and noted the executable was a secondary payload for the Ramnit trojan. Ramnit is a worm that spreads to removable drives and steals sensitive information such as saved banking and FTP credentials and browser cookies. Ramnit has evolved into a banking trojan capable of injecting into victims’ web browsers to conduct and conceal fraudulent wire transfers.
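To make the decision-engine idea in the preceding paragraph concrete, here is a toy static-feature classifier written for this post. It is an added illustration, not Cisco Threat Grid code: it extracts a few static features from a constructed PE-shaped byte blob (whole-file entropy, section count, presence of injection-related import names, an anti-debug API) and weighs them together, so that a single strong feature such as high entropy from packing does not convict on its own. The weights, the threshold and the sample blobs are assumed, hand-picked values standing in for a model trained on a large corpus.

```python
"""Toy static-feature decision engine (added example, not Threat Grid code).

A verdict comes from weighing several static features of an executable
together; no single feature can reach the threshold by itself. Weights,
threshold and the constructed samples below are assumptions.
"""
import math
import struct
from collections import Counter

# Import names whose presence together suggests process injection.
INJECTION_APIS = (b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread")
ANTI_DEBUG_API = b"IsDebuggerPresent"

# Assumed weights (sum to 1.0) and decision threshold; not a trained model.
WEIGHTS = {"packed": 0.35, "injection": 0.40, "anti_debug": 0.15, "few_sections": 0.10}
THRESHOLD = 0.60


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer; packed or encrypted data nears 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_section_count(data: bytes) -> int:
    """NumberOfSections from the COFF header, or -1 if the bytes are not PE-shaped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return -1
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return -1
    # COFF header follows the signature: Machine (2 bytes), NumberOfSections (2 bytes), ...
    return struct.unpack_from("<H", data, e_lfanew + 6)[0]


def extract_features(data: bytes) -> dict:
    """Every feature is scaled into [0, 1] so the weights are comparable."""
    entropy = shannon_entropy(data)
    sections = pe_section_count(data)
    return {
        "packed": max(0.0, min(1.0, (entropy - 6.5) / 1.5)),
        "injection": sum(1 for api in INJECTION_APIS if api in data) / len(INJECTION_APIS),
        "anti_debug": 1.0 if ANTI_DEBUG_API in data else 0.0,
        "few_sections": 1.0 if 0 < sections <= 2 else 0.0,
    }


def score(data: bytes) -> float:
    """Weighted sum of all features; the largest single weight is below THRESHOLD."""
    return sum(WEIGHTS[name] * value for name, value in extract_features(data).items())


def verdict(data: bytes) -> str:
    """'malicious' or 'unknown', the two outcomes described in the text."""
    if pe_section_count(data) < 0:
        return "unknown"  # the engine only judges executables
    return "malicious" if score(data) >= THRESHOLD else "unknown"


def build_pe(num_sections: int, body: bytes) -> bytes:
    """Constructed, non-loadable PE-shaped blob: MZ stub, e_lfanew, PE signature, COFF header, body."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, 0, 0x102)
    return dos_stub + b"PE\0\0" + coff + body


# Constructed samples for the example (not real malware).
HIGH_ENTROPY = bytes(range(256)) * 8  # uniform byte distribution, entropy close to 8
BENIGN = build_pe(4, b"Hello from a harmless program\0" * 60)
PACKED_ONLY = build_pe(1, HIGH_ENTROPY)  # packing alone does not convict
PACKED_INJECTOR = build_pe(1, HIGH_ENTROPY + b"\0".join(INJECTION_APIS) + b"\0" + ANTI_DEBUG_API)

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("packed_only", PACKED_ONLY), ("packed_injector", PACKED_INJECTOR)]:
        print(f"{name:16s} score={score(sample):.2f} verdict={verdict(sample)}")
```

Running the block shows the packed-only sample staying at "unknown" while the packed sample that also carries injection and anti-debug imports crosses the threshold, which is the behaviour the paragraph describes.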
With enough information to know that something wasn’t right, the team enabled the Black Hat NOC Captive Portal for the device’s malicious activity. Working together, they were able to take action in less than seven minutes from the initial “infection”! Researching further, the team noted that the file seen was one of five files used in this Ramnit campaign. They were able to identify one other payload being used but could not find any trace of the remaining three. Digging into the network traffic, they also noted a lack of command and control traffic and some other behaviors indicative of the campaign. The next morning a vendor from the Business Hall came over and excitedly showed the NOC team a picture of their booth with the NOC Captive Portal on the screen. The vendor team thought they were using a benign “simulation” version of a “malware” infection and were unaware that it was actually downloading the Ramnit payload to their demonstration machine.
To understand the depth and breadth of the Ramnit infrastructure, Michael Auger utilized the Maltego integration to query the Threat Grid intelligence database and visualize the relationships. Starting from the initial payload he queried for associated samples. From there he queried for domains, then, selecting the domains, queried for samples again. This resulted in 300 Ramnit samples. The final two queries were for domains and URLs from the 300 samples. This resulted in 1268 domains and 93 URLs.
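The pivot sequence above (seed sample, associated samples, their domains, samples for those domains, then domains and URLs for the whole set) is easy to reproduce against any intelligence source that exposes sample-to-infrastructure relationships. The block below is an added example, not the Maltego or Threat Grid integration: it runs that exact chain over a small constructed relationship graph with made-up hashes, domains and URLs, and adds one practitioner caveat the text does not mention, a fan-out cutoff (`MAX_FANOUT`, an assumed value) so that a domain contacted by very many samples, such as shared CDN or connectivity-check infrastructure, is reported but not used as a pivot point.

```python
"""Threat-intel pivoting over a sample/domain/URL relationship graph.

Added example, not the Maltego or Threat Grid integration. All sample
hashes, domains and URLs are constructed placeholders.
"""
from collections import defaultdict

# Constructed intel graph: which samples contacted which domains and URLs.
SAMPLE_DOMAINS = {
    "sha256:seed00": ["a-c2.example", "b-c2.example", "cdn.example"],
    "sha256:rel001": ["b-c2.example", "c-c2.example"],
    "sha256:rel002": ["c-c2.example", "d-c2.example", "cdn.example"],
    "sha256:noise1": ["cdn.example"],                 # only shares the hub
    "sha256:far003": ["d-c2.example", "e-c2.example"],  # one pivot round further out
}
SAMPLE_URLS = {
    "sha256:seed00": ["http://a-c2.example/drop/a.bin"],
    "sha256:rel002": ["http://d-c2.example/gate.php"],
    "sha256:far003": ["http://e-c2.example/x"],
}

# Assumed cutoff: a domain seen from more than this many samples is treated as
# shared infrastructure and is not expanded, or every pivot links to everything.
MAX_FANOUT = 2


def invert(mapping: dict) -> dict:
    """Build the reverse index (domain -> set of samples)."""
    reverse = defaultdict(set)
    for key, values in mapping.items():
        for value in values:
            reverse[value].add(key)
    return reverse


DOMAIN_SAMPLES = invert(SAMPLE_DOMAINS)


def is_hub(domain: str) -> bool:
    return len(DOMAIN_SAMPLES.get(domain, ())) > MAX_FANOUT


def domains_for(samples) -> set:
    """Every domain contacted by any of the samples (hubs included, for reporting)."""
    return {d for s in samples for d in SAMPLE_DOMAINS.get(s, [])}


def samples_for(domains) -> set:
    """Every sample that contacted any non-hub domain in the set."""
    return {s for d in domains if not is_hub(d) for s in DOMAIN_SAMPLES.get(d, ())}


def urls_for(samples) -> set:
    return {u for s in samples for u in SAMPLE_URLS.get(s, [])}


def related_samples(sample: str) -> set:
    """Samples sharing at least one non-hub domain with the given sample."""
    return samples_for(domains_for({sample})) - {sample}


def pivot_chain(seed: str) -> dict:
    """The five queries described in the text, with de-duplication at each step."""
    samples = related_samples(seed) | {seed}      # 1: associated samples
    domains = domains_for(samples)                # 2: their domains
    samples = samples_for(domains) | samples      # 3: samples for those domains
    return {
        "samples": samples,
        "domains": domains_for(samples),          # 4: domains for the full sample set
        "urls": urls_for(samples),                # 5: URLs for the full sample set
        "hubs": {d for d in domains_for(samples) if is_hub(d)},
    }


if __name__ == "__main__":
    result = pivot_chain("sha256:seed00")
    for key in ("samples", "domains", "urls", "hubs"):
        print(f"{key}: {len(result[key])} -> {sorted(result[key])}")
```

The chain stops where the text's queries stop, so `sha256:far003`, which shares a domain with a sample found in step 3, would only appear after one more round; the `hubs` entry shows which reported domains were held back from expansion.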
Another sample of note was communicating with a domain known by Cisco Umbrella as malicious.
With all samples, we were able to pivot to Cisco Threat Response for a global intelligence viewpoint.
Having a global understanding of a threat allows the NOC to assess if it is a unique or modified sample, or a common threat.
Pivoting into Umbrella Investigate, we could see how the domain had low global activity until right around the Black Hat Asia conference.
Fewer DNS Requests
Like many training events, we saw a lot of Newly Seen Domains, created just for the excellent training. Total DNS requests for the conference were over 4.3 million, down from 5.1 million in 2018.
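The three DNS observations on this page (cryptomining activity spotted through DNS in the earlier section, a domain whose activity only picks up around the conference, and the week's Newly Seen Domains and top domains here) are all simple passes over resolver logs. The block below is an added example, not Cisco Umbrella code: it runs those checks over a constructed log. The log format, the domain names, the client addresses and the category table are all made up for the example; a real category feed would come from threat intelligence.

```python
"""DNS log triage: top domains, newly seen domains, and category hits.

Added example, not Cisco Umbrella code. Log lines, domains, clients and
the category table are constructed for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

CONFERENCE_START = datetime(2019, 3, 26, tzinfo=timezone.utc)

# Constructed category feed (placeholder for a real intelligence source).
CATEGORIES = {
    "pool.miner-example.net": "cryptomining",
    "stats.miner-example.net": "cryptomining",
}

# Constructed resolver log: "<ISO timestamp> <client> <qname> <qtype>"
LOG = """\
2019-03-01T10:00:00Z 10.0.5.21 updates.vendor-example.com A
2019-03-01T10:00:05Z 10.0.5.22 www.news-example.com A
2019-03-26T09:15:02Z 10.0.5.21 www.news-example.com A
2019-03-26T09:15:07Z 10.0.5.21 pool.miner-example.net A
2019-03-26T09:16:40Z 10.0.5.23 lab-2019-train.example AAAA
2019-03-27T11:02:13Z 10.0.5.23 lab-2019-train.example A
2019-03-27T11:05:00Z 10.0.5.24 www.news-example.com A
2019-03-28T14:22:10Z 10.0.5.25 stats.miner-example.net A
2019-03-28T14:30:00Z 10.0.5.22 updates.vendor-example.com A
"""


def parse(log: str) -> list:
    """Parse log lines into records; qnames are normalised to lower case without a trailing dot."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client,
            "qname": qname.lower().rstrip("."),
            "qtype": qtype,
        })
    return records


def top_domains(records: list, n: int = 3, since: datetime = CONFERENCE_START) -> list:
    """Most-requested domains in the window starting at `since`, as (domain, count)."""
    counts = Counter(r["qname"] for r in records if r["ts"] >= since)
    return counts.most_common(n)


def newly_seen(records: list, since: datetime = CONFERENCE_START) -> set:
    """Domains whose first request in the log falls on or after `since`."""
    first_seen = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        first_seen.setdefault(r["qname"], r["ts"])
    return {d for d, ts in first_seen.items() if ts >= since}


def activity_split(records: list, domain: str, since: datetime = CONFERENCE_START) -> tuple:
    """(requests before `since`, requests from `since` on) for one domain."""
    before = sum(1 for r in records if r["qname"] == domain and r["ts"] < since)
    during = sum(1 for r in records if r["qname"] == domain and r["ts"] >= since)
    return before, during


def clients_in_category(records: list, category: str) -> dict:
    """Clients that resolved a domain in the given category, with the domains they hit."""
    hits = defaultdict(set)
    for r in records:
        if CATEGORIES.get(r["qname"]) == category:
            hits[r["client"]].add(r["qname"])
    return dict(hits)


RECORDS = parse(LOG)

if __name__ == "__main__":
    print("top domains:", top_domains(RECORDS))
    print("newly seen:", sorted(newly_seen(RECORDS)))
    print("lab domain before/during:", activity_split(RECORDS, "lab-2019-train.example"))
    print("cryptomining clients:", clients_in_category(RECORDS, "cryptomining"))
```

The `clients_in_category` output is the list a captive-portal warning like the one described earlier would be keyed on, and `activity_split` is the per-domain before/during comparison behind the "low global activity until the conference" observation.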
Top Domains for the week:
Black Hat USA 2019 will be 3-8 August 2019. See you in Vegas!