Black Hat USA 2019 Network Operations Center
Cisco Security is honored to be a supporting partner for the Black Hat USA 2019 Network Operations Center (NOC) for the third year, joining conference producer Informa Tech (formerly UBM) and its other security partners: RSA Security, Palo Alto Networks, Ruckus, CenturyLink and Gigamon. Cisco provided DNS visibility and architecture intelligence with Cisco Umbrella and Cisco Investigate, and automated malware analysis and threat intelligence with Cisco Threat Grid, backed by Cisco Talos Intelligence and Cisco Threat Response.
Like other Black Hat conferences, the mission of the NOC is to build a conference network that is secure, stable and accessible for the training events, briefings, sponsors and attendees. This requires a robust connection to the Internet (CenturyLink and Gigamon), firewall protection (Palo Alto Networks), a segmented wireless network (Ruckus), and full packet capture, network forensics and SIEM (RSA NetWitness), with Cisco providing cloud-based security and intelligence support. The trainers, briefers and sponsors need to be able to access and demonstrate malicious code and network activity without infecting attendees or other networks, or causing an outage. It is a balancing act that the NOC team enjoys creating at each conference.
Black Hat USA 2019 activity in the NOC was exciting from the first day and never let up through the week. NOC leaders Neil Wyler (@grifter801) and Bart Stump (@thestump3r) give an out-briefing at the end of each conference on some of the highlights of the security incidents and network metrics, and the security partners each have the ability to blog about some of their findings, with the approval of Black Hat public relations.
Use https and VPNs…
Part of the NOC mission is to protect users from themselves and to educate the community. On the first day of operations, a PDF was sent from NetWitness to the Threat Grid malware analysis platform. In the thumbnails of the live analysis, I saw what appeared to be a Wells Fargo mortgage statement. I clicked into the Glovebox, where the live file could be examined.
The RSA NetWitness and Palo Alto Networks (PAN) Firewall teams were alerted. The PAN team found that the .PDF file was downloaded over port 80 to a training classroom from a platform that lets a user set up a private Dropbox/Box-style shared folder in the cloud. However, https was not enabled and all of the data transfer was in the clear. The RSA team was able to reconstruct the packets and observe the plaintext password. With the mortgage account information, the PAN team was able to find the user's Twitter and PhotoBucket accounts on the Internet, and their information security business.
With this information, the PAN team was authorized by the NOC leadership to put up a captive portal for the user, to warn them the next time they connected to the network that they were passing personal information in the clear. The user saw the warning and clicked through it without changing their security settings. So NOC leader Neil was briefed and went to the classroom to personally inform the student of the extent of the personal data and passwords that were being transmitted in the clear. It became a humorous highlight of the conference out-briefing.
In a related incident, a user was sending sensitive human resources files in clear-text emails. Using the same investigative techniques, the RSA and PAN teams were able to identify the user by name and classroom, and the NOC leadership went to advise them to change the setting on their Outlook email account from http to https.
Lessons learned: Use https and a VPN on a public Wi-Fi network.
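The clear-text credential finding behind both incidents above is what a detection rule over captured HTTP traffic surfaces. The following is an added example, not NetWitness or Palo Alto Networks code: it scans constructed, reconstructed plaintext HTTP requests for Basic-auth headers and password form fields and reports the sending client without ever copying the secret into the finding. The request format, host names and credentials are all made up.

```python
import re
from base64 import b64decode, b64encode
from urllib.parse import parse_qs

# Constructed, reconstructed plaintext HTTP requests (client IP, raw bytes), standing in for
# what a full-packet-capture tool hands the analyst. All names and secrets are made up.
SAMPLE_REQUESTS = [
    ("10.10.1.15", b"POST /login HTTP/1.1\r\nHost: files.example\r\n"
                   b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=student&password=hunter2"),
    ("10.10.2.7", b"GET /owa/ HTTP/1.1\r\nHost: mail.example\r\nAuthorization: Basic "
                  + b64encode(b"alice:s3cret") + b"\r\n\r\n"),
    ("10.10.3.9", b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
]

# Form field names that commonly carry a password (assumed list, extend per environment).
PASSWORD_FIELDS = re.compile(r"^(pass(word|wd)?|pwd|passphrase|secret)$", re.I)

def find_cleartext_credentials(client, raw):
    """Findings for one plaintext HTTP request: credential type, field/user, sender.
    The secret value is never copied into the finding, only its length."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]          # skip the request line
    headers = {k.lower(): v for k, v in (l.split(": ", 1) for l in lines if ": " in l)}
    base = {"client": client, "host": headers.get("host", "?")}
    findings = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):                       # RFC 7617 user:password, base64
        user, _, pw = b64decode(auth[6:]).decode("latin-1").partition(":")
        findings.append({**base, "type": "basic-auth", "user": user, "secret_len": len(pw)})
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        for field, values in parse_qs(body.decode("latin-1")).items():
            if PASSWORD_FIELDS.match(field):
                findings.append({**base, "type": "form-password", "field": field, "secret_len": len(values[0])})
    return findings

def scan(requests):
    """Run the check over every captured (client, request) pair; results drive the captive-portal warning."""
    return [f for client, raw in requests for f in find_cleartext_credentials(client, raw)]
```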
So many unique malware samples
A number of the malware classes required executables to be downloaded. These were extracted by NetWitness Packets Malware Analysis and sent to Threat Grid for automated analysis if the hash had never been seen before; in other words, NetWitness de-duplicates the files before submission to Threat Grid.
We could see the peaks in the submissions during the training days.
For example, several Metasploit Framework toolkits were downloaded with unique hash values. Metasploit is a collection of tools, exploits and payloads to assist in offensive security exercises. It has a wide variety of payloads that provide remote access capabilities to targets once access has been gained via exploitation of commonly used software. These payloads can be exported to portable executables which can in turn be used to infect machines without requiring initial exploitation.
We also saw the activity of a command shell class, with dozens of unique hash values, illustrating how easy it is to create new files that escape one-to-one hash detection.
Between midnight and 1am on the second day of training, a data exfiltration class came online and downloaded dozens of exploit kits with unique hashes and random alphanumeric names.
We also saw a number of instances where Potentially Unwanted Application (PUA) Dealply (also known as Ikarus) was slipped into installers. It is a newer PUA that is in a family of adware that gets distributed through freeware programs and software bundlers. Once installed, Dealply shows advertising pop-ups in the web browser, prompts the user to install fake software updates, modifies default browser settings, and may also collect and transmit various marketing-related information about the user. Dealply was found to be included in packages such as camstudio_0127815701.exe, Setup_ImgBurn_184.108.40.206_dlm_1629102111.exe, idafree50_2113446264.exe and (Hydra) setup_1540910788.exe.
For the first time at Black Hat USA, the NOC sent captive webpage notifications to users who connected to the BH network and were found to be infected with malware. The notifications were delivered by moving affected users into a group within the PAN Firewall.
Will trade cryptomining for porn
The NOC team is now also alerting users whose devices are seen communicating with cryptomining domains and/or passing clear-text passwords. If the attendee wants to cryptomine, that is fine; however, some sites do so without consent.
We saw many cryptomining domains during the conference. However, on the last day of the trainings, I noticed a unique domain that was flagged as both Pornography and Cryptomining.
| Domain | Categories |
|---|---|
| avxhm[.]se | Adult Themes, Illegal Downloads, Cryptomining |
| ws2.bitcoin[.]de | Ecommerce/Shopping, Financial Institutions, Cryptomining |
| ws3.bitcoin[.]de | Ecommerce/Shopping, Financial Institutions, Cryptomining |
| old.nicehash[.]com | Financial Institutions, Online Trading, Cryptomining |
| www.nicehash[.]com | Financial Institutions, Online Trading, Cryptomining |
We took a closer look with Umbrella Investigate to see the global requests, and noted that several known malicious samples communicated with the domain.
In the Threat Grid Glovebox, we have the ability to investigate URLs without becoming infected and to observe their behavior. In this case, the website catered to Japanese porn, and we were able to see whether the behavior of the website changed if the connecting location was the US versus Japan, and whether there were differences in behavior between operating systems, such as the Japanese version of Windows 7.
Examining the website in the Glovebox, we found no mention of the cryptomining in the description of the website, other than they are “…adding more features that will keep your love of for Japanese porn alive and well.”
The Terms of Service also had no mention of the underlying cryptomining.
The .js file could be downloaded as a network artifact from Threat Grid for further code examination.
Many of the NOC members respected the business model: delivering ad-free, full-length HD pornographic movies in exchange for using the visitor's CPU cycles for cryptomining. However, it is not disclosed to the user that the mining is taking place. We coordinated with the PAN team on the captive cryptomining portal.
Another very active cryptomining domain was minergate[.]com.
We also safely examined the domain in the Threat Grid Glovebox.
The behavior was similar to the pornography / cryptomining domain.
In 2018, there were about 42.4 million DNS requests on the Black Hat USA network. This year, there were nearly 50 million requests, of which over 5,000 would have been blocked by default as Malware, Command and Control or Phishing.
Working with our partners at RSA NetWitness, we were able to graph the DNS requests into a timeline showing the peaks and valleys from the training events, lunchtime and sleep.
One incident of note: five hosts from five classrooms communicated with a new malicious domain within minutes of each other. Research into the domain revealed abnormal behavior, and coordination with the Talos team indicated this was associated with a new malware campaign.
In App Discovery, over 3,600 applications were observed making DNS requests. In a production environment, we would have had approval control at both the category and the individual-application level.
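As an added example (not Cisco Umbrella or NetWitness code), the following Python applies two of the checks discussed above to a constructed DNS query log: flagging clients that resolve domains carrying the Cryptomining category from a defanged list like the table above, and flagging an uncategorised domain that five distinct clients first query within a few minutes of each other, the pattern of the five-classroom incident. The log format, client addresses and the `.example` domains are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed category feed, in the defanged "[.]" form the post uses for domains.
CATEGORY_FEED = {
    "avxhm[.]se": {"Adult Themes", "Illegal Downloads", "Cryptomining"},
    "old.nicehash[.]com": {"Financial Institutions", "Online Trading", "Cryptomining"},
    "minergate[.]com": {"Cryptomining"},
}
def refang(domain):
    """Turn 'example[.]com' back into 'example.com' so it matches what the resolver logged."""
    return domain.replace("[.]", ".").lower()
CATEGORIES = {refang(d): cats for d, cats in CATEGORY_FEED.items()}
# Constructed DNS query log, "<ISO timestamp> <client IP> <queried domain>" (hypothetical format).
SAMPLE_LOG = """\
2019-08-06T00:12:40 10.10.1.15 old.nicehash.com
2019-08-06T00:13:02 10.10.2.7 minergate.com
2019-08-06T00:14:10 10.10.3.9 newly-seen.example
2019-08-06T00:14:35 10.10.4.11 newly-seen.example
2019-08-06T00:15:01 10.10.5.2 newly-seen.example
2019-08-06T00:16:20 10.10.6.8 newly-seen.example
2019-08-06T00:17:44 10.10.7.3 newly-seen.example
2019-08-06T00:17:50 10.10.7.3 newly-seen.example
""".splitlines()
def parse_line(line):
    ts, host, domain = line.split()
    return datetime.fromisoformat(ts), host, domain.lower().rstrip(".")
def cryptomining_hosts(lines):
    """Map each client to the Cryptomining-category domains it queried (captive-portal candidates)."""
    hits = defaultdict(set)
    for line in lines:
        _, host, domain = parse_line(line)
        if "Cryptomining" in CATEGORIES.get(domain, ()):
            hits[host].add(domain)
    return dict(hits)
def multi_host_new_domains(lines, min_hosts=5, window=timedelta(minutes=5)):
    """Uncategorised domains first queried by >= min_hosts distinct clients within `window`."""
    first_seen = defaultdict(dict)  # domain -> client -> time of its first query
    for line in lines:
        ts, host, domain = parse_line(line)
        if domain not in CATEGORIES:
            first_seen[domain].setdefault(host, ts)
    flagged = {}
    for domain, clients in first_seen.items():
        events = sorted((ts, host) for host, ts in clients.items())
        for i in range(len(events) - min_hosts + 1):  # slide over the first-seen times
            if events[i + min_hosts - 1][0] - events[i][0] <= window:
                flagged[domain] = sorted(host for _, host in events[i:i + min_hosts])
                break
    return flagged
```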
Next stop for the Black Hat NOC team is Black Hat Europe.
Acknowledgements: Special thanks to Michael Auger, our NOC partners RSA (especially the RSA Security team led by Percy Tucker), Palo Alto Networks (especially Sandy Wenzel and Dan Ward), Ruckus (especially Heather Williams), Gigamon, CenturyLink and the entire Black Hat / Informa Tech staff (especially Marissa Parker – Queen of the NOC, Steve Fink – Chief Architect, Neil Wyler and Bart Stump).
About Black Hat
For more than 20 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors.
Black Hat Briefings and Trainings are held annually in the United States, Europe and Asia. More information is available at: blackhat.com. Black Hat is brought to you by Informa Tech.