Three weeks ago, OpenDNS Research Labs was at the annual Kaspersky Security Analyst Summit held in Tenerife, Spain, February 7 to 11. Thomas Mathew and I were delighted to talk about “Defeating malware with signal analysis techniques” on the 9th. SAS is one of my favorite security conferences of the year because it combines great quality talks, a very tech-savvy yet jolly crowd, and highly entertaining activities. We had the chance to catch up with friends from the community and meet with our friends from the Talos research team. As a matter of fact, we are pleased to invite Nick Biasini from Talos to contribute to this blog.
After the two-day conference, we had a full day of entertainment organized by Kaspersky for all attendees. We took a trip to Teide National Park, a must-see wonder in Tenerife. At 3,700 m, this is the highest peak on Spanish soil and it is regarded as the world’s third-tallest volcanic structure. The views were breathtaking and otherworldly. We also visited the Teide Observatory, an astronomical observatory on Mount Teide operated by the Instituto de Astrofísica de Canarias. Technicians at the observatory gave us a tour of several world-class telescopes financed by various European countries for advanced astronomical projects. Teide Observatory is known for its great astronomical seeing conditions.
Insights from Dhia Mahjoub
There were numerous quality talks at SAS, and it’s hard to go over all of them here. A nice appearance was that of Reuben Paul as a keynote speaker. He demonstrated live attacks and delivered inspiring words, from his 9-year-old perspective, on teaching kids to be curious and enthusiastic about security. I was pleased to meet Reuben’s family afterwards.
In “Poseidon’s APT boutique” Kaspersky researchers unveiled the first Portuguese-speaking targeted attack group, named “Poseidon.” The group is more likely a commercial threat player and appears to have been active since at least 2005. Poseidon’s campaigns were particularly tailored towards the MS Windows family and heavily focused on espionage for commercial interests, with at least 35 enumerated victims including companies in energy and utilities, telecommunications, public relations, media, financial institutions, governmental institutions, services in general and manufacturing. These victims are mostly in Brazil, the USA, France, Kazakhstan, the United Arab Emirates, India, and Russia. Poseidon used spear phishing as the main infection vector: executable elements were embedded inside office documents, and the executables were often digitally signed to avoid detection or blocking. After the infection, the malware reports to CnC servers, then starts a lateral movement phase. This phase often leverages a specialized tool that automatically collects a variety of information, including credentials, group management policies, and system logs, to better adapt further attacks. The exfiltrated information is then leveraged by a front company to blackmail victim companies into contracting the Poseidon Group as a security firm, under the threat of handing the stolen information to competitors. This extortion component is what differentiates the Poseidon group from others. It is also noteworthy that the group did not leverage zero-day vulnerabilities in the samples analyzed. Poseidon focused primarily on conventional means to deceive users: executables posing inside office documents, and poisoned documents carrying malicious macro scripts, have been the sole methods used for compromising their desired targets.
Finally, it seems this group managed to stay under the radar because many of its campaigns were designed to run on specific machines with diverse CnC servers located in different countries that are swiftly discarded.
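As an added illustration that is not part of the original post and not taken from Kaspersky’s Poseidon analysis, the Python script below shows the kind of static check a mail gateway or triage pipeline can apply to document lures of the type described above: it opens an OOXML (.docx/.docm/.xlsm) file, reports whether it carries a VBA project or a macro-enabled content type, lists embedded objects, and flags any embedded object that looks like a PE executable. The sample documents it builds in memory are constructed for the demonstration, the DOS-stub string heuristic and the `triage` decision thresholds are assumptions of this example, and legacy OLE2 (.doc/.xls) containers are only identified, not parsed.

```python
import io
import sys
import zipfile

# Magic values: OLE2/CFB container header, and the DOS-stub text present in almost every PE file
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
PE_STUB_TEXT = b"This program cannot be run in DOS mode"
EMBEDDING_DIRS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")


def inspect_office_document(data: bytes) -> dict:
    """Return static indicators for an Office file supplied as bytes."""
    result = {
        "format": "unknown",
        "has_vba": False,
        "macro_enabled_content_type": False,
        "embedded_objects": [],
        "embedded_pe": [],
    }
    if data.startswith(OLE2_MAGIC):
        # Legacy binary .doc/.xls: walking its streams needs a CFB parser (e.g. olefile), not shown here
        result["format"] = "ole2"
        return result
    if not data.startswith(b"PK"):
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["format"] = "corrupt-zip"
        return result
    with zf:
        result["format"] = "ooxml"
        names = zf.namelist()
        # A macro-enabled document declares a ...macroEnabled... content type for its main part
        if "[Content_Types].xml" in names and b"macroEnabled" in zf.read("[Content_Types].xml"):
            result["macro_enabled_content_type"] = True
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                result["has_vba"] = True
            if name.startswith(EMBEDDING_DIRS):
                result["embedded_objects"].append(name)
                # Heuristic (assumption): an OLE "Package" object wrapping an .exe carries the PE bytes verbatim
                if PE_STUB_TEXT in zf.read(name):
                    result["embedded_pe"].append(name)
    return result


def triage(data: bytes) -> str:
    """Map indicators to a gateway decision: block, review, or allow (thresholds are this example's choice)."""
    r = inspect_office_document(data)
    if r["embedded_pe"]:
        return "block"
    if (r["has_vba"] or r["macro_enabled_content_type"] or r["embedded_objects"]
            or r["format"] in ("ole2", "corrupt-zip", "unknown")):
        return "review"
    return "allow"


def build_sample(with_vba: bool = False, with_pe: bool = False) -> bytes:
    """Constructed minimal OOXML document for the demo; not a real malicious sample."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_vba
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 64)
        if with_pe:
            # Fake OLE Package object: CFB header followed by a PE-looking payload
            zf.writestr("word/embeddings/oleObject1.bin",
                        OLE2_MAGIC + b"\x00" * 32 + b"MZ\x90\x00" + PE_STUB_TEXT + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        print(triage(blob), inspect_office_document(blob))
    else:
        for label, doc in (("clean", build_sample()), ("macro+exe lure", build_sample(True, True))):
            print(f"{label}: {triage(doc)} {inspect_office_document(doc)}")
```

Run it with a file path to triage a real document, or with no arguments to see the two constructed samples classified. The check is deliberately format-level: it does not execute macros or unpack the embedded object, so it is cheap enough to run on every inbound attachment, and a “review” verdict is the hook for sending the file on to sandboxing.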
Insights from Thomas Mathew
Thomas Rid, professor at Imperial College London and author of Rise of the War Machines, gave an excellent talk about the Moonlight Maze APT group. The talk was part detective story and part historical overview. Many security practitioners are familiar with APT groups that have been named in the last five years by companies like Kaspersky and Mandiant; information about older APT groups has been rarer. What made the talk interesting were the details about an APT group that had been around in the 1990s. Through a painstaking investigation involving multiple Freedom of Information Act requests to obtain first-hand government documents, and interviews with personnel involved with the case, Rid was able to piece together how a suspected Russian APT group was able to enter classified US networks and exfiltrate data. The group ‘Moonlight Maze’ used universities with close connections to government-run programs as entry points into the government networks. This gave them the ability not only to obtain sensitive material but also to run jobs on US supercomputers. Ultimately the discovery of the Moonlight Maze group led to a classified congressional hearing. Rid had to conduct many personal interviews to obtain information about the group because many of the original documents detailing the group’s MO were destroyed. Moonlight Maze also has a connection to the present: parts of the Maze infrastructure were also used by the Turla group as they hacked satellites.
In another talk, Sergey Golovanov and Vladislav Roskov of Kaspersky gave an update on the Carbanak group that Kaspersky discovered last year. This year they exposed Metel/Corkow, another Trojan that infected a Russian bank and surreptitiously transferred money to criminals. By identifying flaws in the group’s code, Kaspersky was able to identify servers involved in the money transfers. They accomplished this by scanning the entire IP space for servers that output a particular error string when sent a specific request. It was a cool demonstration of using network tools like scanning to help find malicious servers.
Insights from Nick Biasini
A couple of weeks ago I was given the opportunity to present at Kaspersky’s Security Analyst Summit. The topic was Bedep, a favorite payload of Angler, and associated threats. This was a continuation of the previous work on Angler by Talos. It was my first SAS experience and I thoroughly enjoyed spending time in Tenerife. The venue was excellent, including the accommodations and the conference tracks. In particular, I enjoyed the duration of the talks. The 20-30 minute window provided time for technical details, without a lot of excess information. This allowed for more talks, covering a diverse range of topics.
Overall, I found SAS to be a good mixture of technical and high-level presentations with an emphasis on APT. The conference opened with an interesting presentation from Reuben Paul, giving a glimpse into the future of information security. I really enjoyed the opportunity to meet up with colleagues and discuss threats, including Angler and Bedep. One takeaway from the presentations is how much crimeware is evolving. It’s clear that adversaries are becoming more sophisticated and have really progressed over the last handful of years. There were plenty of examples of crimeware carrying out operations and executing them effectively with substantial financial returns.
See you at RSA 2016
Next Thursday, March 3 at 10:20am, OpenDNS Research Labs will be presenting at RSA on “Using Large Scale Data to Provide Attacker Attribution for Unknown IoCs”. Hope to see you there.