

    Secureworks Threat Intelligence Summit 2018 Overview

  • Australian Alex Tiley (CTU) covered how a criminal group used a blend of tools to steal millions from banks, demystifying GOLD KINGSWOOD, aka the Cobalt gang. The identifiers for this group are its targeting, tooling and timing. Attack tools in use include Ratopak, Cobaltstrike.cyst, cobint, WCE, Acehash, Inveigh, listrix and logkatz. Typical APT behaviour: perform a spearphish, dump credentials, move laterally, locate the target, gather intel. The Fsell.info underground dark-web forum was found to be sharing compromised data. Another criminal group referenced was the Lurk group. A forensics investigation case was talked over which (disappointingly, he said) all too commonly results in the supplied host turning out to be an Nginx proxy rather than the C&C machine itself. However, it is still worth reviewing the Vim history and SSH root logins, as they reveal other running infrastructure such as domains and attack infrastructure. When asked about prevention, the response was: make sure you have good network hygiene (2FA, application whitelisting, LAPS etc).

  • Rafe Pilling (CTU) explained 'Redirect to SMB' credential stealing. IRON LIBERTY (RU), aka Energetic Bear, is one group mentioned as using it. With NTLM hashing being common for Windows authentication, an SMB redirect hash listener can be dropped to capture the SMB handshake when a call to SMB is made. Inveigh is a packet-sniffer tool that listens for and responds to LLMNR/mDNS/NBNS requests.

  • An example was shown that indicated this attack using a website running a page that would invoke Microsoft Word to perform an SMB lookup: http://90.10.10.90/template.dotm causes an SMB lookup to a listener waiting externally for the handshake!? Advice: you should already be filtering SMB 445/139/137 at the perimeter! Hillcrest/leaf miner was a group mentioned that targets the aerospace industry.
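The perimeter advice above is easy to state and easy to verify only if someone actually looks. The following is an added example (not from the summit or from Secureworks) that checks firewall logs for the gap the 'Redirect to SMB' technique depends on: an internal client allowed to reach an external address on TCP 445/139 or UDP 137. The key=value log format, the internal address ranges and the sample lines are constructed assumptions; adapt the parser and the ranges to your own export and address plan.

```python
"""Egress check for 'Redirect to SMB' exposure.

Added example (not from the summit or Secureworks): parse constructed
firewall log lines and flag outbound SMB/NetBIOS connections from internal
hosts to non-internal destinations. Any allowed hit means a client could
complete an NTLM handshake with an external listener, i.e. the perimeter
filter recommended in the talk (445/139/137) is missing for that path.
"""
import ipaddress

# Ports the talk says to block at the perimeter: SMB over TCP, NetBIOS
# session service, NetBIOS name service.
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137)}

# Assumed internal address plan: RFC 1918 plus loopback and link-local.
# Listed explicitly (rather than ipaddress.is_private) so that documentation
# ranges used in the sample below count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample log lines (assumed key=value export format).
SAMPLE_LOG = """\
ts=2018-09-20T10:01:02Z action=allow proto=tcp src=10.20.30.40 sport=51000 dst=10.20.30.5 dport=445
ts=2018-09-20T10:01:07Z action=allow proto=tcp src=10.20.30.41 sport=51011 dst=90.10.10.90 dport=445
ts=2018-09-20T10:01:09Z action=deny proto=tcp src=10.20.30.42 sport=51012 dst=203.0.113.9 dport=139
ts=2018-09-20T10:01:15Z action=allow proto=udp src=192.168.1.12 sport=137 dst=198.51.100.7 dport=137
ts=2018-09-20T10:01:20Z action=allow proto=tcp src=10.20.30.43 sport=51020 dst=198.51.100.8 dport=443
ts=2018-09-20T10:01:25Z action=allow proto=tcp src=172.16.5.9 sport=51030 dst=192.0.2.200 dport=139
"""


def parse_line(line):
    """Split 'key=value key=value' into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_smb_egress(log_text):
    """Return (leaks, blocked) for internal->external flows on SMB/NetBIOS ports.

    Each record is (src, dst, proto, dport). 'leaks' are flows the firewall
    allowed; 'blocked' are denied flows, kept as evidence the filter works.
    """
    leaks, blocked = [], []
    for line in log_text.splitlines():
        f = parse_line(line)
        try:
            proto = f["proto"].lower()
            dport = int(f["dport"])
            src, dst = f["src"], f["dst"]
        except (KeyError, ValueError):
            continue  # malformed or irrelevant line
        if (proto, dport) not in SMB_PORTS:
            continue
        if not is_internal(src) or is_internal(dst):
            continue  # internal-to-internal SMB is normal traffic
        record = (src, dst, proto, dport)
        (leaks if f.get("action") == "allow" else blocked).append(record)
    return leaks, blocked


if __name__ == "__main__":
    leaks, blocked = find_smb_egress(SAMPLE_LOG)
    for src, dst, proto, dport in leaks:
        print(f"ALERT: external {proto}/{dport} allowed {src} -> {dst}")
    print(f"{len(leaks)} allowed, {len(blocked)} denied external SMB/NetBIOS flows")
```

Run against a day of allow/deny logs, the 'leaks' list should be empty; a single entry is enough for a Word template or a UNC link to hand an NTLM handshake to whoever is listening outside.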
  • Adam Orton (CTU) explained a very advanced satellite hijacking method for deniable communication used by IRON HUNTER (RU), aka Turla/White Bear: an ISP satellite-to-IP provider used from a local African C2 host. Buckshoy yanker is the name of an identified attacker. IVBB were attacked. One interesting point was that copied/cloned websites will have a "Doctype=" in the page code matching the site they were cloned from. He also used a Shodan search on web headers/page titles to discover more detail on copied sites. Also mentioned was a Tims2 (sp?) intel platform used to track attack infrastructure and fill it with passive DNS data.
  • Chris Taylor (CTU) explained how BRONZE FIRESTONE (CH), aka APT29, hide by using the same naming convention Google uses on its 1e100.net domains. They also park their domains on Google DNS, 8.8.8.8.
  • Mark Osborn (CTU) had followed BRONZE UNION (CH). He broke down the technique of a malicious DLL sideload (search-order hijack) dropper: a self-extracting RAR file carrying a signed library. Attack tools listed as used by the attacker were PlugX, HttpBrowser, SysUpdate and HyperBro; GetUserSpn was a mentioned script that searches for service accounts. The attack would result in a normal-looking svchost.exe that was in fact running a malicious attached DLL.
  • The Iranian group COBALT DICKENS (IR), which performed the Mabna phishing against universities, was explained by Alison Wikoff (CTU). Landing pages on newly registered domains such as unit.edu redirected SSO. Intel says Iranian sanctions have caused a brain drain; this activity was to gain course access and intellectual property.
  • Their original method during 2013-2017 was broad phishing, spear phishing and password spraying, followed by further methods (photo of slide below). The new recent activity was seen as matching the previous Iranian activity, so in August 2018 the domain details were shared and the domains taken down early.
  • Don Smith (Director, CTU) covered a broad section on real-world attacks. An example of fake persona compromise was Mia Ash, a cultivated personality lure, a catfish: https://www.wired.com/story/iran-hackers-social-engineering-mia-ash/ A term for common scanning malware was referenced: 'scan and exploit'. A technique used by attackers that is a warning flag is IIS forking cmd.exe. An exploit seen in the wild is the Outlook forms exploit used to launch PowerShell. Mention of attackers targeting and stealing NTDS.dit, which holds all A.D. passwords and requires decryption to reveal them. Secureworks use Red Cloak host protection to aid their incident response. BRONZE RIVERSIDE (CH), aka Cloudhopper, was talked about: a download dropper using a jpg filename which is a renamed puppyRAT. Attackers now seek OAuth tokens for Gmail and G Suite: https://en.wikipedia.org/wiki/OAuth Another modern target is AWS keys, stolen from poorly made code; attackers then create VPS instances used for BTC mining. Yet another target is Okta SSO phishing in the USA. One shady activity referenced was Windows KMSpico licensing. When large-scale issues occur in the UK there are alliances between groups such as the NCA, NCSC and SCIG [Strategic Cyber Industry Group], which work to pool intel and data. During the WannaCry incident the NHS was inordinately affected, more than other organisations, even those that ran Windows XP. New thinking is that the NHS trusted its N3 network too much, more than was securely sensible. N.b. N3 is now the Health and Social Care Network (HSCN). A term used to describe the initial compromise was IAV, initial access vector.
  • Threat Actor Mistakes, a talk by Matt Webster (CTU), covered revealing mistakes made by attackers. PDB file strings show similar patterns. IRON TWILIGHT (RU) performed the DNC hack. An interesting holiday that affects Russian recon is April 15th, a SIGINT holiday in Russia. BRONZE EXPORT (CH): DNS tunnelling. BRONZE MOHAWK (CH)/TEMP.Periscope/Leviathan: the HTran proxy used by attackers (infrastructure picture below).
  • The more you learn about threat groups, the better it helps with countermeasures against the learned threat-group behaviour. Implement 2FA on all external access points: on-site not required, off-site always required.
  • The next talk was on business email compromise by Nigerian scammers, by Chris Yule (CTU), covering the GOLD GALEON group and business email scam methods in steps.
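Two of the host-side warning flags in these notes, IIS forking cmd.exe (Don Smith) and a normal-looking svchost.exe that is really a sideloaded DLL carrier (Mark Osborn, BRONZE UNION), both show up in process-creation telemetry. The following added example (not Secureworks code and not from either talk) runs two simple rules over constructed Sysmon-style Event ID 1 records: a shell whose parent is the IIS worker w3wp.exe, and an svchost.exe that is either outside System32/SysWOW64 or not started by services.exe. Field names follow Sysmon's Image/ParentImage/CommandLine; the key=value export format, hostnames and events are constructed.

```python
"""Process-creation heuristics for two warning flags from the summit notes.

Added example (not Secureworks code, not from the talks). Rules:
  1. iis_forking_shell      - w3wp.exe spawning cmd.exe or powershell.exe
  2. svchost_unexpected_path   - svchost.exe image outside System32/SysWOW64
  3. svchost_unexpected_parent - svchost.exe whose parent is not services.exe
Rules 2 and 3 are the cheap tells for a masqueraded or sideloaded 'svchost'.
Record format is a constructed key=value export; field names follow Sysmon
Event ID 1 (Image, ParentImage, CommandLine).
"""
import ntpath
import re

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SHELLS = {"cmd.exe", "powershell.exe"}
IIS_WORKER = "w3wp.exe"

# Matches key=value where the value may be a double-quoted string with spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events (raw string so Windows paths stay single-backslash).
SAMPLE_EVENTS = r"""
EventID=1 Host=web01 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe CommandLine="svchost.exe -k netsvcs"
EventID=1 Host=web01 Image=C:\Windows\System32\inetsrv\w3wp.exe ParentImage=C:\Windows\System32\svchost.exe CommandLine="w3wp.exe -ap DefaultAppPool"
EventID=1 Host=web01 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\System32\inetsrv\w3wp.exe CommandLine="cmd.exe /c whoami"
EventID=1 Host=fs02 Image=C:\Users\Public\svchost.exe ParentImage=C:\Users\Public\setup.exe CommandLine="svchost.exe"
EventID=1 Host=fs02 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\explorer.exe CommandLine="svchost.exe -k foo"
EventID=1 Host=fs02 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe"
EventID=3 Host=fs02 Image=C:\Windows\System32\svchost.exe DestinationIp=10.0.0.5
"""


def parse_event(line):
    """Return the key=value fields of one record as a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def in_system_dir(path):
    """True if the file sits directly in System32 or SysWOW64."""
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def check_event(ev):
    """Apply the rules to one process-creation event; return (rule, detail) list."""
    findings = []
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    if basename(parent) == IIS_WORKER and basename(image) in SHELLS:
        findings.append(("iis_forking_shell",
                         f"{basename(parent)} -> {ev.get('CommandLine', '')}"))
    if basename(image) == "svchost.exe":
        if not in_system_dir(image):
            findings.append(("svchost_unexpected_path", image))
        if basename(parent) != "services.exe":
            findings.append(("svchost_unexpected_parent", parent))
    return findings


def scan(log_text):
    """Run the rules over every Event ID 1 record; return (host, rule, detail)."""
    results = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue  # only process-creation events carry the parent/child pair
        for rule, detail in check_event(ev):
            results.append((ev.get("Host", "?"), rule, detail))
    return results


if __name__ == "__main__":
    for host, rule, detail in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

Both rules are deliberately blunt: a web server whose worker process never runs a shell makes rule 1 near zero-noise, while rules 2 and 3 will need a short allow-list on hosts where third-party services genuinely start their own svchost copies.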

  • GOLD SKYLINE, a Nigerian group, uses the iSpy keylogger to gain screenshots. An email address scraper tool is used: simply put in the target sector, scrape websites, send mails. The Buccaneers confraternity and other confraternities are involved in phishing cyberscams. Wikipedia: https://en.wikipedia.org/wiki/Confraternities_in_Nigeria Pyrate confraternity, Magnificent Seven; many are sea themed. They have a Facebook page. Ben Bergman covered the history as they went from a brotherhood in 1972 to today's cults. The Naijagists.com website covered the Buccaneers as cultists. The Premium Times newspaper also covered them in Lagos, calling them Yahoo boys.
  • When a business mail attack results in a spoofed supplier invoice, who is liable: the supplier whose mail was attacked and who was not paid, or the receiver who clicked on the link and paid? Again the recommendation is 2FA on the external gateway, webmail etc. A point was made that Office 365 requires a forensic tick log to store the right mail logs. Also, Microsoft TechNet recommends disabling automatic forwarding in the company configuration. When it comes to these attacks, do senior managers understand that 'emergency' process bypasses are dangerous? What approval processes are in place?

    Mention of Park Jin Hyok, a North Korean cyber criminal. The FBI indictment document contains many pages of tradecraft, included here: https://assets.documentcloud.org/documents/4834259/Park-Jin-Hyok-Complaint.pdf Attacks on Sony and a UK media firm are included. North Korean groups: NICKEL GLADSTONE (NK), NICKEL CAMBIAN (NK).

    Iranian groups: COBALT GYPSY (IR), COBALT TRINITY (IR) aka APT33, COBALT URSHIN (IR), COBALT DICKENS (IR) aka Mabna, COBALT HUEY (IR).

  • Solving phishing: filtering works to a degree. Blue-team phishing. Honeytrap accounts on social media are favoured by North Korea.

    Attribution helps understand intent and focus resources. Attribution is by clusters of TTPs.