
Mic check, okay. All right, well, hello everyone, welcome to my talk. Right off the bat, let's talk about some general disclaimers. All the content on the slides is going to be available for you to download, so please review it, share it, whatever. The views I'm expressing here are my own and are not representative of my employer, so don't hold them accountable for what I say.

During this talk, what we're going to be doing is taking a look at techniques and methodologies applied by advanced persistent threat groups, and then how we as penetration testers, hackers, or whatever you are, can utilize those methodologies to basically become more effective and have our campaigns be more effective. Some of these groups you may know: you may have heard of the NSA, you may have heard of GCHQ, the PLA electronic warfare division, those kinds of groups. We're going to take a quick look at what they do. If you're interested in a good image of what these people look like, that's probably not it, but let's call it representative.

A little background on who I am: I work as an IT security engineer / researcher at a company based in Tampa. We do a lot of IT security related things, so consulting, and we also provide managed security services, so hey, if you need someone to watch your logs for you, you can do that, among other things. I'm a university student and I love security, man; breaking things is so much fun. Securing things isn't as much fun, but hey, whatever.

All right, quick shout-outs. Let's give a round of applause for the BSides Orlando organizers, because those guys have been awesome. A quick hello to my co-workers, because you guys are awesome. Hello to anyone from DEF CON 813, you guys are awesome. I don't see any Whitehatters, but if there are any people from Whitehatters, hello. Hello to the HackMiami crew, and the two NSA agents in here, you guys bow your heads or whatever, but just give me a little wave.

Right off the bat, let's talk about government capabilities and the capabilities of these APT groups. I don't care who you are, the government is going to have more money than you, they're going to have more access than you could ever possibly hope to get, and they're going to have a lot more leverage than you could ever possibly hope to get. So don't get it in your head that you're ever going to be as good as them, because unless you're rich, and really, really, really, really rich, which you're not, you're not going to be. But on the other hand, advanced persistent threat groups don't necessarily have to be tied to government. By the standard definition, advanced persistent threats are just hackers that are better than your regular script kiddies. So, yeah, all right.

As a little forewarning, we're going to be going to school right now. I'm going to give you a little history on these advanced APT groups, or whatever you want to call them, so just bear with me. But at the same time, while we're doing this, take note of the evolution of their methodologies and their tactics and how they've changed over time.

Starting in 1998, we'll take a look at a campaign called Moonlight Maze. Basically what happened was the US was parsing logs, whatever, and they noticed some electronic probing of Pentagon systems, DoD systems, the Department of Energy, and other research labs. Something interesting, and something to take note of, is that humans are the weakest link in security. We all know we have an intrinsic flaw built into our systems: basically, we love routine and we hate change. That fact enables blue teams to leverage things like pattern analysis, which helps them collect better intelligence against people. With Moonlight Maze, some of the log patterns they found were that, hey, these people are working in an office; it kind of matches up, in that all the activity we're seeing is between eight and five Moscow time. Now we chase these logs, and we trace them back to a server in Moscow. I wonder who did that.

In 2003 there was another campaign called Titan Rain. These attacks focused on defense contractors and the DoD, and the attack vector for these was social engineering emails. It's important to highlight this fact because they did an extensive amount of reconnaissance before performing their initial attacks. Recon is key to the success of these campaigns; better recon leads to better social engineering attacks. All the communications actually ended up getting traced back to China. Now, that's not to say that it was the
Chinese government, but it got traced back to China.

In 2006 there was Sykipot. This was a really, really sophisticated campaign that targeted key US industries such as telecommunications, hardware manufacturers, defense contractors, and aerospace organizations. Unlike a lot of bots at the time, Sykipot clients didn't talk back to the command and control server at regular intervals, so it was a lot more difficult, especially for the tools that existed at the time, to notice it. Initially, most botnets will communicate back to the C&C server every 30 minutes just to do a check-in. If you just say, hey, check in in 15 minutes, and the next check-in is in 30 minutes, and the next check-in is in 32 minutes, that really throws off manual analysis by humans, because you're looking for patterns.

There were some other really interesting characteristics of the malware utilized in this campaign. They hid the DLLs that they used for exploitation as Microsoft DLLs. That's really, really easy stuff to do: take a resource editor, right-click, say hey, let's change it from saying "Oh My God I Run An Evil Corporation LLC" to "Microsoft Corporation". That actually hides a lot better than you might think. It also had other characteristics: it would timestomp itself to match the timestamp of svchost, so if you're looking for time patterns it kind of hides itself. And then it had this really, really cool technique to perform persistence, which was kind of cutting edge at the time. The important part is what it does: it deletes its dropper executable that launches itself from the Startup folder, to remove any traces of persistence, so when you boot up the computer you can't see it. When it's executed, a new thread is created that detects the ending of a Windows session; only when Windows exits does it relocate itself to the Startup folder to survive reboot. Since it only exists in the Startup folder when required, live analysis techniques will probably miss it when startup entries are inspected. And again, this is for the kind of analysts that are quickly looking through things with automated tools and just not paying a lot of attention; those are just easy ways to hide from them.

In 2009 there was a campaign named GhostNet, very, very extensive, and it's interesting because you can kind of tell a lot about the malware operators, about who's controlling and who's performing these campaigns, by their targets. You'll see here that it had a pretty good list of targets: Taiwan, India, Thailand, Germany, Iran, and Tibetan exile centers. When you combine that with location analysis, like the fact that the C&C servers were hosted from the same region as a signals intelligence facility in China, you learn a lot about what you can tell about the group. Some other features included the ability to utilize audio and video recording from devices that it would find in the network. But it also had a really, really, really massive OPSEC failure, and OPSEC is another key thing to always be aware of. Essentially, some of the C2 servers that it talked back to had similar registration records; they were both registered to lost33@hotmail.com. You do a little bit of Google magic and that leads you to a blog post on Windows hacking, which is on the left-hand side here. If you do a quick look at the profile you can see that this guy's handle is lost33, and you get his date of birth, place of residence, and his personal motto: "the bored soldier swinging on an empty battlefield". The trail would normally go cold here, because this guy never posted again, but going back to the intrinsic flaw of security and how humans are stupid, let's do a Google search for this motto, and ooh, you come up with a new blog titled "The Bored Soldier's Blog Space". At this point, assuming they're the same person, he changed his handle from lost33 to "damn foot nine". But I know you're probably thinking, Jonathan, this is just speculation, I mean this isn't concrete evidence. To you I must say: you just activated my trap card.
Basically, the fact of the matter is that somehow these two personas share the same motto, the same birthplace, and the same place of residence. I mean, that kind of indicates that they're probably the same person. But in all seriousness: don't cross-contaminate your handles. You can have a public handle, you can have a private handle; make new handles for each campaign, be random. OPSEC is key, but not enough apparently.

In 2010 there was another one called Operation Aurora. Now, this one was kind of interesting just because of who they were targeting, right? They were looking for developers and development companies, large organizations that hosted software code base management. Google was one of the people that were targeted, and when they realized that, hey, these people were probably Chinese, they actually left the Chinese market because of it. Ultimately the goal of this campaign was to put malicious code in the code base of solutions before they even left for the market. You're downloading trusted programs and now they're packed with malware that no one even knows about; that's the ultimate win at that point. The command and control servers were also hosted on Rackspace accounts, so they could host these anywhere and it was a lot harder to determine where these were coming from. Although, looking at the source of the phishing emails, you could see that they were coming out of an SMTP server from a city in China, which just so happened to host an intelligence facility. Huh.

And then there's 2010 with one of my favorite campaigns, Stuxnet. This targeted the Iranians and their nuclear control facilities. It was amazing. It's a very, very sophisticated campaign that supposedly has some origins of American and/or Israeli characteristics. It's self-cleaning malware, and by exploiting four 0-days it would cause nuclear centrifuges to spin really, really fast and pretty much explode. It had three modules: one that was the worm that executes routines related to the main payload, a LNK file that automatically executes the propagated copies of the worm, and a rootkit component responsible for hiding malicious files and processes, preventing the detection of the presence of Stuxnet. The other really cool thing about this, that scared the bejesus out of everyone, was the fact that it infiltrated an air-gapped network. You're not going to network your uranium enrichment facilities; that's just probably not smart when you're running infrastructure like that. That scared a lot of people, and initially most people thought the initial attack vector must have been, no, they found some guy that had access to a USB and was able to drop the USB in there. What people don't normally talk about with Stuxnet is how did that USB manage to get infected? That leads us to talking about the supply chain attack vector, which is just beautiful.

So essentially, let's see here, you have this organization called Foolad Technic International. What they do is they create automated systems for Iranian industrial facilities. The next month, a group called Neda International Group, who is a component supplier for industrial systems, specifically Iranian industrial systems, and who also make products with potential military applications, was hit. And then the month after that, Control-Gostar Jahed Company, who's an industrial control systems vendor that sells to Iran, was hit with Stuxnet as well. Most people think that Neda and Gostar were used as intelligence-gathering hubs, which makes sense: the entire time that you're in there, you're kind of seeing who these guys are talking to, and essentially these guys and the Iranians are all in the same space, so you kind of think they're all talking to each other. When you have a foothold in all of them, that really, really helps the amount of reconnaissance that you can do, and you're able to collect much more effective and actionable intelligence. Finally, a year afterwards, it hits Kala Electric, who's the developer of the centrifuges that Stuxnet was targeting. Going back to the code-base attacks, it really kind of makes sense as to how all this happened: they're going to send a developer to update firmware on these centrifuges at some point, right? USB key, infected code base goes in, Stuxnet worm destroys the centrifuges, deletes itself, boom, everyone's happy. So while the nuclear facilities were air-gapped, the attacks were conducted on the assumption that the firms would exchange information with clients, thereby facilitating the attack on Iran's nuclear program.

And then in 2012 there was another one called Flame. This one was actually discovered by the Iranian CERT team, and some interesting changes took place here. Taking some hints from GhostNet, Flame had the ability to collect information via Bluetooth devices around the compromised host. So if your computer had Bluetooth on it and you had Bluetooth enabled on your phone,
I'm now able to pull info off of your phone, because it's Bluetooth. Let's assume for a second that the creators of Stuxnet were American; due to the fact that Flame shares some code with Stuxnet, it's really interesting to see that the locations of the C2 servers were, for once, not in their presumed location of origin. Another really interesting feature of the C2 panel for Flame was the way it was disguised: it's made to look completely benign to any passerby. So if these are hosted on a VPS, or a Rackspace account somewhere, and they say, oh, this server seems to be doing something funky, as the Rackspace administrator I'm going to peer through it to see if I see anything. Looking at this panel, you see that it doesn't use "bot", "botnet", "oh my god ultimate botnet 3000"; it uses common words like data, upload, download, client, news, blog, ads. It just disguises itself; it makes it look not threatening. This was likely done to deceive those guys.

In 2013 there was another campaign called Regin. Awesome, really, really incredibly sophisticated malware; if you ever get a chance, read the analysis paper on it, because it's really cool. Very highly modular, it uses the same technique to mimic Microsoft drivers, and it had a pretty wide target set; specifically, a lot of those targets just happened to be in telecommunications, so you're kind of attacking infrastructure at that point. It employed a lot of stuff, a lot of anti-forensics, and it also used a custom-built virtual file system and even alternative encryption, just encryption types that weren't commonly used, or slightly modified the encryption that was being used. Another key thing to look at is the fact that it used multiple protocols to talk back to the C&C server. So it's not just talking back over IRC or HTTP or whatever; it's using ICMP, HTTP cookies, IRC, P2P, a multitude of protocols, so that it's a lot harder to figure out how data is being exfiltrated. It remained undetected for a long time because they tried to hide it as much as they could.

We're going to give a special mention to the Belgacom hack in 2013, which was unofficially done by GCHQ. They were using a little bit more interesting attack vector. Basically, what happened is, we can assume that they compromised the backbone of the internet, or whatever, in front of Belgacom; they pretty much just man-in-the-middled everything. So they were looking at system administrators and they said, hey, I see you're going to LinkedIn; before you go to LinkedIn I'm going to intercept your request, upload a little bit of code that's going to execute, and then pass you through to LinkedIn. Oh, and now I have a shell on your box, sorry. You can literally inject code in transit, transparently, by intercepting the requests, and all you've got to do is control network infrastructure. Another key point is the fact that they performed really, really extensive reconnaissance. Reconnaissance leads to success; that's a fact. Use reconnaissance. Yeah, all right, history lesson's done, you guys can wake up now.

Let's take a quick peek at some of the methodologies and properties of these attacks and how we can use them to hack all the things. Rule number one: it's the location of your C2 server. Don't put it where you're attacking from;
that's [expletive]. Even if you're using jump boxes, if my C2 server is right next to me in Florida, is that really the smartest thing to do? Just imagine if the US launched their attacks from an IP address located in Fort Meade. Gee, I wonder who did that. So for penetration testers, that means don't use the hostname of your botnet as c2.yourcompanyname.com; that's not very smart. And for governments, host that out of the country. You have multiple partners; why don't you host your attack from Sweden, or host your attack from, I don't know, a server you probably own in China? And for malware operators, you guys are black hats: hack people. China has many, many vulnerable systems; own them and use them. VPS operators have been doing this for years; take a hint from them.

For extra kudos, and this is really cool, you guys can take a line from the NSA's Tailored Access Operations group. They use a technique called fourth-party collection, called DEFIANTWARRIOR, and essentially they penetrate while you penetrate while you're getting penetrated, right? They'll take a look at existing botnet servers and C2 servers, you know there's plenty out there, people are running Zeus botnets, people are running Pony or whatever; they hack into those, hide their botnet inside of it, and now attribution gets shifted, right? Say the botnet that you're running gets compromised, or somehow it gets discovered; there's already someone else running another botnet on that C2 server, so they're going to take the blame for it, because, oh, you're running a publicly known botnet, obviously our data is being communicated back to you, you must be at fault. That will really, really hinder the investigation process. Don't get me wrong, there's a risk associated with this technique, like the fact that your campaign might not last as long, but it really helps out in the long run, especially if they're really hot on your tail: they're going to get very distracted just by looking at the existing botnet. More comprehensive forms of penetration: perform penetration over someone else's penetration.

Again, going back to this very important key: recon matters. Intelligence in war is just the same as intelligence in cybersecurity. Extensive reconnaissance will raise the effectiveness of your operations, and this is especially true for phishing campaigns. You can't just send people "hey, click me" and you're good to go. The more tailored and the more normal you make something look, the more effective it's going to be. Recon should also be something that you perform constantly throughout your operation. You shouldn't be doing recon at the very beginning and say, okay, spear phishing is done, now we'll launch an attack. When you own a box, start performing recon from that vantage point; start performing recon from the next vantage point, and really build a solid database of information. It allows you to execute attacks much more effectively.

Another key characteristic of these campaigns has been patience. Let's look at the Stuxnet group: they waited an entire year before commencing the final part of their attack. There's a reason that many of these penetrations were able to last as long as they did, and it wasn't just from Viagra: slow and methodical movements tend to be much more pleasurable for an attacker in the long run. So tread lightly.

And anti-forensics, one of my favorites. There are some common anti-forensic techniques shared across all of these different campaigns. They utilize secure delete, shred: overwrite a file with zeros and it's suddenly nearly impossible to recover. For the Regin C2 servers, the way that they were discovered was that they were actually able to recover an image from the VPSes that they were hosting from, from the VPS provider, because they were like, hey, we noticed that these were being used in a malware campaign, can you provide us with an image of the box? And they said sure. What the C2 operators actually ended up doing, initially, was they disabled all the logs, including web server logs, so there were no logs whatsoever located on the box. You might think, but they have the image and they can sinkhole the campaign, whatever; that won't give them a history of previous clients. So say, for example, you deleted bots that you compromised earlier; they're not going to be able to trace that back, and that really hinders the investigation. Masquerade DLLs: masquerade the names or functions and inject drivers as something more legitimate than "Oh Hi, Malware Operator LLC". Hide your panel in plain sight; take it from Regin. Google dorks are
awesome; start looking for bots and you'll pretty much find a botnet panel. Don't make it so obvious. If it says "Ultimate Uber Leet Botnet", you're just as bad as the people you're pwning. Use cloud, also; it's a lot easier to hide from web crawlers.

Now we're going to talk about encryption and encapsulation. We'll take a quick look at FASHIONCLEFT, which is probably one of the coolest things that has ever come out of the NSA's Tailored Access Operations, which is their infiltration and penetration group. Basically what this protocol does is it takes a copy or a clone of a host packet, appends metadata, and redirects the copied packets to a listening post or another host, hiding. Normal traffic still goes out from the host, but at the same time, at another hop, obviously outside of your target organization, it splits off and sends the data to the C2 server. At that point the investigators can't do anything: if you start splitting information in transit, there's not a whole lot that can be done, because the device that's splitting the information is no longer in control of your target, so they can't pull the logs off of it and analysis stops. It also had a way to authenticate the data copy packets and help ensure integrity. Now, I'm sure there's not a lot of us here that have the ability to make something like that, but it's definitely something cool, and cool to think about, to see if you'd ever be able to apply similar techniques.

The key thing is: don't get frustrated, encrypt your data. HTTP communications should always be encrypted with at least SSL, no matter what. Even if you can't exfil it over 443, exfil it over 80; it'll help hide your attack no matter what. If an analyst is going to be looking at the data, all he's going to see is, oh, there's junk, random packets going over port 80. Sure, that might raise a red flag, but it's better than saying, oh, this is obviously malware data going over port 80. DNS exfiltration is sometimes easy to detect, and you'll typically see a lot of invalid requests to a single domain. Use multiple domains, split it up, and always use the right protocol for the right target. So if you see SSH traffic coming off a Windows box, that's probably not normal. Or look at a marketing user, right: they're never going to use SSH, they're probably never going to use IRC, so don't use IRC or SSH as a communication protocol. And how do you find that out? By doing your reconnaissance.

If you want to get a little more advanced, you can use other special techniques: split data exfiltration across multiple protocols. On the one hand, you'll send it out over HTTP cookies; on the other hand, you'll split a file and send the other half of the file out over IRC. That makes it a lot harder for an analyst to put the information back together and say, here's what they stole. It's a lot easier to do whenever you can provide a unique session identifier, but you have to be able to hide the fact that it's a unique session identifier. That makes sense; at that point, on your C2 server you'll just be able to rebuild them by joining the session identifiers. You can even send both pieces of information to two different servers and then reassemble it on another. And then get the most out of your /etc/hosts: change your C2 server to point at facebook.com. I mean, as the data gets sent over, it's going to be seen as a request sent to facebook.com, not a request sent to evilc2server.com. It's not 100% effective, and some automated tools might catch it, some might not, but humans make errors: a lot of times they're just going to see hostname facebook.com, okay, that's legitimate, and continue scanning on. Utilize the
weaknesses in humans, right?

Another key is to aim higher: expand the scope of your targets. The key targets that these APT groups are targeting is infrastructure. Stop looking just at clients and servers; look at routers, switches, firewalls. If you own those, you own everything, because you can completely control the flow of communication between your targets. Hit them where it hurts: source control management. I mean, look at, are they using any applications that they've developed for internal usage? Are the system administrators hosting an internal Git server, and the scripts that they're using? You should be attacking everything in your pentest; don't just focus on one thing.

And then watering hole attacks. This isn't as applicable to penetration testers, because you're restricted by anything that's in scope, but look at it. You want to look at internal services being used: internet portals, helpdesk portals, file shares. Edit those; hide your malware within those. For black hats, attack whatever: do your recon, figure out what sites and services they're using, figure out if any of them are vulnerable, own it, end of story.

And finally, get really creative with some supply chain attacks. There was a story a few years ago about a guy that targeted a system administrator during a penetration test by sending him a USB keyboard that had a keylogger hidden inside of it, and it was one of the state-of-the-art Logitech mechanical keyboards: "Thank you for being a valued Logitech customer; we've decided to send you this gift as a promotion." System administrators, everyone, loves free stuff; they're going to take advantage of it, and now all his keystrokes are being sent out. That's awesome; utilize that. Another key characteristic of these government groups is that they're intercepting routers in delivery to target locations and implanting malware before they arrive. Nope, tampering with mail is illegal, but who cares.

Also aim lower: firmware-based attacks, hard drive attacks, rootkits. They're way harder to do, but they're really incredibly awesome, and they allow for much, much longer persistence. So take a look at a program like the NSA's IRATEMONK. It's used by their Tailored Access Operations group, and it provides application persistence by targeting the MBR. At that point, even if you wipe the OS, it doesn't matter; the computer is still owned.

So the next key point is to throw them off your tail. There's a lot of pattern-based analysis that goes into identifying who an operator is; writing style gives a lot away. There's an application called the Hemingway App, where what you can do is take a block of text, paste it in, and it'll say you should probably change these. Essentially the Hemingway App looks at your writing style and says, this is way too advanced for fifth graders; you can dumb the sentence down, eliminate this, tone this down, change that around, and suddenly it doesn't look like you wrote it anymore. Change your identity: use multiple handles for multiple campaigns. Don't use your one handle for everything; that can be traced back to you. It's easy: fakenamegenerator.com, click generate, click randomize, and now you're a whole new person. And don't cross-contaminate your handles. If you have a public handle that you use for IT research, security research, whatever, hey, you'll release the advisories that you discover
over that, but if you're hacking stuff on your night job, don't use the same handle for that.

So if you guys have any questions, there's the best place to contact me, or over Jabber or Twitter. It would be after the talk, but if you guys have any questions now... [inaudible question] I will put that on my blog, but that's a great point, because people think that's like a huge red flag. The DNS server... even better, be the DNS server, because that's rarely ever detected. Even better, that goes back to the point I was saying: expand your targets, control infrastructure and you control everything, right? Questions? All right, so yeah, thanks for attending my talk, and this has been... enjoy BSides.
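Editor's addition, not part of the talk: two of the log-pattern observations above, the Moonlight Maze "eight to five Moscow time" working-hours signal and the Sykipot 15/30/32-minute check-in jitter, are easy to turn into blue-team checks. The Python below is an added example and is not code from the talk or its speaker. The firewall-style log line format, the hosts, the 203.0.113.0/24 and 10.0.0.0/8 addresses, the timestamps and the 08:00-17:00 local workday window are all constructed assumptions.

```python
"""Added example (not from the talk): two log-pattern checks drawn from the
Moonlight Maze (working hours) and Sykipot (jittered check-in) discussion.

1. beacon_cv: coefficient of variation of inter-arrival times for one
   destination. A fixed 30-minute check-in gives 0.0; the 15/30/32-minute
   jittered schedule gives roughly 0.3, so the jitter defeats a naive
   fixed-period check but is still visible to a distribution-based one.
2. likely_operator_offset: the UTC offset that places the largest share of
   events inside an assumed 08:00-17:00 local workday. Interactive operator
   traffic lands almost entirely in one window; a 24x7 beacon does not.

All hosts, addresses, timestamps and the log line format are constructed.
"""
import re
import statistics
from datetime import datetime, timedelta, timezone

# Constructed line format: "2015-03-02T00:00:00Z src=10.0.0.5 dst=203.0.113.7"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) src=(?P<src>\S+) dst=(?P<dst>\S+)"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def make_log(start, gaps_seconds, src, dst):
    """Emit len(gaps_seconds)+1 constructed lines: start, then start plus
    the cumulative gaps."""
    t = start
    lines = [f"{t.strftime(TS_FMT)} src={src} dst={dst}"]
    for gap in gaps_seconds:
        t += timedelta(seconds=gap)
        lines.append(f"{t.strftime(TS_FMT)} src={src} dst={dst}")
    return lines


START = datetime(2015, 3, 2, 0, 0, tzinfo=timezone.utc)

# Constructed sample traffic (addresses are documentation/private ranges):
# - a bot checking in every 30 minutes for 24 hours
REGULAR = make_log(START, [1800] * 48, "10.0.0.5", "203.0.113.7")
# - a bot on the 15 / 30 / 32 minute schedule the talk describes
JITTERED = make_log(START, [900, 1800, 1920] * 15, "10.0.0.6", "203.0.113.8")
# - an operator active 05:00-13:40 UTC (08:00-16:40 at UTC+3) for five days
OPERATOR = []
for day in range(5):
    OPERATOR += make_log(START + timedelta(days=day, hours=5), [1200] * 26,
                         "10.0.0.7", "203.0.113.9")
LOG = REGULAR + JITTERED + OPERATOR


def timestamps_for(lines, dst):
    """Parse the UTC timestamps of every line whose dst matches, sorted."""
    times = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("dst") == dst:
            times.append(datetime.strptime(m.group("ts"), TS_FMT)
                         .replace(tzinfo=timezone.utc))
    return sorted(times)


def beacon_cv(times):
    """Coefficient of variation (stdev / mean) of inter-arrival seconds.
    Near 0 means a fixed-period beacon; None if there are too few events."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def likely_operator_offset(times, work_start=8, work_end=17):
    """Return (utc_offset_hours, fraction): the whole-hour offset that puts
    the largest fraction of events inside [work_start, work_end) local time.
    The workday window is an assumption; ties keep the first offset found."""
    best_off, best_frac = 0, 0.0
    for off in range(-12, 15):
        hits = sum(1 for t in times if work_start <= (t.hour + off) % 24 < work_end)
        frac = hits / len(times)
        if frac > best_frac:
            best_off, best_frac = off, frac
    return best_off, best_frac


def classify(lines, dst):
    """Combine both checks for one destination into a small verdict dict."""
    times = timestamps_for(lines, dst)
    cv = beacon_cv(times)
    off, frac = likely_operator_offset(times)
    if cv is not None and cv < 0.05:
        kind = "fixed-period beacon"
    elif frac >= 0.8:
        kind = f"human working hours, likely UTC{off:+d}"
    else:
        kind = "jittered beacon or unstructured"
    return {"events": len(times), "cv": cv, "utc_offset": off,
            "workday_fraction": round(frac, 3), "kind": kind}


if __name__ == "__main__":
    for target in ("203.0.113.7", "203.0.113.8", "203.0.113.9"):
        print(target, classify(LOG, target))
```

The 0.05 and 0.8 thresholds are assumptions chosen for the constructed data; on real logs you would group by destination first, use a longer window than one day, and treat a flat hour-of-day histogram with a non-zero but bounded CV as the signature of the jittered check-in the talk describes rather than as noise.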