SNOWGLOBE: From Discovery to Attribution




[Slide 1] SNOWGLOBE: From Discovery to Attribution
Communications Security Establishment Canada / Centre de la sécurité des télécommunications Canada
CSEC CNT/Cyber CI, SIGDEV 2011, Cyber Thread
Footer on every slide: "Préserver la sécurité du Canada par la supériorité de l'information" (Preserving Canada's security through information superiority)
UNCLASSIFIED

[Slide 2] OVERVIEW (section divider). UNCLASSIFIED

[Slide 3] Overview: Discovery; Development; Victimology; Attribution; SNOWGLOBE; Questions and Comments. UNCLASSIFIED

[Slide 4] DISCOVERY (section divider). UNCLASSIFIED

[Slide 5] Discovery
Classification: TOP SECRET // COMINT // REL TO CAN, AUS, GBR, NZL, USA
- Discovered in November 2009
- Existing CNE access
  - WARRIORPRIDE as a sensor; REPLICANTFARM for anomaly detection
  - XML info from the implant
  - Signature-based detection of anomalous activity and known techniques
- Noticed: a command line creating a password-protected RAR archive, always with the same password
- Retrieved the files associated with the activity; identified unknown malware through reverse engineering
- The tool was collecting email from specific, targeted accounts; it "felt like" an FI (foreign intelligence) collection tool
- Pointed to the first discovered LP (listening post)
- Provided initial communications analysis, allowing signature deployment in passive collection

[Slide 6] DEVELOPMENT (section divider). UNCLASSIFIED

[Slide 7] Implant
Classification: TOP SECRET // COMINT // REL TO CAN, AUS, GBR, NZL, USA
SNOWBALLS
- Found and identified wmimgmt.exe and wmimgmt.dll (later called the SNOWBALL implant)
- Execution chain: creates a service -> the service loads wmimgmt.exe -> wmimgmt.exe injects wmimgmt.dll into Internet Explorer
- SNOWBALL was later upgraded to SNOWBALL 2, with very similar beaconing
SNOWMAN
- A more sophisticated implant, discovered mid-2010
- Less is known about SNOWMAN, but efforts against it continue
Note: the file names masquerade as WMI management components, and injecting into the default browser lets the beacon inherit the browser's proxy settings and blend in with ordinary IE traffic (the beacon on the next slide carries an IE 6 User-Agent).
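The two host-side behaviours on the Discovery and Implant slides (a RAR archiver run with a constant embedded password, and a service whose binary injects into Internet Explorer) are the kind of thing an endpoint rule can key on. The following is an added example, not code from the CSEC deck or from the SNOWGLOBE operators; the telemetry record layout, the use of WinRAR's command-line `-p<pw>`/`-hp<pw>` switches, and the existence of a cross-process injection event with source and target images are assumptions, and the sample records are constructed.

```python
"""Added example, not code from the CSEC deck.

Detection logic for the two host-side behaviours the Discovery and Implant
slides describe, run over constructed telemetry records:
  1. rar.exe invoked with an embedded password that recurs across hosts
     (the slide: "always the same password"), and
  2. a service whose binary is wmimgmt.exe, followed by that binary injecting
     into Internet Explorer (the SNOWBALL chain).

Assumptions not on the slides: the record field names below, that the archiver
is the WinRAR command-line tool with its -p<pw> / -hp<pw> switches, and that
an EDR exposes a cross-process injection event with source and target images.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: three hosts, one record layout.
EVENTS = [
    {"host": "wsA", "type": "process", "image": r"C:\Program Files\WinRAR\rar.exe",
     "cmdline": r'rar.exe a -phunter2 -m5 C:\Windows\Temp\~t1.rar "C:\Users\j\Documents\Outlook\*.pst"'},
    {"host": "wsB", "type": "process", "image": r"C:\Temp\rar.exe",
     "cmdline": r"rar.exe a -phunter2 C:\Temp\out.rar C:\Users\k\Desktop\mail"},
    {"host": "wsC", "type": "process", "image": r"C:\Program Files\WinRAR\rar.exe",
     "cmdline": r"rar.exe a -pS3cret! backup.rar C:\data"},
    {"host": "wsA", "type": "service", "name": "wmimgmt",
     "binpath": r"C:\WINDOWS\system32\wmimgmt.exe"},
    {"host": "wsA", "type": "inject", "source": r"C:\WINDOWS\system32\wmimgmt.exe",
     "target": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"host": "wsB", "type": "service", "name": "wuauserv",
     "binpath": r"C:\WINDOWS\system32\svchost.exe -k netsvcs"},
]

# WinRAR embeds the archive password in the switch itself: -p<pw> or -hp<pw>
# (the latter also encrypts headers), so it lands in process-creation logs.
RAR_PW_RE = re.compile(r"(?:^|\s)-(?:hp|p)(\S+)")


def basename(path):
    """Last component of a Windows path (os.path.basename is OS-dependent)."""
    return path.lower().rstrip("\\").rsplit("\\", 1)[-1]


def rar_password(cmdline):
    """Password embedded in a rar.exe command line, or None."""
    m = RAR_PW_RE.search(cmdline)
    return m.group(1) if m else None


def find_rar_staging(events, min_hosts=2):
    """Archive passwords reused across hosts -> {password: sorted hosts}.

    Keying on reuse rather than on a known string means the rule still fires
    when the operator's constant password is not yet known to the analyst.
    """
    hosts_by_pw = defaultdict(set)
    for ev in events:
        if ev["type"] != "process" or basename(ev["image"]) != "rar.exe":
            continue
        pw = rar_password(ev["cmdline"])
        if pw:
            hosts_by_pw[pw].add(ev["host"])
    return {pw: sorted(h) for pw, h in hosts_by_pw.items() if len(h) >= min_hosts}


def find_snowball_chain(events):
    """Hosts with a wmimgmt.exe service AND wmimgmt.exe injecting into iexplore.exe."""
    svc_hosts = {ev["host"] for ev in events
                 if ev["type"] == "service" and "wmimgmt.exe" in ev["binpath"].lower()}
    inj_hosts = {ev["host"] for ev in events
                 if ev["type"] == "inject"
                 and basename(ev["source"]) == "wmimgmt.exe"
                 and basename(ev["target"]) == "iexplore.exe"}
    return sorted(svc_hosts & inj_hosts)


if __name__ == "__main__":
    print("reused RAR passwords:", find_rar_staging(EVENTS))
    print("SNOWBALL chain hosts:", find_snowball_chain(EVENTS))
```

The password rule deliberately keys on a value recurring across hosts instead of on a specific string, which is how the slide's observation ("always the same password") was made before the password itself meant anything; the chain rule requires both the service install and the injection on the same host to keep a lone WMI-named binary from firing it.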

[Slide 8] SNOWBALL Beacons
Classification: TOP SECRET // COMINT // REL TO CAN, AUS, GBR, NZL, USA
Screenshot of an annotated beacon. The visible beacon content reads "crc=<hex checksum> <size> flag <URL-encoded blob>"; the blob in the screenshot is several hundred characters of base64-like text with %2F and %2B escapes and is not reproduced here.
Annotations on the beacon:
- crc=: a 32-byte checksum
- Second field: beacon size in bytes
- Description field; values can be: flag, segment, len
Meaning/decrypt (decrypted beacon content):
- Login/Domain (owner): SYSTEM/AUTORITE NT (user) (AUTORITE NT is the French-locale rendering of NT AUTHORITY)
- Computer name: EXPORT
- Organization (country): (France)
- OS version (SP): 5.1 (Service Pack 3), i.e. Windows XP SP3
- Default browser: iexplore.exe
- IE version: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
- Timeout: 360 (min) 480 (max)
- First launch: 07\30\2009 12:29:37
- Last launch: 11\20\2009 10:32:42
- Mode: Service
- Rights: Admin
- UAC: N/A
- ID: 08184
- User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)

[Slide 9] Passive Collection
Classification: TOP SECRET // COMINT // REL TO CAN, AUS, GBR, NZL, USA
EONBLUE
- Global access capability deployed across collection programs, including SPECIALSOURCE and CANDLEGLOW (FORNSAT)
- Provides passive cyber-threat detection
- Allowed us to find additional infrastructure by using signatures for known SNOWGLOBE beacons
Traditional
- As always, a huge asset
- With passive access, we were able to see an operator log in to an LP
- Single-token authentication + weak hash = breakthrough: seeing the operator log in once provided enough to get into the LPs for ourselves
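The "single-token authentication + weak hash" line is the whole lesson of this slide: when the only thing the LP checks is a fast, unsalted hash of a password, a single login seen in transit can be replayed as-is or cracked offline. The deck does not say which hash or protocol the LP used, so the following added example (not code from the deck or from the LP) assumes unsalted MD5 sent as the sole token purely for illustration, and shows beside it the challenge-response design under which the same observed transcript buys an eavesdropper nothing; the word list and salt are constructed.

```python
"""Added example, not code from the CSEC deck.

Why "single-token authentication + weak hash" was a breakthrough: if the only
credential the LP checks is a fast, unsalted hash of a password, one observed
login is enough to (a) replay the token as-is or (b) recover the password
offline. The deck does not say which hash or protocol the LP used; unsalted
MD5 over a plain POST is ASSUMED here for illustration, and the
challenge-response variant is the contrast, not something the deck describes.
"""
import hashlib
import hmac
import secrets


# --- Assumed weak scheme: the client sends md5(password) as its only token. ---

def weak_login_token(password):
    """Unsalted MD5 of the password, sent as the login token."""
    return hashlib.md5(password.encode()).hexdigest()


def weak_verify(stored_token, presented_token):
    """The LP compares what it stored against what it received. Nothing else."""
    return hmac.compare_digest(stored_token, presented_token)


def crack_observed_token(observed_token, wordlist):
    """Offline dictionary attack on a token seen once in passive collection."""
    for candidate in wordlist:
        if weak_login_token(candidate) == observed_token:
            return candidate
    return None


# --- Contrast: per-session challenge over a slow, salted key derivation. ---

def derive_key(password, salt):
    """Slow salted derivation: a captured response cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def challenge():
    """Fresh per-login nonce chosen by the server."""
    return secrets.token_bytes(16)


def respond(key, nonce):
    """Client proves key possession for THIS nonce only."""
    return hmac.new(key, nonce, hashlib.sha256).hexdigest()


def cr_verify(key, nonce, response):
    return hmac.compare_digest(respond(key, nonce), response)


def demo():
    """Run both schemes against one passively observed login; return the outcomes."""
    wordlist = ["123456", "password", "snowglobe", "lp-admin"]   # constructed
    observed = weak_login_token("snowglobe")        # what the observer sees once
    replayed_ok = weak_verify(observed, observed)   # replaying the token logs in
    recovered = crack_observed_token(observed, wordlist)   # and the password falls

    key = derive_key("snowglobe", b"constructed-salt")
    n1, n2 = challenge(), challenge()
    r1 = respond(key, n1)                  # the transcript the observer sees
    fresh_ok = cr_verify(key, n1, r1)      # legitimate login succeeds
    replay_ok = cr_verify(key, n2, r1)     # same response against a new nonce fails
    return {"replayed_ok": replayed_ok, "recovered": recovered,
            "fresh_ok": fresh_ok, "replay_ok": replay_ok}


if __name__ == "__main__":
    print(demo())
```

The contrast is deliberately narrow: challenge-response alone does not stop an attacker who already holds the derived key, and it does nothing for the passive-collection case if the server's stored keys leak, but it does remove the property the slide exploited, namely that one observed login is itself a usable credential.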

[Slide 10] Infrastructure
Classification: TOP SECRET // COMINT // REL TO CAN, AUS, GBR, NZL, USA
- Most infrastructure hosted in FVEY nations. Hosting countries seen: US, Canada, UK, Czech Republic, Poland, Norway
- Two types of infrastructure:
  - Parasitic: an outbase.php or register.php LP nested in a directory under the root domain. Unsure whether this infrastructure is acquired via exploitation, some sort of special-source access, or a combination of the two. This type is found primarily, but not exclusively, on French-language sites.
  - Free hosting: an outbase.php or register.php LP directly under the root.
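The Beacons slide and this Infrastructure slide together give enough shape for a passive signature of the kind EONBLUE was fed: a body carrying `crc=<checksum>`, a size field, a description field (`flag`, `segment`, `len`) and a URL-encoded blob, posted to an LP script named `outbase.php` or `register.php`, with the LP's path depth telling parasitic from free-hosting nodes. The following is an added example, not code from the CSEC deck or from the implant; it assumes the beacon is an HTTP POST, that the four fields are whitespace-separated in that order, that the size field counts the blob, and that the blob is URL-encoded base64 (the `%2F`/`%2B` escapes visible in the screenshot are `/` and `+`). It does not decrypt the blob, since the deck gives no cipher, and the sample requests are constructed.

```python
"""Added example, not code from the CSEC deck.

A passive-collection style signature for SNOWBALL beacons, built only from what
the Beacons and Infrastructure slides show: a body carrying crc=<checksum>, a
size field, a description field (flag/segment/len) and a URL-encoded blob, sent
to an LP script named outbase.php or register.php by an implant whose
User-Agent mirrors IE 6 on Windows XP.

Assumptions not on the slides: the beacon is an HTTP POST; the four fields are
whitespace-separated in that order; the size field counts the blob; the blob is
URL-encoded base64. The blob is NOT decrypted (the deck gives no cipher).
Sample requests are constructed, not captured.
"""
import base64
import binascii
import re
from urllib.parse import quote, unquote, urlsplit

LP_SCRIPTS = {"outbase.php", "register.php"}      # LP script names from the slide
UA_SEEN = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; "
           ".NET CLR 1.0.3705; .NET CLR 1.1.4322)")   # User-Agent from the beacon slide
# Assumed body grammar: crc=<hex> <size> <flag|segment|len> <url-encoded blob>
BODY_RE = re.compile(r"^crc=([0-9a-fA-F]{32,})\s+(\d+)\s+(flag|segment|len)\s+(\S+)$")


def parse_beacon(body):
    """Split a beacon body into its fields, or return None if it does not fit."""
    m = BODY_RE.match(body.strip())
    if not m:
        return None
    crc, size, kind, blob = m.groups()
    raw = unquote(blob)                       # undo %2F / %2B / %3D escapes
    try:
        decoded = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return None
    return {"crc": crc.lower(), "size": int(size), "kind": kind,
            "blob_len": len(raw), "decoded_len": len(decoded)}


def match_beacon(req):
    """req: {method, url, headers, body}. Return an alert dict or None."""
    if req["method"].upper() != "POST":
        return None
    u = urlsplit(req["url"])
    if u.path.rsplit("/", 1)[-1].lower() not in LP_SCRIPTS:
        return None
    fields = parse_beacon(req["body"])
    if fields is None:
        return None
    return {
        "lp_host": u.hostname,
        "lp_path": u.path,
        # Slide: parasitic LPs sit in a subdirectory of a compromised site,
        # free-hosting LPs directly under the root.
        "parasitic": u.path.count("/") > 1,
        "ua_match": req["headers"].get("User-Agent") == UA_SEEN,
        "size_ok": fields["size"] == fields["blob_len"],
        **fields,
    }


def scan(requests):
    """Run the signature over requests; each alert names a candidate LP."""
    return [a for a in (match_beacon(r) for r in requests) if a]


# Constructed blob: 48 bytes -> 64 base64 chars, URL-encoded like the screenshot.
_blob = quote(base64.b64encode(b"constructed, not ciphertext:" + bytes(range(20))).decode(),
              safe="")

SAMPLE_REQUESTS = [  # constructed, not captured traffic
    {"method": "POST", "url": "http://free-host.example/outbase.php",
     "headers": {"User-Agent": UA_SEEN}, "body": f"crc={'0' * 32} 64 flag {_blob}"},
    {"method": "POST", "url": "http://blog.example/wp-content/uploads/register.php",
     "headers": {"User-Agent": "curl/7.0"}, "body": f"crc={'ab' * 16} 10 segment {_blob}"},
    {"method": "GET", "url": "http://free-host.example/outbase.php", "headers": {}, "body": ""},
    {"method": "POST", "url": "http://shop.example/index.php",
     "headers": {"User-Agent": UA_SEEN}, "body": f"crc={'0' * 32} 64 flag {_blob}"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```

The signature keys on the body shape and the LP script name rather than on the User-Agent, because the User-Agent is whatever the victim's default browser reports and will differ across victims; the `ua_match` and `size_ok` fields are carried as confidence indicators, and `lp_host` is what the slide means by finding additional infrastructure from known beacons.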


[Slide 12] Infrastructure: C2 (the slide is a screenshot with no transcribable text)

[Slide 13] Infrastructure: C2
Classification: TOP SECRET // COMINT // REL TO CAN, AUS, GBR, NZL, USA
Screenshot of the C2 web interface, titled "Repository 1.3.1"; the remaining screenshot text did not survive extraction.

[Slide 14] VICTIMOLOGY (section divider). UNCLASSIFIED

[Slide 15] Victimology: Iran
Classification: TOP SECRET // COMINT // REL TO CAN, AUS, GBR, NZL, USA
- Iranian MFA (Ministry of Foreign Affairs)
- Iran University of Science and Technology
- Atomic Energy Organization of Iran
- Data Communications of Iran
- Iranian Research Organization for Science and Technology
- Imam Hussein University
- Malek-E-Ashtar University

[Slide 16] Victimology: Global
Classification: TOP SECRET // COMINT // REL TO CAN, AUS, GBR, NZL, USA
Five Eyes
- Canada: possible targeting of a French-language Canadian media organization
Europe
- Greece: possibly associated with the European Financial Association
- France
- Norway
- Spain
Africa
- Ivory Coast
- Algeria

[Slide 17] ATTRIBUTION (section divider). UNCLASSIFIED

[Slide 18] ntrass.exe
Classification: TOP SECRET // COMINT // REL TO CAN, AUS, GBR, NZL, USA
- ntrass.exe: a DLL loader uploaded to a victim as part of tasking seen in collection
- Internal name: Babar
- Developer username: titi
- Babar is a popular French children's television show
- Titi is a French diminutive for Thierry, or a colloquial term for a small person

[Slide 19] Attribution: Language
Classification: TOP SECRET // COMINT // REL TO CAN, AUS, GBR, NZL, USA
- "ko" (kilo-octet) used instead of "kb": a quirk of the French technical community
- English used throughout the C2 interface, BUT phrasing and word choice are not typical of a native English speaker; an attempt at obfuscation?
- Locale option of an artifact within the spear-phishing attack set to "fr_FR"

[Slide 20] Attribution: Intelligence Priorities
Classification: TOP SECRET // COMINT // REL TO CAN, AUS, GBR, NZL, USA
- Iranian science and technology; notably the Atomic Energy Organization of Iran and nuclear research
- European supranational organizations: European Financial Association
- Former French colonies: Algeria, Ivory Coast
- French-speaking organizations/areas: French-language media organization
- Doesn't fit a cybercrime profile

[Slide 21] SNOWGLOBE (section divider)

[Slide 22] SNOWGLOBE
Classification: TOP SECRET // COMINT // REL TO CAN, AUS, GBR, NZL, USA
CSEC assesses, with moderate certainty, SNOWGLOBE to be a state-sponsored CNO effort put forth by a French intelligence agency.

[Slide 23] SNOWGLOBE Program
Classification: TOP SECRET // COMINT // REL TO CAN, AUS, GBR, NZL, USA
- C2 nodes worldwide (including Canada, US, UK): free hosting and compromised hosts
- 3 implants: SNOWBALL 1, SNOWBALL 2, SNOWMAN
- Victims in Spain, Greece, Norway, France, Algeria, Côte d'Ivoire, with an intense focus on Iranian science and technology organizations
- Likely French intelligence; specific agency unknown

[Slide 24] What We Don't Know
Classification: TOP SECRET // COMINT // REL TO CAN, AUS, GBR, NZL, USA
- Any persona details
- How they get their non-free LPs: exploitation? special source?
- Last hop (operator to infrastructure): believed to be Tor-based
- Which agency within the French intelligence community might be responsible, and who's driving the intelligence requirements
- Efforts against the SNOWMAN crypt continue

[Slide 25] QUESTIONS AND COMMENTS. UNCLASSIFIED