By: Nick Biasini, Craig Williams
While threats like ransomware are steadily increasing because of their profitability and stealth, more traditional threats still exist for threat actors that fear no repercussions. The actors behind SSHPsychos are a great example of how old, well-understood vectors can still be dangerous when the threat actor seems to have little to no regard for stealth or operational security and no fear of reprisal.
In today's threat economy, there's tons of money to be made by compromising systems. With the growth of bitcoin and the adoption of anonymizing networks like Tor, adversaries can quickly collect their ill-gotten gains while remaining largely anonymous, with few middle men in the path. This allows the adversary not only to get money quickly, but also to monetize to the fullest extent without having to give portions away. We will spend a little time discussing each of these threats in detail, including how they have evolved over the last six months.
In order to protect networks and end users from today’s threat actors, it is important for communications service providers to better understand the biggest threats in the last few months: the Angler Exploit Kit, ransomware, and the SSH Psychos.
Earlier this year, Cisco singled out the Angler Exploit Kit as the one to watch among known exploit kits observed in the wild because of its innovative use of Flash, Java, Microsoft Internet Explorer, and Silverlight vulnerabilities. In 2015, Angler stands as the leader in exploit kit sophistication and effectiveness. The exploit kit’s authors’ recent concentration on, and quick work to take advantage of, vulnerabilities in Adobe Flash is an example of their commitment to innovation. On average, 40 percent of users who encounter an Angler Exploit Kit landing page on the web are compromised. This means Angler can identify a known Flash (or other) vulnerability that it can exploit. It then downloads the payload to the user’s machine.
Angler authors have also taken an interesting approach to the exploit kit’s landing page. Historically these landing pages consisted largely of random strings of text. Angler authors have changed that drastically by incorporating text from Jane Austen’s Sense and Sensibility into web landing pages. Adding passages of classic text to an exploit kit landing page is a more effective obfuscation technique than the traditional approach of using random text. Antivirus and other security solutions are more likely to categorize the web page as legitimate after “reading” such text.
Adversaries have employed two key strategies for driving users to the exploit kit: malvertising (malicious online advertising) and malicious iFrames embedded in random compromised websites. Together these strategies create a consistent stream of web traffic to these pages.
Evasion is a key differentiator in allowing Angler to compromise users effectively. “Domain shadowing” is one example of an evasion technique its authors have recently employed. Domain shadowing is a technique in which the exploit kit’s operators compromise a domain name registrant’s account, register subdomains under the legitimate domain, and then use those subdomains to serve the exploit kit to users.
In addition to domain shadowing, the Angler Exploit Kit uses multiple IP addresses to make detection more difficult. The number of IP addresses in use varies widely, from a handful (fewer than five) to as many as 30 in a given day. Angler usually delivers an encrypted payload, which is often the ransomware variant CryptoWall. If not initially blocked, this payload can be identified only retrospectively, and time to detection of the threat can take days.
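The two evasion techniques described above, shadowed subdomains and rotating IP addresses, leave a pattern in DNS resolution logs that a defender can hunt for: many previously unseen subdomains under one legitimate domain that resolve to hosting blocks the apex never uses. The following is an added example (not code from the original post or from Cisco) of such a heuristic; the log format, the /24 “same hosting block” rule and the thresholds are assumptions chosen for illustration, and the sample log lines are constructed.

```python
from collections import defaultdict

# Constructed sample resolution log: "<seq> <queried name> <resolved IP>".
# The throwaway-looking subdomains of example.com resolve to a block the
# apex and www records never use, mimicking a shadowed domain (assumption).
SAMPLE_LOG = """\
1 www.example.com 203.0.113.10
2 example.com 203.0.113.10
3 mail.example.com 203.0.113.11
4 abf3.example.com 198.51.100.7
5 kz91q.example.com 198.51.100.7
6 p0s7.example.com 198.51.100.22
7 qwe8x.example.com 198.51.100.30
8 www.shop.test 192.0.2.5
9 blog.shop.test 192.0.2.5
"""

def parse_log(text):
    """Yield (name, ip) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[1].lower().rstrip("."), parts[2]

def base_domain(name):
    """Naive registrable-domain split: last two labels (no public-suffix list)."""
    return ".".join(name.split(".")[-2:])

def in_apex_block(ip, apex_ips):
    """True if ip shares a /24 with any IP the apex or www record resolves to."""
    return any(ip.rsplit(".", 1)[0] == a.rsplit(".", 1)[0] for a in apex_ips)

def find_shadow_candidates(text, min_subdomains=3, min_foreign_ips=2):
    """Return {base_domain: sorted foreign IPs} for domains whose subdomains
    resolve to several IPs outside the apex's hosting block."""
    apex_ips = defaultdict(set)   # base -> IPs used by the apex or www record
    sub_ips = defaultdict(dict)   # base -> {subdomain: set of resolved IPs}
    for name, ip in parse_log(text):
        base = base_domain(name)
        if name == base or name == "www." + base:
            apex_ips[base].add(ip)
        else:
            sub_ips[base].setdefault(name, set()).add(ip)
    flagged = {}
    for base, subs in sub_ips.items():
        # A subdomain is "foreign" when none of its IPs sit in the apex block.
        foreign_subs = {s: ips for s, ips in subs.items()
                        if not any(in_apex_block(ip, apex_ips[base]) for ip in ips)}
        foreign_ips = {ip for ips in foreign_subs.values() for ip in ips}
        if len(foreign_subs) >= min_subdomains and len(foreign_ips) >= min_foreign_ips:
            flagged[base] = sorted(foreign_ips)
    return flagged
```

Run against real resolver logs, the thresholds should be tuned per environment and the naive two-label split replaced with a public-suffix lookup, otherwise CDN-hosted subdomains will produce noise.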
In today’s flourishing malware economy, cryptocurrencies like bitcoin and anonymization networks such as Tor are making it even easier for miscreants to enter the malware market and quickly begin generating revenue.