Cisco Security is honoured to be a supporting partner for the Black Hat USA 2019 Network Operations Center (NOC) for the third year; joining conference producer Informa Tech (formerly UBM) and its other security partners: RSA Security, Palo Alto Networks, Ruckus, CenturyLink and Gigamon. Cisco provided DNS visibility and architecture intelligence with Cisco Umbrella and Cisco Investigate; and automated malware analysis and threat intelligence with Cisco Threat Grid, backed by Cisco Talos Intelligence and Cisco Threat Response.
Like other Black Hat conferences, the mission of the NOC is to build the conference network that is secure, stable and accessible for the training events, briefings, sponsors and attendees. This requires a robust connection to the Internet (CenturyLink and Gigamon), firewall protection (Palo Alto Networks), segmented wireless network (Ruckus) and network full packet capture & forensics and SIEM (RSA NetWitness); with Cisco providing cloud-based security and intelligence support. The trainers, briefers and sponsors need to be able to access and demonstrate malicious code and network activity; without infecting attendees or other networks, or experiencing an outage. It is a balancing act that the NOC team enjoys creating at each conference.
Black Hat USA 2019 activity in the NOC was exciting from the first day and it never let up through the week. NOC leaders Neil Wyler (@grifter801) and Bart Stump (@thestump3r) give an out briefing at the end of each conference, on some of the highlights of the security incidents and network metrics; and the security partners each have the ability to blog about some of their findings, with the approval of Black Hat public relations.
Use https and VPNs…
Part of the NOC mission is to protect the users from themselves and to educate the community. On the first day of operations, a PDF was sent to the Threat Grid malware analysis platform from NetWitness. In the thumbnails of the live analysis, I saw what appeared to be a Wells Fargo mortgage statement. I clicked into the Glovebox where the live file could be examined.
The RSA NetWitness and Palo Alto Networks (PAN) Firewall teams were alerted. The PAN team found the .PDF file was downloaded over port 80 to a training class room from a platform that allowed a user to setup a private Dropbox/Box type shared folder in the cloud. However, https was not enabled and all of the data transfer was in the clear. The RSA team was able to reconstruct the packets and observe the plaintext password. With the mortgage account information, the PAN team was able to find the Twitter and PhotoBucket accounts of the user on the Internet and their information security business.
With this information, the PAN team was authorized by the NOC leadership to put up a captive portal for the user, to warn them the next time they connected to the network, that they were passing personal information in the clear. The user saw the warning and clicked through it, without changing their security settings. So, the NOC leader Neil was briefed and went to the classroom to personally inform the student the extent of the personal data and passwords that were being transmitted in the clear. It became a humorous highlight of the conference out briefing.
In a related incident, a user was sending sensitive human resources files in clear text emails. Using the same investigative techniques, the RSA and PAN teams were able to identify the user by name and classroom, and the NOC leadership went to advise them to change the setting on their Outlook email account from http to https.
Lessons learned: Use https and a VPN on a public Wi-Fi network.
So many unique malware samples
There were a number of malware classes that required executables to be downloaded. They were extracted by the NetWitness Packets Malware Analysis and sent to Threat Grid for automated analysis, if the hash has never been seen before…in other words it de-duplicates the files before submission to Threat Grid.
We could see the peaks in the submissions during the training days.
For example, several Metasploit Framework toolkits were downloaded with unique hash values. Metasploit is a collection of tools, exploits and payloads to assist in offensive security exercises. It has a wide variety of payloads that provide remote access capabilities to targets once access has been gained via exploitation of commonly used software. These payloads can be exported to portable executables which can in turn be used to infect machines without requiring initial exploitation.
We also saw the activity of a command shell class, with dozens of unique hash values, illustrating how easy it is to create new files to escape 1-1 hash detection.
Between midnight and 1am on the 2nd day of training, a data exfiltration class came online and downloaded dozens of unique hash exploit kits with random alpha-numeric names.
We also saw a number of instances where Potentially Unwanted Application (PUA) Dealply (also known as Ikarus) was slipped into installers. It is a newer PUA that is in a family of adware that gets distributed through freeware programs and software bundlers. Once installed, Dealply shows advertising pop-ups in the web browser, prompts the user to install fake software updates, modifies default browser settings, and may also collect and transmit various marketing-related information about the user. Dealply was found to be included in packages such as camstudio_0127815701.exe, Setup_ImgBurn_2.5.8.0_dlm_1629102111.exe, idafree50_2113446264.exe and (Hydra) setup_1540910788.exe.
For the first time at Black Hat USA, captured webpage notifications to users who connected to the BH network and were found to be infected with malware. The notifications were done by moving affected users into a group within the PAN Firewall.
Will trade cryptomining for porn
The NOC team also is now alerting users whose devices are seen communicating with cryptomining domains and/or passing clear text passwords. If the attendee wants to cryptomining, that is fine; however, some sites do so without consent.
We saw many cryptomining domains during the conference. However, on the last day of the trainings, I noticed a unique domain that was flagged as both Pornography and Cryptomining.
Source: blogs.cisco.com
