CyberWire Daily - Stormy weather in the Office 365 cloud. [Research Saturday]
Episode Date: October 20, 2018
Security firm Lastline recently took a close look at threats to the Office 365 cloud environment, taking advantage of the insights they gain protecting their clients. Andy Norton is director of threat intelligence at Lastline, and he joins us to describe their findings. The research can be found here: https://www.lastline.com/blog/malspam-malscape-snapshot-malicious-activity-in-the-office-365-cloud/
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
We typically, as the name might give it away, are often the last line of checks that an object or a
URL or a file might go through before being delivered
to the ultimate recipient. That's Andy Norton. He's the Director of Threat Intelligence at Lastline.
The research we're discussing today is titled Malscape Snapshot, Malicious Activity in the
Office 365 Cloud. Andy Norton co-authored the research with his colleague Stefano Ortolani.
Many of our customers have been migrating over to email cloud environments. So basically what
initiated this research was a number of malicious detections that we were seeing for our customers
that are using the Office 365 cloud. So that was basically the reason why we
did some investigation into the type of threat that we were seeing. And there's some history here,
looking at Office 365 mailboxes. This is a prime target. Yeah, absolutely. I think not only is sort
of, you know, the adoption of cloud email becoming very prevalent. But that also goes hand in hand
with the fact that email credentials are often sort of the crown jewels or the keys to the kingdom.
So people targeting the theft of email credentials in the cloud environment,
it has become one of the most common types of attacks that we're seeing.
Now, just from a basic descriptive point of view, can you tell us what is mal-spam?
Mal-spam is basically unsolicited email that is non-targeted in nature. So there's an element
of it being bulk, but the payload is malicious and leads to further risk on behalf of the organization.
So spam itself might just be a delivery of a website for pharmaceuticals, or it could be
something for dating, but there's no potential for that threat to migrate to an intrusion.
With mal-spam, if the user interacts with that email,
there is a potential for someone to place a malicious object, to steal data, and to actually come back
and look to do further harm to that organization.
So mal-spam takes infections
and gives the propensity to lead to a full-on intrusion.
But again, it's sort of a shotgun approach. They're not targeting individuals, they're
sending out to a broad range of people out there. Yes, we do see them going to numbers of
organizations. What is interesting about it though is in order for it to be successful, a lot of the attributes of the spam need to be morphed in one way or another.
So whilst they are not targeting individuals, the file that gets sent will be unique.
The hash of the URL will be unique.
The IP address of the command and control infrastructure will be
one-time use disposable. So they've sort of taken some of the inherent strengths of targeted attacks
and they've developed it for a more broader audience. Well, let's dig in here to what you've
found. A lot of what you're dealing with here started with TrickBot and GandCrab. Can you take
us through what's going on with these?
Yeah, so what we see now is the attacks themselves have sort of multiple warheads,
for want of a better description. They're not sort of single, one-shot attacks. So TrickBot
is the element of the infrastructure of the attack that allows for secondary payloads to be delivered onto
the system. And in this particular attack, it was a ransomware payload, GandCrab version three,
that was put onto the system, or was the final payload. I think one of the interesting things
about this type of attack is that we are very much drawn to the ultimate visibility that the
threat has with us. So there's very much, you know, the user, the organization would visibly
see the ransomware note of the GandCrab payload, but would be unaware of the other type of modules
that TrickBot was also putting into the system. Let's dig into that some. Can you describe to us what's going on?
Sure. So what we see happening is that the first element, TrickBot, will put probably a password
stealing or data theft banking Trojan element onto the system that immediately steals all of the web passwords, email passwords, Windows local credentials, and exfiltrates them,
and then installs the ransomware payload. So when the organization comes to remediate,
the best advice you get for remediation with ransomware is to either restore from the last
known good backup or do a re-image of the system.
So the organization then goes through that incident response process
and brings back the system to a clean state.
However, the actual other intent of the attack was to exfiltrate the usernames and passwords,
and it allows that organization to be vulnerable from a secondary attack,
which would be credential-led.
So it's sort of almost ransomware as misdirection.
Exactly. And I'm certain that with other campaigns that that is the goal.
It's actually to distract the organization or convince the organization to apply an inappropriate incident response.
Now, some interesting notes about TrickBot, about the way that it formats its messages.
There's a pattern here and sort of a social engineering element to the way they get people's attention.
Yes. So there's two aspects to this.
So firstly, we have disparity in the way that we protect ourselves from attacks to study the genetics of executable files
and now are applying very strong levels of security to .exes. But what you'll find is that
prevention won't actually solve the problem of cybercrime. It actually will change the problem.
And that's why we're seeing now more file types in use.
People are moving away from the reliance on a .exe to be part of the attack.
So with TrickBot, they used basically JavaScript files,
which are prevalent in every web page
or an awful lot of emails with attachments
have JavaScript built into them.
And then it was able to, once the user interacted with the JavaScript,
launch a PowerShell script, which again has been default installed on Windows
since Windows 7, which then goes and gets the payload.
And the other thing that was interesting about this was it wasn't sort of,
the theme wasn't really, you know, work related. It wasn't, you know, HR related. Here's my CV.
It wasn't finance related. You know, here's my, you know, purchase order or my invoice.
It was actually targeting the individual's personal life. So it was like, you know,
here's a new picture of you. You know, how could you take this picture of me? So it was very much structured around sort of the personal life of the victim.
Right, and a certain amount of vagueness to them as well,
to, I guess, spark someone's curiosity.
Exactly.
Yeah.
Also interesting, I thought, was the file name structure.
They use a .jpg.zip.
I think certainly most people consider a .jpg,
I think most people think about it as being comparatively benign.
Indeed.
Again, it's sort of a double bluff
because the actual file extension is the zip.
Right.
The other thing that's interesting is it looks like the file name
is sort of structured in the way that a digital
camera might take a photo and give it a unique identifier. Right. So if the message says,
I'm about to publish this photo and the file structure looks like something you'd be accustomed
to with a photo, again, another way to lure you in. Exactly. It's just improving their click rate.
Right. So one of the things you dug in here was this notion of how Microsoft handles
false positives and false negatives. Can you take us through that?
Yeah. So I think it's not just specific to Microsoft. I think it's anyone that
is operating email services, whether that
be on-premise or in the cloud. And essentially, it's always been sort of a guiding rule with email,
which is not to cause an undue amount of false positives. And that's because if you quarantine
a business-critical email, or if you delete a business-critical email,
that can have extremely high business impact on an organization of the level of suffering a
malicious infection and a subsequent intrusion. So email providers tend to be less tolerant of
false positives. And of course, that induces the fact that you can get false negatives. So you do
get malicious things coming through simply because they're sitting in that gray area.
And the email provider doesn't want to quarantine or block the email from traveling to the user,
to the recipient. Yeah. Now the GandCrab malware here, you discussed version two and three,
and ways that they made themselves undetectable.
Can you describe that for us?
Yeah, so GandCrab is being actively developed.
We've now moved on to a version 4.
And to some extent, this links back to the executable argument of it being a weak link in the attacker's campaign.
So GandCrab uses a reflective loading technique,
and this is also relevant to attacks which live off the land.
So instead of it trying to put a new file onto the disk of the system,
which would initiate an antivirus scan,
it loads itself into a known good system file and operates from there. So that
as far as AV checks are concerned, it's possibly whitelisted or known good file, which is running
on the system. So there is no new file for AV to inspect. And it has a pretty broad range of
capabilities. Yes, indeed. There were a number of capabilities. So we identify capabilities as behaviors.
So whilst you can polymorph many, many aspects of an attack, what you can't do is change the
underlying nature of it. And those natures are displayed in terms of behaviors. The way that it wanted to run on the system was very evasive.
It was able to make changes to the system.
Of course, it wanted to communicate back to its command and control,
so there were a number of different behaviors associated with it.
What's important to point out there is identifying those behaviors
is very important to doing the correct triage of a particular attack.
What you'll see is because AI has been so involved from doing static analysis, the byproduct of that is extremely generic naming nomenclature for those threats. So you'll see things like unsafe or malware confidence 100 or
Trojan generic or file rep malware, which is great, but it doesn't help the security analyst
apply an elevated level of incident response to attacks which do steal credentials or do
log into Outlook and start sending mails. So behavior is very important.
Behavioral analysis is very important for making sure that once you get to a threat,
you make sure there is no possibility of it coming back and doing harm in the future.
Now, another thing that you looked at in your research here was the Emotet mal-spam.
Describe to us what you found here.
Yeah, so Emotet is a very successful payload campaign that we see not just in Office 365,
but across all vertical industries. It's constantly updating the way that it manages
to infect systems. We're going to release some research in the future.
So we think blacklisting or list-based or threat intel-based security
is about 50% effective at stopping Emotet.
Again, it is a modular system.
So the way that one organization would remediate Emotet
might be very different to another organization
because you might get different modules. Emotet was the attack which recently took out the Mat-Su
government in Alaska. It's, I think, like 500 machines. It's cost them over a million dollars
to remediate. One of the things that Emotet is additionally able to do is bring in a third-party payload. And again, it brought in a ransomware payload.
And this could be to prevent the incident responders from doing correct remediation of the
full capability of the attack. So what are the take-homes for you? What are the lessons that
we've learned from this research? I think specifically here, two-factor
authentication is becoming more and more important. It very much should be the go-to
safeguard for protecting credentials. Once you've got someone's email username and password,
you can get into many, many different systems. For example, if you have my Gmail password and you use my credential
to log into Amazon and Amazon says, what's the password? And you don't know what it is. You can
force a code to be sent to my email account, which will then allow you to log into my Amazon
and buy things in my name. So having two-factor authentication stops a lot of those channels
for harm. Also, one of the other things which has become outdated is a best practice.
And it says, do not open attachments from someone you don't know. It assumes that it's okay to open
attachments from someone you do know. And we need to move beyond this advice now. It's easy to spoof
someone's address. It's easy to do account takeover. If you have got their username and
password, you are effectively those people. So the best advice now is trust no URL or attachment.
Organizations should provide a level of behavioral analysis that scans all URLs
and all attachments before being delivered to the recipient and take the burden of security away
from the user and put it back on the technology. And then the final thing, which is apply,
stick with it. It's been used in enterprise and internal networks for a long time now, which is defense in depth.
Use multiple different types of technologies so it's broad and also use a number of different vendors or makers so that you don't build in a blind spot or a weakness into the security.
So that best practice needs to translate to the cloud, not just internal networks.
So if you are using Office 365, the bad guys will also have accounts, test accounts.
They will be checking to see whether their malware is able to subvert existing Microsoft defenses. So you will need third-party add-ons if your level of risk warrants ensuring that the data you have remains confidential, integral, and available when you need it.
Yeah, I'm intrigued by one of the things you have here in your research, which is this notion of detonating everything that comes through.
It's certainly an evocative notion. Can you describe to us, what do you mean by that?
Okay, so basically detonating means getting the URLs and attachments to reveal their intent in an instrumented environment, which we could liken to a detonation chamber. So we put the
object in, we want to see what it does, so we encourage the file to carry out all of its actions inside an instrumented environment.
Once we see that, we then know what will happen to the actual user's device if we release this file.
So we can say, okay, well, this is doing reflective loading.
This is sending your Windows credential to a site in the cloud somewhere.
It is trying to detect sandboxes.
It's trying to shut down the antivirus from getting updates.
Those behaviors, we don't want to release this object into the internal environment.
So that's the idea behind detonation.
Calling in the bomb squad ahead of time.
Exactly.
Yeah. And then so from a user's point of view, they get the all clear that this file, this link, whatever it might be,
has been through a certain level of scrutiny before it's even hit my mailbox.
That's exactly right. Yeah. So we're taking the burden of having cyber resilience away from the user and we're putting it into technology where there can be no debate about whether a
file is good or bad. It reveals its intention in the instrumented environment. I think we're very
much under pressure. I think security analysts have a tough job knowing how to remediate correctly. I think prevention, whilst it is an ideal solution, will just change the problem and the bad guys will come up with new ideas.
on behalf of the bad guys, I think we do need to adopt better technology and better best practices.
So I think if we can get those three messages across, I think it's been worthwhile doing.
Our thanks to Lastline's Andy Norton for joining us.
The research is titled Malscape Snapshot, Malicious Activity in the Office 365 Cloud.
We'll have a link in the show notes. You can also find it on the Lastline website.
The CyberWire Research Saturday is proudly produced in Maryland
out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard,
Peter Kilpie, and I'm Dave Bittner. Thanks for listening.