The end of 2016 saw the return of a familiar attack campaign that wipes the disk of any infected computer. Dubbed Shamoon 2, it appears to related to the 2012 Shamoon campaign that targeted an organization in Saudi Arabia and made use of a disk wiper called DistTrack. Disttrack is a multipurpose tool that exhibits worm-like behavior by attempting to spread to other systems on a local network using stolen administrator credentials. More importantly, its claim to fame is the ability to destroy data and to render infected systems unusable. The attack four years ago resulted in 30,000 or more systems being damaged to oil company Saudi Aramco. Shamoon 2 was scheduled to execute its wiping activities on November 17, 2016. No one has identified the threat actors behind either the original attack campaign or this new one, but the they appear to have targeted a second Saudi Arabian organization, with the payload set to execute on November 29, 2016. This new campaign targeted the labor ministry and a chemicals firm. Luckily for the organizations, the malware was discovered and defused before the scheduled execution dates. There is no information as to how the malware was delivered to the targeted organizations, but it is likely that the threat actors performed reconnaissance on the target networks during a previous intrusion to map the networks and identify systems to deliver the malicious payload to.
Analysis of both attacks reveals that the threat actors used stolen credentials to stage their attacks, and these credentials were likely obtained during a separate precursor attack. Whether theft occurs with credentials left exposed, default passwords, or admin “left behind” credentials, detecting credential theft and when these credentials are put into use is extremely difficult, because they are legitimate credentials, stolen from local credential stores or out of memory. A look at the Verizon Data Breach Investigation Report shows Stolen Credentials as one of the top intrusion methods going back several years. While there are some methods an organization can use to attempt to detect stolen credential reuse, very few organizations have the capability to accurately detect this activity.
Most options for detecting stolen credential attacks are based on behavioral learning and are prone to false positives. The attackers use this to their advantage as they can generate many low-level alerts to test their access. These, uncorrelated, could be easily missed amongst the 1000s of alerts typically seen by a security analyst. The Attivo Networks ThreatMatrix™ Detection and Response platform takes a different approach to defeating these types of attacks. The ThreatMatrix platform is ideally suited for providing visibility to likely attack paths, detecting both internal reconnaissance activity and the use of stolen credentials through its ThreatPath™, BOTsink™, and ThreatStrike™ solutions.
The ThreatPath solution provides visibility into likely paths an attacker will take to establish a foothold and escalate their attack. This is built from a topographical view of misconfigured systems and exposed credentials. This insight empowers organizations to proactively identify where their risks are and shut down these “onramps”.
The Attivo BOTsink solution stands guard inside an organization’s network, using high-interaction deception and decoy technology to lure attackers into engaging and revealing themselves. Through misdirection of an attacker, organizations gain the advantage of time to detect, analyze, and stop the attack. Detection occurs across all attack phases including reconnaissance and lateral movement. When attackers conduct reconnaissance activities inside a target network, they are relying on systems to respond back to their probes. With the BOTsink engagement servers deployed throughout the network, these probes will touch those decoys, who will respond back, giving the attackers a false sense of what the network looks like, and acting as viable targets for their attack activities. The early detection that this provides the organization is priceless, as is the potential to deflect attacks from production assets to the engagement servers. As the attackers move laterally throughout the network and interact with more decoys, the organization gains more insight into their tactics, techniques, and procedures, information that will help craft an appropriate response as well as strengthen the organization’s security posture.
Most attacks start with entrance at the end-point. The Attivo ThreatStrike solution is designed specifically for deception-based end-point threat detection. Deception credentials are placed on end-points and servers that appear to be employee credentials, application and other data. This bait sets “breadcrumbs” or “lures” that lead attackers to an engagement server where their attack activities can be analyzed and a substantiated alert raised. With deception credentials seeded throughout the environment, when the attackers compromise an end-point and steals the credentials stored therein, they will also steal deceptive credentials which will lead them to the deception environment, giving the organization early detection of the theft. Additionally, if organizations utilize a SIEM and the attackers attempt to exfiltrate the credentials, or use them on production assets, the organization will also get alerted. This gives the organizations a way to detect when stolen credentials are reused in the environment, or exfiltrated.
Even if an organization had not invested in attack path visibility, both the early detection of reconnaissance and lateral movement, and the ability to detect stolen credential reuse, would have provided early detection of the attack activities that comprised the Shamoon 2 campaign. Distributed Deception Platforms are changing the playing field for attackers and have been recognized by Gartner and several other analyst firms for its efficiency in detection in-network attack activities. Attivo Networks technology, specifically has been awarded for the comprehensiveness and maturity of the ThreatMatrix Platform for in-network threat detection, attack forensic analysis, and continuous threat response.
Organizations of all sizes and industries are now actively adopting deception technology to increase their readiness to combat advanced threats such as the Shamoon campaigns. By adopting the Attivo ThreatMatrix platform they have gained efficient and accurate visibility into threats within their environment and, as a result, been able to reduce their time to detection as well as time to respond.