
S1E04: Illuminating the Adversary

State of the Hack

English - June 11, 2018 20:51 - 34 minutes - 23.5 MB

In May we were joined by Andrew Thompson (@QW5kcmV3) of FireEye’s
Adversary Pursuit team. We explore the evolution and current state of
cloud services OAuth abuse, how we do technical intelligence &
attribution, and some war stories from the past few weeks of
responding to intrusions that matter.

“Shining a Light on OAuth Abuse”: we explore the history of OAuth
abuse in the wild and the uptick in third-party applications granted
full, offline access to cloud service user data, with no need for the
user's credentials and bypassing two-factor authentication for 90
days. We discuss APT28’s 2016 campaign, the May 2017 “Eugene Popov”
worm, and our red team’s use of the methods, tracing the origins back
to a 2014 blog post by Andrew Cantino (@tectonic). There is an
interesting history of cloud service providers responding to this
activity. Our own Doug Bienstock (@doughsec) released the PwnAuth tool
to allow organizations to test their user awareness and their ability
to monitor for this activity.
-- Shining a Light on OAuth Abuse with PwnAuth:
https://www.fireeye.com/blog/threat-research/2018/05/shining-a-light-on-oauth-abuse-with-pwnauth.html
-- History of OAuth social engineering attacks:
https://twitter.com/ItsReallyNick/status/926086495450095617
-- OAuth Hunting Scripts: https://github.com/dmb2168/OAuthHunting
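As an added illustration (not code from the episode, from FireEye, or from the OAuthHunting repository), here is a small hunting routine run over constructed consent-grant audit lines: it flags grants that pair offline_access with broad data scopes for an app outside an assumed allowlist, and it flags a burst of such consents to one app across several users in a short window, the propagation pattern of a consent worm. The pipe-delimited line layout, the Graph-style scope names, the app IDs and the allowlist are all constructed assumptions, not any provider's real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Scopes that, combined with offline_access (a refresh token), give an app
# persistent data access with no password and no further 2FA prompt.
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Contacts.Read", "Files.Read.All", "Files.ReadWrite.All"}
# Hypothetical allowlist of app IDs the organisation has already reviewed.
ALLOWLIST = {"app-0001-approved-mailer"}

# Constructed sample audit lines: timestamp|user|app_id|app_name|scopes
SAMPLE_LOG = """\
2017-05-03T14:01:10|alice@example.com|app-0001-approved-mailer|Mail Client|offline_access Mail.ReadWrite
2017-05-03T14:05:22|bob@example.com|app-9f2c-docs-viewer|Docs Viewer|offline_access Mail.Read Contacts.Read
2017-05-03T14:07:40|carol@example.com|app-9f2c-docs-viewer|Docs Viewer|offline_access Mail.Read Contacts.Read
2017-05-03T14:09:05|dave@example.com|app-9f2c-docs-viewer|Docs Viewer|offline_access Mail.Read Contacts.Read
2017-05-03T16:30:00|erin@example.com|app-7a11-calendar|Calendar Sync|Calendars.Read
"""

def parse_grant(line):
    """Parse one audit line into a dict; scopes become a set."""
    ts, user, app_id, app_name, scopes = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "app_id": app_id, "app_name": app_name, "scopes": set(scopes.split())}

def risky_grant(g):
    """True when the grant yields offline, credential-less access to sensitive data."""
    if g["app_id"] in ALLOWLIST:
        return False
    return "offline_access" in g["scopes"] and bool(g["scopes"] & SENSITIVE_SCOPES)

def hunt(lines, burst_users=3, window=timedelta(hours=1)):
    """Return (finding_type, app_id, detail) tuples for risky and bursty consents."""
    findings, by_app = [], defaultdict(list)
    for g in (parse_grant(l) for l in lines if l.strip()):
        if risky_grant(g):
            findings.append(("risky_consent", g["app_id"], g["user"]))
            by_app[g["app_id"]].append((g["ts"], g["user"]))
    # Burst: distinct users consenting to the same risky app inside one window.
    for app_id, events in by_app.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= burst_users:
                findings.append(("consent_burst", app_id, len(users)))
                break
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f)
```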

“How FireEye Tracks Threats”: we get to know Andrew Thompson and chat
with him about how his team clusters, merges, and graduates threat
groups. We discuss modeling in the graph database and our preference
for primary source data – from Mandiant responses, Managed Defense
events, and our product telemetry data – with examples like APT10 and
how collections feed the intel picture. We discuss the tension between
IR and intelligence team members working together on engagements.
Andrew gives a few cool recent examples of illuminating adversary
infrastructure. He also says “unc groups” a few times, which is new
public ground for FireEye…

“Threat Activity Round-up”: We chat about #VPNfilter and the uptick in
network device (and critical infrastructure) targeting. We give
insight into our on-going Community Protection Event for VPNfilter and
some in-the-wild intrusions. Glyer drops some knowledge on 2016
telemetry on this activity. We chat about WMI activity – WMIEXEC being
used by APT10 & APT20, WMI persistence by some targeted groups, and
the downstream push of previously sophisticated methods like
SystemUptime in WMI. We chat quickly about public reporting on the
same threat actors behind the ICS attack framework Triton now
targeting multiple safety instrumented systems (SIS). We close with
Andrew talking about how his team finds attacker infrastructure before
it’s used.
-- VPNfilter techniques in-the-wild:
https://twitter.com/stvemillertime/status/1001114757280256001
-- History of the WMI SystemUptime method:
https://twitter.com/ItsReallyNick/status/995468901495566336
-- QUADAGENT Iranian infrastructure prior to use:
https://twitter.com/QW5kcmV3/status/999809240314376192

State of the Hack is FireEye’s monthly broadcast series, hosted by
Christopher Glyer (@cglyer) and Nick Carr (@itsreallynick), that
discusses the latest in information security, cyber espionage, attack
trends, and tales from the front lines of responding to targeted
intrusions.