S1E04: Illuminating the Adversary

In May we were joined by Andrew Thompson (@QW5kcmV3) of FireEye’s Adversary Pursuit team. We explore the evolution and current state of cloud service OAuth abuse, how we do technical intelligence and attribution, and some war stories from the past few weeks of responding to intrusions that matter.

“Shining a Light on OAuth Abuse”: we explore the history of OAuth abuse in the wild and the uptick in third-party applications being granted full, offline access to a user’s cloud service data. Once the user clicks “Allow”, the attacker holds a refresh token: no credentials are needed, and two-factor authentication is not re-prompted for the life of that token (90 days in the cases discussed). We discuss APT28’s 2016 campaign, the May 2017 “Eugene Popov” worm, and our red team’s use of the methods, tracing the origins back to a 2014 blog post by Andrew Cantino (@tectonic). There is an interesting history of cloud service providers responding to this activity. Our own Doug Bienstock (@doughsec) released the PwnAuth tool to allow organizations to test their user awareness and their ability to monitor for this activity.
-- Shining a Light on OAuth Abuse with PwnAuth: https://www.fireeye.com/blog/threat-research/2018/05/shining-a-light-on-oauth-abuse-with-pwnauth.html
-- History of OAuth social engineering attacks: https://twitter.com/ItsReallyNick/status/926086495450095617
-- OAuth Hunting Scripts: https://github.com/dmb2168/OAuthHunting
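The monitoring side of the segment above, as an added example that is not code from the episode, from PwnAuth or from the OAuthHunting scripts: it scores third-party consent grants by whether they combine broad data scopes with offline (refresh-token) access, and it looks for the consent-worm pattern of many users authorizing the same app within minutes. The record layout is an assumed, normalised shape and the sample events are constructed; a real Azure AD “Consent to application” audit entry or a G Suite token-authorize event carries the same facts under different field names, so map them into this shape first.

```python
"""Hunt risky third-party OAuth consent grants in a consent audit export.

Added example, not code from the episode, PwnAuth or the OAuthHunting
scripts. The record layout is an assumed, normalised shape; map your
provider's audit export into it before running.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Scopes that hand an app broad, standing access to mailbox, file or
# contact data (Microsoft Graph names and Google scope URLs side by side).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "Contacts.ReadWrite",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/contacts",
}

# Constructed sample events (not real tenant data). "offline" is True when
# the grant included offline_access (Microsoft) or access_type=offline
# (Google): that is what yields a refresh token, so the app keeps reading
# data without the password and without re-prompting for 2FA.
SAMPLE_EVENTS = [
    {"time": "2018-05-03T14:02:11Z", "user": "alice@example.com",
     "app": "Google Docs", "app_id": "app-0001", "publisher_verified": False,
     "consent_type": "user", "offline": True,
     "scope": "email https://mail.google.com/ https://www.googleapis.com/auth/contacts"},
    {"time": "2018-05-03T14:05:40Z", "user": "bob@example.com",
     "app": "Google Docs", "app_id": "app-0001", "publisher_verified": False,
     "consent_type": "user", "offline": True,
     "scope": "email https://mail.google.com/ https://www.googleapis.com/auth/contacts"},
    {"time": "2018-05-03T14:09:02Z", "user": "carol@example.com",
     "app": "Google Docs", "app_id": "app-0001", "publisher_verified": False,
     "consent_type": "user", "offline": True,
     "scope": "email https://mail.google.com/ https://www.googleapis.com/auth/contacts"},
    {"time": "2018-05-07T09:15:00Z", "user": "dave@example.com",
     "app": "Expense Reporter", "app_id": "app-0002", "publisher_verified": True,
     "consent_type": "admin", "offline": False,
     "scope": "openid profile User.Read"},
    {"time": "2018-05-09T18:40:27Z", "user": "erin@example.com",
     "app": "Mailbox Cleaner", "app_id": "app-0003", "publisher_verified": False,
     "consent_type": "user", "offline": True,
     "scope": "Mail.ReadWrite offline_access"},
]


def score_consent(event):
    """Score one grant; returns (score, reasons). Higher means look first."""
    scopes = set(event["scope"].split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    score, reasons = 0, []
    if risky:
        score += 2
        reasons.append("broad data scopes: " + ", ".join(risky))
        if event["offline"]:
            # Refresh token plus a data scope is the outcome the segment
            # describes: durable access with no credentials and no 2FA prompt.
            score += 2
            reasons.append("offline access (refresh token) to that data")
    if not event["publisher_verified"]:
        score += 1
        reasons.append("unverified publisher")
    if event["consent_type"] == "user":
        score += 1
        reasons.append("end-user consent, not admin-reviewed")
    return score, reasons


def find_risky_consents(events, min_score=3):
    """Return [(score, user, app, reasons)] for grants scoring >= min_score,
    highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_consent(ev)
        if score >= min_score:
            hits.append((score, ev["user"], ev["app"], reasons))
    return sorted(hits, reverse=True)


def burst_apps(events, window=timedelta(hours=1), min_users=3):
    """Map app_id -> user count for apps that collected consents from at
    least min_users distinct users inside one sliding window: the
    self-propagating pattern of a consent worm."""
    by_app = defaultdict(list)
    for ev in events:
        t = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        by_app[ev["app_id"]].append((t, ev["user"]))
    flagged = {}
    for app_id, grants in by_app.items():
        grants.sort()
        for i, (start, _) in enumerate(grants):
            users = {u for t, u in grants[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[app_id] = len(users)
                break
    return flagged


if __name__ == "__main__":
    for score, user, app, reasons in find_risky_consents(SAMPLE_EVENTS):
        print(f"[{score}] {user} -> {app}: {'; '.join(reasons)}")
    print("consent bursts:", burst_apps(SAMPLE_EVENTS))
```

The admin-consented, verified, read-only “Expense Reporter” grant scores zero and drops out; the four user-consented grants with mailbox scopes plus offline access all score 6, and the three “Google Docs” consents inside seven minutes trip the burst check. In a real tenant the scoring thresholds and the window are tuning knobs, and the revocation step (removing the app’s grant and invalidating its refresh tokens) still has to be taken in the provider’s console or API.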

“How FireEye Tracks Threats”: we get to know Andrew Thompson and chat with him about how his team clusters, merges, and graduates threat groups. We discuss modeling in the graph database and our preference for primary source data (from Mandiant responses, Managed Defense events, and our product telemetry) with examples like APT10 and how collections feed the intel picture. We discuss the tension between IR and intelligence team members working together on engagements. Andrew gives a few cool recent examples of illuminating adversary infrastructure. He also says “UNC groups” a few times, which is new public ground for FireEye…

“Threat Activity Round-up”: we chat about VPNFilter and the uptick in network device (and critical infrastructure) targeting. We give insight into our on-going Community Protection Event for VPNFilter and some in-the-wild intrusions. Glyer drops some knowledge on 2016 telemetry on this activity. We chat about WMI activity: WMIEXEC being used by APT10 and APT20, WMI persistence by some targeted groups, and the downstream push of previously sophisticated methods like the WMI SystemUptime trigger. We chat quickly about public reporting that the same threat actors behind the ICS attack framework Triton are now targeting multiple safety instrumented systems (SIS). We close with Andrew talking about how his team finds attacker infrastructure before it’s used.
-- VPNFilter techniques in the wild: https://twitter.com/stvemillertime/status/1001114757280256001
-- History of the WMI SystemUptime method: https://twitter.com/ItsReallyNick/status/995468901495566336
-- QUADAGENT Iranian infrastructure prior to use: https://twitter.com/QW5kcmV3/status/999809240314376192

State of the Hack is FireEye’s monthly broadcast series, hosted by Christopher Glyer (@cglyer) and Nick Carr (@itsreallynick), that discusses the latest in information security, cyber espionage, attack trends, and tales from the front lines of responding to targeted intrusions.

About the Podcast

State of the Hack is FireEye’s monthly series, hosted by Christopher Glyer (@cglyer) and Nick Carr (@itsreallynick), that discusses the latest in information security, digital forensics, incident response, cyber espionage, APT attack trends, and tales from the front lines of significant targeted intrusions.