Cisco Talos’ Craig Williams on the hunt for bugs and abnormal behavior
Look at some of the biggest cybersecurity incidents in the last year and one threat intelligence organization tends to pop up: Talos.
Researchers from Talos, a division of networking giant Cisco, have helped expose VPNFilter, the massive botnet that loomed over Ukraine, and have tracked cybercriminals who have used mobile device management servers to distribute malware.
On the sidelines of the Black Hat and DEF CON conferences in Las Vegas this month, CyberScoop sat down with Craig Williams, Talos’ director of outreach, to get his take on some of these high-profile threats and how he approaches the craft of investigating malware campaigns.
Like most other threat intelligence units, Talos has to manage a critical relationship with law enforcement, deciding when to loop in the public sector as it comes across all different kinds of attacks. Williams provides some insight into how Talos handles these interactions, which can often be as complex as the malware he pores over daily.
This conversation has been lightly edited for length and clarity.
CyberScoop: In breaching Reddit in June, hackers were able to intercept the SMS that employees used for two-factor authentication. While SMS is obviously still better than having no second factor at all, the Reddit incident prompted a discussion in the security community of the limits of SMS. What’s your assessment?
Craig Williams: Two-factor over SMS is becoming less and less secure. I think what we’re going to see is the pattern of once people get the idea of how to [exploit] it, and that becomes more and more public, we’re going to see more and more abuse.
SMS is a first step; you shouldn’t stop there. [Hardware tokens or app authenticators] are clearly better.
We’ve seen multiple instances now where people were able to infiltrate data centers and talk phone companies into either cloning a SIM or giving up details to get the attacker to be able to clone a SIM.
CS: What would you attribute that abuse of SMS to?
Williams: I think it’s just people trying to social-engineer phone companies, and as I said, when they become successful, they keep doing it. And they find insiders who are willing to take money [in exchange] for insider information.
It’s one of those areas where I think due to the way that MDM [mobile device management] servers can be abused, and they can abuse phones, it’s going to continue to get worse. Particularly as people build kits for it and make it easier for other people to use.
CS: So you’re seeing attackers build exploit kits for MDM servers?
Williams: There are open source tools out there. People are setting those up as servers and then spamming. So that’s becoming more and more popular. I think the problem is, as an industry, we don’t have great visibility on it. Because think about it: In order to find these servers, we either have to see the email [and] identify it as a potential MDM email, which is difficult; or, scan the internet for these servers and be able to fingerprint the header somehow. So it’s not easy to do.
CS: Are you doing any new research on these types of MDM attacks?
Williams: Yes. We’re trying to find better ways to look into it. Because if you look at the way Android and iOS handle those types of servers, they’re very different. So I want to look at malware that’s attacking both and see how it’s the same, see how it’s different. Maybe there’s one way that’s better, and just do some research there, because I don’t think anybody has done it, except maybe Apple or Google, and I’m sure they don’t want to share their secret sauce.
CS: Talos worked with law enforcement and the nonprofit Cyber Threat Alliance to raise awareness of the threat from VPNFilter, the 500,000-router-strong botnet that the FBI disrupted in May. Walk us through how you approached that disclosure.
Williams: VPNFilter was a really dangerous scenario. Obviously, it was something that we didn’t want to rush out the door, something that we had researched for weeks and we were understanding the capabilities. And the reason this was different from most malware that we deal with is it had a self-destruct mechanism. A lot of people got confused and were like, “Oh it’s a kill switch, like WannaCry.”
WannaCry’s kill switch just turned off the malware. [VPNFilter] had a literal self-destruct mechanism where it would erase the firmware. So we’re talking about half a million network devices that would literally just be bricked – instantly. What happened was right before the one-year anniversary of the NotPetya attack, and [before] the Ukraine Constitution Day and the European soccer championship, we saw a 400-times increase in attack traffic — just in Ukraine.
Immediately, we think they’re setting up another attack on the anniversary of NotPetya, or for the soccer game, or for Constitution Day. And so that forced our hand. And so we immediately started reaching out to law enforcement contacts, to groups like The Cyber Threat Alliance, to help them not only understand what the threat was and how it worked, but the consequences.
CS: Did your outreach take anybody in the government by surprise? What was their level of awareness?
Williams: I think anytime you deal with a government intelligence agency, they’re never going to let you know their level of awareness. They’re always going to be like, “Thank you. May I have more intel?”
When it comes down to it, I would be shocked if they weren’t aware of it because it was so widely deployed. Maybe we were able to fill in a lot of the details for them because we have such expertise in reverse engineering and all the different architectures.
Normally, we don’t bother with attribution, but what we did want to do was dissuade them from detonating the malware. Because there are two actions they can take when caught. They can go silent and play dead, or they could have detonated the self-destruct mechanism and wiped out the devices, covering their tracks. And so when we told people we believed it was actors [using custom malware associated with] APT 28, we’re basically saying, “Hey, if your bank gets robbed, it’s Steve.” It gives them a big incentive to not follow through with the plans of robbing the bank.
CS: Another big malware campaign this year was Olympic Destroyer, a wiper attack that hit IT systems supporting the Olympic Games in South Korea and which U.S. intelligence officials reportedly pinned on Russian military hackers. The malware included a number of decoys to confuse researchers trying to do attribution. What was seminal about this malware campaign?
Williams: Olympic Destroyer was really the first piece of malware to do massive false flags. They implanted four different countries’ APT code in the malware, basically making fun of the security companies trying to do attribution based off a single malware sample. A malware sample is not like handwriting or a fingerprint. It’s literally a static photo.
False flags aren’t new. We’ve seen them before. But this was a case of the attackers openly taunting the security community.
CS: Can you explain Talos’ process for analyzing malware? What combination of it is using proprietary tools and what combination is open-source?
Williams: It’s everything. It’s proprietary, open-source, commercial stuff that we sell, etc.
When I was running our first malware lab in Austin in 2008, I figured out that we could use our Cisco security agent and Norton Ghost to build a [rudimentary] sandbox. That was the first sandbox we had in the malware lab. And now we have ones that work way better. But when we don’t have a tool that we need, we’ll just hack something together. And then if it works well, we’ll get something even better together.
CS: Federal officials might be jealous of all the threat intelligence that you have.
Williams: We work very closely with law enforcement and have really good relationships with them.
CS: At what point does malicious activity that you’re observing reach a threshold where you need to alert law enforcement?
Williams: It has to have a global impact, or if we think it’s something that law enforcement needs to be involved in.
When you look at it, 10 years of experience kicks in, and you just know: This is different, this is the next-level thing. Like when we looked at VPNFilter and we noticed that it was designed with all of the functions, modularly — that it was likely designed by a team of coders, each writing a tiny portion. That’s what nation-states do. That’s how they design it, so no one person knows how it works. So if somebody does decide to go rogue, it doesn’t matter, the amount of damage they can cause [is minimal].
CS: But aren’t nation-state groups often not reaching for their top-drawer stuff right now? They’re not necessarily pulling out the zero-days.
Williams: True, but usually the payloads are reasonably complex.
CS: Do you ever come across APT behavior that you think might be one of the “Five Eyes” (from Australia, Canada, New Zealand, the United Kingdom or the United States)?
Williams: If we did find something that maybe was from the Five Eyes, and we showed it to them, I doubt they would say, “Hey, that’s ours.”
[Regardless], if we see somebody hacking somebody else, we’re going to try to stop them. At the end of the day, we’re out there to protect our users.
CS: Doesn’t malware used by the Five Eyes look different than malware from the Chinese or Russians?
Williams: There are so many external parties that write tools like this, you’re never going to be able to say it’s “X,” accurately. You’re just going to be able to say, “Somebody spent a ton of money designing this.”
CS: What about VPNFilter? You were able to do some attribution in that case.
Williams: That was because we found code overlap. And copying in broken code — it doesn’t necessarily mean they’re the same actors, but it means they share a code base. So same organization, same criminals.
CS: For many, securing the IT supply chain is a ceaseless and near-intractable task. What’s your take? What’s a good mindset for hunting for computer vulnerabilities?
Williams: Every single computer has bugs. The question is: How deeply are you going to look for them? Are you going to find the ones that people can find in 30 days? Are you going to find the ones that take years? Because there’s nothing that’s 100 percent secure. That does not exist. Anybody who says otherwise is lying, or just misleading you.
So you have to go find that low-hanging fruit, you have to go find the [vulnerabilities] of least complexity, so that it’s much, much harder to exploit or influence these systems.
You’re never going to be able to audit every line of code and say it’s perfect. Instead, you start looking for abnormal behavior. You look for obvious bugs. If you have time, you look for the more complex type of bugs. But the vast majority of the supply-chain attacks that we’ve seen have been people being able to penetrate the build system — pushing down a backdoor update, or something like that. Because when they do that, they walk right through a firewall because you’re allowing it.