On this episode of State of the Hack, we are joined by Andrew Thompson of FireEye’s Adversary Pursuit team. We explore the evolution and current state of cloud services OAuth abuse, how we do technical intelligence and attribution, and some war stories from the past few weeks of responding to intrusions that matter.
Episode Recap and More Information
"Shining a Light on OAuth Abuse": We explore the history of in-the-wild OAuth abuse and the uptick in third-party applications granted full, offline access to cloud service user data for 90 days, without needing the user's credentials and bypassing two-factor authentication. We discuss APT28’s 2016 campaign, the May 2017 “Eugene Popov” worm, and our red team’s use of the methods – tracing the origins back to a 2014 blog post by Andrew Cantino (@tectonic). There is an interesting history of cloud service providers responding to this activity. Our own Doug Bienstock (@doughsec) released the PwnAuth tool to allow organizations to test their user awareness and their ability to monitor for this technique.
- Shining a Light on OAuth Abuse with PwnAuth
- History of OAuth social engineering attacks
- OAuth Hunting Scripts
"How FireEye Tracks Threats": We get to know Andrew Thompson (@QW5kcmV3) and chat with him about how his team clusters, merges, and graduates threat groups. We discuss modeling in the graph database and our preference for primary source data – from Mandiant responses, Managed Defense events, and our product telemetry data – with examples such as APT10 and how collections feed the intel picture. We discuss the tension between incident response and intelligence team members working together on engagements. Andrew gives a few cool recent examples of illuminating adversary infrastructure.
"Threat Activity Round-up": We chat about VPNfilter and the uptick in network device (and critical infrastructure) targeting. We give insight into our ongoing Community Protection Event for VPNfilter and some in-the-wild intrusions. Glyer drops some knowledge on 2016 telemetry on this activity. We chat about Windows Management Instrumentation (WMI) activity – WMIEXEC being used by APT10 and APT20, WMI persistence by some targeted groups, and the downstream push of previously sophisticated methods such as SystemUptime in WMI. We chat quickly about public reporting on the same threat actors behind the ICS attack framework TRITON now targeting multiple safety instrumentation systems (SIS). We close with Andrew talking about how his team finds attacker infrastructure before it’s used.
- VPNfilter techniques in-the-wild
- History of the WMI SystemUptime method
- QUADAGENT Iranian infrastructure prior to use
State of the Hack is FireEye's monthly broadcast series, hosted by Christopher Glyer (@cglyer) and Nick Carr (@itsreallynick), that discusses the latest in information security, cyber espionage, attack trends, and tales from the front lines of responding to targeted intrusions. If you want to experience the magic, you can watch all State of the Hack episodes now. All episodes are also available as podcasts.