Executive Summary:

In May 2019, the cybersecurity team at Barac identified an Advanced Persistent Threat (APT) targeting a global financial institution. The attackers relied on encryption to evade detection. The structure, complexity and certain characteristics of the compromise led the team to believe the threat most likely originated in North Korea. We described the attack in a previous blog post.

Key information:

  • We confirmed that the attack used certificates signed by a North Korean group
  • The entire attack had been architected to work under the radar of the highly sophisticated security controls used by the financial institution’s head office
  • In particular, the compromise used multiple websites and encryption to obfuscate the C+C (Command and Control) traffic and therefore evade these security controls
  • The C+C channel ran over TLS with a strong symmetric cipher (AES-256), so the payload itself could not be inspected
  • The attack was detected using the Barac behavioural analytics model, which scans the metadata of encrypted traffic looking for patterns, anomalies and suspicious behaviour, all without the need for decryption
  • Once the threat was identified, the Barac team worked in conjunction with the bank to conduct detailed investigations of the entire attack and to test for additional sophisticated breaches.

The attack in detail

This was a sophisticated attack. It used encryption and mimicked common traffic patterns and profiles to mask its activity. The victim was a large financial institution with several subsidiaries covering Southern Africa.

The institution’s security controls required all traffic leaving the business to be encrypted. The attackers understood this and did the same, hiding the C+C traffic inside encrypted flows so that everything appeared normal. They also used a number of look-alike (spoofed) websites hosted in Bulgaria for the C+C infrastructure, so the flows appeared to be directed at legitimate sites.

Nevertheless, the Barac ETV platform flagged these sessions as risky. The ETV is able to look at multiple metrics – taking into account how these metrics interact over time – in order to create an accurate risk score for the encrypted traffic flows. Using this approach, it can flag how small, often easy-to-miss, anomalies in encrypted traffic metadata could actually signal a sophisticated threat.

Here are some of the metrics that caused the encrypted traffic leaving the bank’s infrastructure to be scored as high-risk:

  • The domain-name (DNS) risk score was high because the names appeared to be look-alikes of legitimate domains
  • The domain registration and the certificate did not match: the domains were registered in Bulgaria, while the certificates were signed by an entity the team attributes to North Korea
  • The sessions were open for exactly the same duration, and the traffic volume, outbound in particular, was unusually high; fixed-length sessions are characteristic of a scheduled C+C call-home, and a high outbound share is characteristic of data exfiltration
  • The cipher suites offered, and the suite the server chose, were always the same. The chosen suite is only of moderate strength (static RSA key exchange with no forward secrecy, CBC mode) and was uncommon in the bank’s normal traffic flows.

Indicators of Compromise (IOC)

It is important to note that Barac monitors encrypted traffic through a combination of TLS metadata and traffic information using behavioural analytics models. In this instance, the attackers used sophisticated techniques to be able to hide within the bank’s encrypted traffic, and it is the correlation of the indicators shown below that detected the APT.

Barac observed the following indicators:

DNS and IP information:

At Barac, we use machine-learning-based DNS scoring to detect abnormal or suspicious domain names. Each domain is scored between 0 and 1; the higher the score, the more suspicious the domain:

IP address       DNS name                  DNS score
31.7.174.XX      business.bulgarita.net    0.81984
31.7.174.XX      shop.shopafi.net          0.84628
31.6.61.XX       shop.shopafi.net          0.84628
31.6.61.XX       business.bulgarita.net    0.81984

Certificate information:

Each of the two C+C domains presented a certificate with an identical validity period, both starting on 23/05/2019.

The attack took place on 25/05/2019, only two days after the certificates became valid. A certificate that is this new at the time of the first session is itself a useful indicator:

Valid from       Valid to         Certificate information
23/05/2019       22/05/2020       bulgarita NK corp
23/05/2019       22/05/2020       Shopafi NK corp

TLS metadata information

We also noticed that the TLS parameters were always the same, showing that the C+C service had been configured identically across different servers:

  • Cipher suites offered (IANA identifiers in decimal, in the client’s order of preference): 49196, 49199, 49188, 49187, 49192, 49191, 49162, 157, 156, 61, 60, 53, 47, 10. The first seven are ECDHE suites (AES-GCM and AES-CBC, with ECDSA or RSA authentication); the rest are static-RSA suites: TLS_RSA_WITH_AES_256_GCM_SHA384 (157), TLS_RSA_WITH_AES_128_GCM_SHA256 (156), TLS_RSA_WITH_AES_256_CBC_SHA256 (61), TLS_RSA_WITH_AES_128_CBC_SHA256 (60), TLS_RSA_WITH_AES_256_CBC_SHA (53), TLS_RSA_WITH_AES_128_CBC_SHA (47) and TLS_RSA_WITH_3DES_EDE_CBC_SHA (10)
  • Elliptic curve field: 65281,23-24-25,0. If read as the three trailing fields of a JA3 fingerprint, this is a single extension (65281, renegotiation_info), the named curves secp256r1, secp384r1 and secp521r1 (23, 24, 25) and the uncompressed point format (0)
  • Cipher chosen: 61, TLS_RSA_WITH_AES_256_CBC_SHA256. The server selected a static-RSA suite with no forward secrecy even though the client listed seven ECDHE suites ahead of it, which points to a server-side preference order replicated across the C+C hosts
  • X509_Country_Name: Bulgaria
Session information:

IP address       Sessions    Session size (MB)    Outgoing packet ratio
31.7.174.XX      4           2.63                 0.88
31.7.174.XX      3           2.61                 0.89
31.6.61.XX       3           2.64                 0.88
31.6.61.XX       5           2.59                 0.87

Outgoing packet ratio: the number of outbound packets divided by the total number of packets in the session. Normal client traffic is dominated by inbound data, so a ratio close to 0.9 combined with near-identical session sizes (2.59 to 2.64 MB) is a strong sign of a fixed-format call-home that carries data out.
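The indicators listed in this section and in the metrics list under "The attack in detail" (domain score, registry versus certificate mismatch, certificate age, a fixed ClientHello profile, a non-forward-secret cipher choice, uniform session size and a high outbound ratio) are each weak on their own; the following is an added worked example, written for this page and not Barac's own code, of correlating them into one risk score per session. It assumes TLS 1.2 (771) for the JA3 string because the page does not state the protocol version, assumes the three values of the "Elliptic curve" field are the JA3 extensions, curves and point-format fields, and uses weights, thresholds and a one-session baseline chosen purely for illustration. The session records are constructed from the page's tables, and a made-up benign session is included for contrast.

```python
# Added illustration, not Barac's ETV model. Weights, thresholds and the baseline are
# assumptions made for this example; the session records are constructed from the
# figures quoted on the page (IP addresses masked as on the page).
import hashlib
from dataclasses import dataclass
from datetime import date

# IANA TLS cipher-suite identifiers, in decimal as listed on the page.
CIPHER_NAMES = {
    49196: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 49199: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    49188: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 49187: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    49192: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 49191: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    49162: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 49195: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    49200: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 157: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    156: "TLS_RSA_WITH_AES_128_GCM_SHA256", 61: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    60: "TLS_RSA_WITH_AES_128_CBC_SHA256", 53: "TLS_RSA_WITH_AES_256_CBC_SHA",
    47: "TLS_RSA_WITH_AES_128_CBC_SHA", 10: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

def cipher_name(cid: int) -> str:
    return CIPHER_NAMES.get(cid, f"unknown(0x{cid:04X})")

def forward_secret(cid: int) -> bool:
    # ECDHE key exchange gives forward secrecy; the static-RSA suites do not.
    return cipher_name(cid).startswith("TLS_ECDHE_")

def ja3_string(version: int, ciphers, extensions, curves, point_formats) -> str:
    # JA3 layout: version,ciphers,extensions,curves,point_formats; '-' joins values in a field.
    fields = [str(version)] + ["-".join(map(str, f)) for f in (ciphers, extensions, curves, point_formats)]
    return ",".join(fields)

def ja3_hash(version: int, hello: tuple) -> str:
    return hashlib.md5(ja3_string(version, *hello).encode()).hexdigest()

@dataclass
class Session:
    dst_ip: str
    domain: str
    dns_score: float            # domain score in 0..1, as in the page's DNS table
    registry_country: str       # where the domain is registered
    cert_signer_country: str    # where the certificate was signed (as attributed by the analyst)
    cert_not_before: date
    observed: date
    hello: tuple                # (ciphers, extensions, curves, point_formats) from the ClientHello
    cipher_chosen: int
    size_mb: float
    out_ratio: float            # outbound packets / all packets

# Assumed baseline learned from the bank's normal traffic (example values, not the page's).
BASELINE = {"known_ja3": set(), "max_out_ratio": 0.70, "dns_alert": 0.80, "min_cert_age_days": 7}

def score_session(s: Session, baseline=BASELINE):
    """Return (risk in 0..1, reasons). Weights are in hundredths so the total is exact."""
    hits = []
    if s.dns_score >= baseline["dns_alert"]:
        hits.append((25, f"domain {s.domain} scored {s.dns_score:.2f} (look-alike)"))
    if s.registry_country != s.cert_signer_country:
        hits.append((20, f"registered in {s.registry_country}, certificate signed in {s.cert_signer_country}"))
    age = (s.observed - s.cert_not_before).days
    if age < baseline["min_cert_age_days"]:
        hits.append((15, f"certificate only {age} days old at time of session"))
    fp = ja3_hash(771, s.hello)  # 771 = TLS 1.2; the page does not state the version (assumed)
    if fp not in baseline["known_ja3"]:
        hits.append((10, f"client fingerprint {fp[:8]}... never seen in baseline"))
    if not forward_secret(s.cipher_chosen) and any(forward_secret(c) for c in s.hello[0]):
        hits.append((10, f"server chose {cipher_name(s.cipher_chosen)} although ECDHE suites were offered"))
    if s.out_ratio > baseline["max_out_ratio"]:
        hits.append((20, f"outbound packet ratio {s.out_ratio:.2f} (exfiltration-like)"))
    return min(100, sum(w for w, _ in hits)) / 100, [why for _, why in hits]

def uniform_sessions(sizes_mb, tolerance: float = 0.05) -> bool:
    """True when all sessions lie within `tolerance` relative spread: the fixed-size call-home pattern."""
    mean = sum(sizes_mb) / len(sizes_mb)
    return (max(sizes_mb) - min(sizes_mb)) / mean <= tolerance

# The four C+C sessions from the page's tables, all sharing one ClientHello profile.
C2_HELLO = ((49196, 49199, 49188, 49187, 49192, 49191, 49162, 157, 156, 61, 60, 53, 47, 10),
            (65281,), (23, 24, 25), (0,))

def c2_session(ip, domain, dns_score, size_mb, out_ratio) -> Session:
    return Session(ip, domain, dns_score, "Bulgaria", "North Korea",
                   date(2019, 5, 23), date(2019, 5, 25), C2_HELLO, 61, size_mb, out_ratio)

C2_SESSIONS = [
    c2_session("31.7.174.XX", "business.bulgarita.net", 0.81984, 2.63, 0.88),
    c2_session("31.7.174.XX", "shop.shopafi.net", 0.84628, 2.61, 0.89),
    c2_session("31.6.61.XX", "shop.shopafi.net", 0.84628, 2.64, 0.88),
    c2_session("31.6.61.XX", "business.bulgarita.net", 0.81984, 2.59, 0.87),
]

# Constructed benign session: a browser-like ClientHello to a long-established site.
BENIGN_HELLO = ((49195, 49199, 49196, 49200), (0, 23, 65281, 10, 11), (29, 23, 24), (0,))
BENIGN = Session("203.0.113.10", "example.com", 0.05, "US", "US",
                 date(2018, 11, 1), date(2019, 5, 25), BENIGN_HELLO, 49199, 0.40, 0.45)
BASELINE["known_ja3"].add(ja3_hash(771, BENIGN_HELLO))

if __name__ == "__main__":
    for sess in C2_SESSIONS + [BENIGN]:
        risk, why = score_session(sess)
        print(f"{sess.dst_ip:12} {sess.domain:24} risk={risk:.2f} {why}")
    print("uniform C+C session sizes:", uniform_sessions([s.size_mb for s in C2_SESSIONS]))
```

Each of the four C+C sessions trips all six rules and scores 1.0, while the benign session scores 0.0; the per-session `reasons` list is what an analyst would want in the alert. Note that the registry/certificate mismatch and the "signed in North Korea" attribution are analyst inputs here, not something derived from the bytes on the wire, and that a real baseline would hold many fingerprints and per-destination ratio distributions rather than a single benign session.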

The malicious C+C looks like the following graph:

Barac found this attack because the platform models normal traffic flows and highlights the flows that fall outside that norm. This may sound simple, but in practice we track over 150 different metrics and look at their interactions and changes relative to each other over time in order to detect these attacks.