DESCRIPTION

More info on http://techdays.be.

Page 1: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

APTs, Cyber-attacks, Cybercrime, Cyber warfare and Cyber threats exposed

Marcus Murray & Hasain Alshakarti, Truesec Security Team, MVP-Enterprise Security x2

Page 2: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Marcus Murray Hasain Alshakarti

Page 3: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

The threat landscape is changing...

It used to be kids hacking for fun...

Page 4: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Not anymore...

Page 5: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Most countries have "cyber capabilities" today...

Page 6: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

The "Mandiant report"

Page 7: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Unit 61398 is partially situated on Datong Road (大同路) in Gaoqiaozhen (高桥镇), which is located in the Pudong New Area (浦东新区) of Shanghai (上海). The central building in this compound is a 130,663 square foot facility that is 12 stories high and was built in early 2007.

* Mandiant APT1 report 2013

Page 8: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

We estimate that Unit 61398 is staffed by hundreds, and perhaps thousands of people based on the size of Unit 61398’s physical infrastructure.

Page 9: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

“Unit 61398 requires its personnel to be trained in computer security and computer network operations and also requires its personnel to be proficient in the English language.”

* Mandiant APT1 report 2013

Page 10: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

"They have systematically stolen hundreds of terabytes of data from at least 141 organizations, and have demonstrated the capability and intent to steal from dozens of organizations simultaneously."*

* Mandiant APT1 report 2013

Page 11: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

“Among other large-scale thefts of intellectual property, we have observed them stealing 6.5 terabytes of compressed data from a single organization over a ten-month time period.”

* Mandiant APT1 report 2013

Page 12: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Attack process

• Initial recon
• Initial compromise
• Establish foothold
• Escalate privileges
• Internal recon
• Lateral movement
• Maintain presence
• Complete mission

Page 13: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Attack process

Page 14: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Initial recon

[Diagram: Attacker]

Page 15: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Initial recon

[Diagram: Attacker]

Page 16: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Initial compromise

[Diagram: Attacker; Web Srv, Mail Srv, File Srv, DC, Mail Srv; Client (User), Client (Admin)]

Page 17: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Establish foothold

[Diagram: Attacker, C & C SRV; Web Srv, Mail Srv, File Srv, DC, Mail Srv; Client (User), Client (Admin)]

Page 18: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

What about antivirus?

[Diagram: Attacker; Trojan.exe, Avhide, Newtrojan.exe; Av-test]

Page 19: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!
Page 20: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!
Page 21: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Lateral movement

[Diagram: Attacker; Web Srv, Mail Srv, File Srv, DC, Mail Srv; Client (User), Client (Admin)]

Page 22: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Complete mission

[Diagram: Attacker; Web Srv, Mail Srv, File Srv, DC, Mail Srv; Client (User), Client (Admin)]

Page 23: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

What about network detection?

Page 24: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Complete mission

Harvest data
• intellectual property
• business contracts
• negotiations
• policy papers
• internal memoranda
• etc.

Compress and collect
• Rar+pwd
• etc.

Attacker

Page 25: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Channel over MSN

Page 26: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Channel over Google calendar

Page 27: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

FQDN used...

About half of APT1's known zones were named according to three themes:
• News
• Technology
• Business

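A defender-side illustration of the naming theme above, added here and not part of the deck: a small check that scans DNS query logs for names that embed a well-known news or technology brand without being that brand's own registered domain. The log format, the brand table and the sample lines are constructed for this example.

```python
import re
from typing import Optional

# Brand names that the themed C2 zones mimicked, mapped to the brand's real
# registered domain. Constructed table; extend it with the brands you care about.
BRANDS = {
    "cnn": "cnn.com",
    "yahoo": "yahoo.com",
    "nytimes": "nytimes.com",
    "aol": "aol.com",
}

# Assumption: two-label registered domains (example.com). Public-suffix
# handling (co.uk and the like) is left out to keep the example short.
def registered_domain(fqdn: str) -> str:
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def brand_lookalike(fqdn: str) -> Optional[str]:
    """Return the mimicked brand if the registered domain embeds a brand name but is not the brand's own domain."""
    reg = registered_domain(fqdn)
    second_level = reg.split(".")[0]
    for brand, real in BRANDS.items():
        if brand in second_level and reg != real:
            return brand
    return None

# Constructed resolver log format: "<timestamp> dns client=<ip> query=<name>"
LOG_LINE = re.compile(r"^\S+ \S+ client=(?P<src>\S+) query=(?P<qname>\S+)")

def flag_queries(lines):
    """Return (client, queried name, mimicked brand) for every look-alike query in the log."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not DNS query records
        brand = brand_lookalike(m["qname"])
        if brand:
            hits.append((m["src"], m["qname"], brand))
    return hits

# Constructed sample log; the look-alike names follow the APT1 news theme.
SAMPLE_LOG = """\
2013-02-19T10:01:02Z dns client=10.0.0.12 query=www.cnn.com
2013-02-19T10:01:05Z dns client=10.0.0.12 query=edition.cnn.com
2013-02-19T10:02:11Z dns client=10.0.0.31 query=update.cnndaily.com
2013-02-19T10:02:40Z dns client=10.0.0.31 query=mail.yahoodaily.com
2013-02-19T10:03:01Z dns client=10.0.0.44 query=news.nytimesnews.net
2013-02-19T10:03:07Z dns client=10.0.0.44 query=intranet.example.org
""".splitlines()
```

Legitimate subdomains of the real brand (edition.cnn.com) pass, while cnndaily.com-style registrations are flagged together with the client that asked for them.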

Page 28: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Origins of attacks...

Page 29: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Marcus Murray Hasain Alshakarti

Page 30: Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Thank you for listening!