Your SlideShare is downloading. ×
Target attack (hkust gold edition)(public version)
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Target attack (hkust gold edition)(public version)


Published on

Published in: Technology

1 Comment
  • Please feel free to reference my slide if needed BUT please acknowledge, credit and reference it, thanks, mate.

    Otherwise, if I know about it, hehehe :D
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Target Attack (HKUST Gold version) Anthony LAI {Founder, Researcher}
  • 2. What is VXRL? Valkyrie-X Security Research Group • Voluntary, officially registered, non-commercial and hobbyist group; • Focus on Web hacking, reverse engineering/exploitation, malware analysis, forensics analysis, offensive security and attack analysis; • Connect to and collaborate with researchers for research opportunity; • Emphasise skills and knowledge sharing; • “Offensive, Creative and Fun”
  • 3. Conference and CTF participation
  • 4. Breaking News: VX@Blackhat USA 2014
  • 5. About APT Attribution and DNS Profiling
  • 6. Our research, talks and workshop - Network Forensics Kungfu Workshop, DFRWS Europe 2014 (Amsterdam) - APT Attack and Network Forensics Framework, APWG eCrime 2014 - APT Espionage Case Studies, IEEE Malware 2011 - Facebook Forensics, published in US government site, workshop done for TCD and HTCIA.
  • 7. Our research, talks and workshop - China is a victim, too. :) - AVTokyo 2013.5 - APT Clustering and Attacker Profiling: DEFCON 19, HITCON, SYSCAN Taipei - DDoS Kungfu - DEFCON 20, AVTokyo - Chinese Malware analysis and Internet Censorship- Blackhat USA 2010 & DEF CON 18 - Operation Saving Private Records - Webapp Security “Fengshui”
  • 8. Who am I? Focus on penetration test, threat analysis and code audit and give private corporate training Threat advisor and pentest team mentor in various MNCs CFP Speaker: Blackhat USA, DEFCON 18-20, Codegate, AVTokyo, Hack In Taipei, APWG, DFRWS, HTCIA APAC Passionate over Capture The Flag games, reverse engineering and exploitation Research interest: threat correlation, attacker profiling and payload analysis SANS GREM, GCFA and GWAPT mentor; (ISC)2 ISLA APAC Sr. InfoSec Professional Award
  • 9. Agenda What is target attack? Attack symptoms (illustrated with case #1) Our main dish case studies More …..
  • 10. Target Attack or APT?! Target Attack (a.k.a Advanced Persistent Threat (APT)) is defined as “a long term pattern of targeted, sophisticated attack”
  • 11. Target Attack or APT?! Consistent with more adversaries (e.g. nation states or terrorist groups with highly sophisticated levels of expertise and resources that seek to establish permanent footholds in organizations for purposes of impeding aspects of the organizational missions.
  • 12. Reference National Institute of Science and Technology. 2011. Information Security Risk. [ONLINE] Available at:http://csrc.nist. gov/publications/nistpubs/800-39/SP800-39- final.pdf.
  • 13. Attack Symptoms Step 1: Sending speared phishing email Spoof your fellows, reporters, groupmate, etc.
  • 14. Attack Symptoms Step 2: Aha, with an attachment The attachment could be a doc, docx, xlsx, xls, ppt, pptx, zip, rar, 7z, pdf files, or shortcut file.
  • 15. Attack Symptoms Step 3: When a target opens it, several exploits are launched: For this case, CVE-2012-0158
  • 16. Attack Symptoms Step 4: Persistence and Connection to Botnet C2 server
  • 17. Attack Symptoms Step 5: Monitoring: Escalate or Retreat Operator will interact and monitor the compromised target’s machine. If there is no relevant and high value of intelligence, he/she considers uninstalling the payload. On the contrary, he/she may load more advanced payload(s) to the target.
  • 18. Overall Observation <CENSORED>
  • 19. Observation Similar observation from FireEye Date: 22 May 2014 URL: http://www.infosecurity-magazine. com/view/38532/fireeye-backs- washington-with-new-apt1-data-linking- attacks-to-china/
  • 20. 18 Feb 2013 Mandiant released a report named as “APT1” Report, it claims China PLA 61398 Unit is liable to attack at least 141 US organizations and companies. Report: News:
  • 21. APT1 Report Summary Highlights of the report include: ● APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. ● APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations. ● APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries. ● APT1 maintains an extensive infrastructure of computer systems around the world. ● In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language. ● The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators. ● In an effort to underscore that there are actual individuals behind the keyboard, Mandiant is revealing three personas that are associated with APT1 activity. ● Mandiant is releasing more than 3,000 indicators to bolster defenses against APT1 operations.
  • 22. APT1 Report HKUST? Oh yeah!
  • 23. APT1 Report What is HTRAN communication?
  • 24. Okay, HKUST time VXRL tried to search
  • 25. Okay, HKUST time (Y2012)
  • 26. Okay, HKUST time (Y2011) Leak of APT domains URL: http://www.r00tsec. com/2011_08_14_archiv e.html
  • 27. Okay 143.89.*.* history :-)
  • 28. Okay, HKUST time (Y2011) Reference: intelligence/threats/htran/
  • 29. Okay, as alumni, I made query to ITSC: <CENSORED>
  • 30. Okay…..?! <CENSORED>
  • 31. Okay, let us talks about HKUST As an alumni, I made the following query on 11 March 2014: <CENSORED>
  • 32. Okay, Incident Response policy :-) responses/ Alright, no policy at all :)
  • 33. Observation Y2011-Y2012: Noone knows about the machine was compromised.
  • 34. Other than the rank, please take care of your information and system, HKUST :-) <CENSORED>
  • 35. Lesson Learnt How about your company? React only when incident strikes? Can you take the reputation loss risk?
  • 36. Recent News 5 PLAs wanted by FBI http://www.nytimes. com/2014/05/20/us/us-to-charge- chinese-workers-with-cyberspying. html?_r=0 FBI Most Wanted
  • 37. Counter comments against APT1 Report Ran2, VXRL: Some comments from the report is not sufficient raised by Ran2 URL:
  • 38. In fact, China is also a victim :-) China is a victim, too :) @ AVTokyo 2013.5 Conference - Darkfloyd x Zetta URL:
  • 39. Targeted by Fangongheike
  • 40. Thank you for your listening Email: Darkfloyd[at] Twitter: @anthonation