Target attack (hkust gold edition)(public version)

1,019 views
Published in: Technology
  • Please feel free to reference my slide if needed BUT please acknowledge, credit and reference it, thanks, mate. Otherwise, if I know about it, hehehe :D


  1. Target Attack (HKUST Gold version)
     Anthony LAI {Founder, Researcher}
  2. What is VXRL?
     Valkyrie-X Security Research Group
     • Voluntary, officially registered, non-commercial and hobbyist group;
     • Focus on web hacking, reverse engineering/exploitation, malware analysis, forensics analysis, offensive security and attack analysis;
     • Connect to and collaborate with researchers for research opportunities;
     • Emphasise skills and knowledge sharing;
     • “Offensive, Creative and Fun”
  3. Conference and CTF participation
  4. Breaking News: VX@Blackhat USA 2014
  5. About APT Attribution and DNS Profiling
  6. Our research, talks and workshops
     - Network Forensics Kungfu Workshop, DFRWS Europe 2014 (Amsterdam)
     - APT Attack and Network Forensics Framework, APWG eCrime 2014
     - APT Espionage Case Studies, IEEE Malware 2011
     - Facebook Forensics, published on a US government site; workshop done for TCD and HTCIA.
  7. Our research, talks and workshops
     - China is a victim, too. :) - AVTokyo 2013.5
     - APT Clustering and Attacker Profiling: DEFCON 19, HITCON, SYSCAN Taipei
     - DDoS Kungfu - DEFCON 20, AVTokyo
     - Chinese Malware analysis and Internet Censorship - Blackhat USA 2010 & DEF CON 18
     - Operation Saving Private Records
     - Webapp Security “Fengshui”
  8. Who am I?
     Focus on penetration testing, threat analysis and code audit; give private corporate training
     Threat advisor and pentest team mentor in various MNCs
     CFP speaker: Blackhat USA, DEFCON 18-20, Codegate, AVTokyo, Hack In Taipei, APWG, DFRWS, HTCIA APAC
     Passionate about Capture The Flag games, reverse engineering and exploitation
     Research interests: threat correlation, attacker profiling and payload analysis
     SANS GREM, GCFA and GWAPT mentor; (ISC)2 ISLA APAC Sr. InfoSec Professional Award
  9. Agenda
     What is target attack?
     Attack symptoms (illustrated with case #1)
     Our main dish: case studies
     More …..
  10. Target Attack or APT?!
      Target Attack (a.k.a. Advanced Persistent Threat (APT)) is defined as “a long term pattern of targeted, sophisticated attack”.
  11. Target Attack or APT?!
      Consistent with more adversaries (e.g. nation states or terrorist groups with highly sophisticated levels of expertise and resources that seek to establish permanent footholds in organizations for purposes of impeding aspects of the organizational missions).
  12. Reference
      National Institute of Science and Technology. 2011. Information Security Risk. [ONLINE] Available at: http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf.
  13. Attack Symptoms
      Step 1: Sending a spear-phishing email, spoofing your fellows, reporters, groupmates, etc.
  14. Attack Symptoms
      Step 2: Aha, with an attachment. The attachment could be a doc, docx, xlsx, xls, ppt, pptx, zip, rar, 7z or pdf file, or a shortcut file.
  15. Attack Symptoms
      Step 3: When a target opens it, several exploits are launched. For this case: CVE-2012-0158.
  16. Attack Symptoms
      Step 4: Persistence and connection to the botnet C2 server.
  17. Attack Symptoms
      Step 5: Monitoring: escalate or retreat. The operator will interact with and monitor the compromised target’s machine. If no relevant, high-value intelligence is found, he/she considers uninstalling the payload; otherwise, he/she may load more advanced payload(s) onto the target.
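Steps 1 to 5 above are the attacker's chain; the defender sees it at two points, the attachment on the way in (step 2) and the regular check-in to the C2 server on the way out (step 4). The Python script below is an added example, not code from this deck or from VXRL: it flags mail attachments whose extension is on the slide 14 list (taking "shortcut file" to mean .lnk) and looks in proxy logs for a client that contacts the same host at near-regular intervals, which is what a persistent C2 connection leaves behind even when the host name itself is not yet on any indicator list. The log format, the log lines, the client addresses, the host names and the 20 % jitter threshold are all constructed assumptions.

```python
"""Defender-side triage for the five-step targeted-attack chain on slides
13-17: flag risky e-mail attachments and detect periodic beaconing to a
suspected C2 host in proxy logs.  Added example, not from the original
deck; every log line, address and host name below is constructed."""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Attachment types named on slide 14 ("shortcut file" taken to be .lnk).
# Assumption: this is the watch-list a mail gateway would apply.
RISKY_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx",
                    "zip", "rar", "7z", "pdf", "lnk"}


def risky_attachments(filenames):
    """Return the attachments whose real (last) extension is on the watch-list.
    A double extension such as 'invoice.pdf.lnk' is judged by the final one,
    which is the one the operating system acts on."""
    flagged = []
    for name in filenames:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            flagged.append(name)
    return flagged


# Constructed proxy log format: "<ISO timestamp> <client> <dest host> <bytes>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_proxy_log(lines):
    """Parse constructed proxy lines into (timestamp, client, host) tuples,
    silently skipping lines that do not match the expected format."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Detect step 4 (persistent C2 connection): a client contacting the same
    host at near-regular intervals.  Regularity is the coefficient of
    variation of the gaps between contacts (stdev / mean); a timer-driven
    check-in keeps it small, ordinary browsing does not.  Returns a list of
    (client, host, mean_interval_seconds)."""
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)
    beacons = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:          # identical timestamps: nothing to measure
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            beacons.append((client, host, round(mean, 1)))
    return beacons


# Constructed sample: one phishing mail's attachments and a proxy log in which
# 10.0.0.5 checks in with c2.example.invalid every five minutes while 10.0.0.7
# browses a news site at irregular times.
SAMPLE_ATTACHMENTS = ["agenda.docx", "photo.jpg", "invoice.pdf.lnk"]
SAMPLE_PROXY_LOG = [
    "2014-03-11T09:00:00 10.0.0.5 c2.example.invalid 512",
    "2014-03-11T09:05:01 10.0.0.5 c2.example.invalid 498",
    "2014-03-11T09:10:00 10.0.0.5 c2.example.invalid 530",
    "2014-03-11T09:14:59 10.0.0.5 c2.example.invalid 501",
    "2014-03-11T09:20:00 10.0.0.5 c2.example.invalid 515",
    "2014-03-11T09:00:12 10.0.0.7 news.example.invalid 20481",
    "2014-03-11T09:01:40 10.0.0.7 news.example.invalid 8871",
    "2014-03-11T09:17:05 10.0.0.7 news.example.invalid 30122",
    "2014-03-11T09:43:33 10.0.0.7 news.example.invalid 1200",
    "malformed line that the parser must skip",
]


def triage():
    """Run both checks over the constructed sample and return the findings."""
    return {
        "attachments": risky_attachments(SAMPLE_ATTACHMENTS),
        "beacons": find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)),
    }


if __name__ == "__main__":
    print(triage())
```

Two caveats a practitioner would apply before trusting this in production: legitimate software (update checks, mail clients polling a server) also beacons on a timer, so known-good destinations need an allow-list, and a payload that randomises its sleep interval will push the jitter above the threshold, so the threshold is a tuning knob, not a constant. The point of the behavioural check is that it does not depend on the C2 host already being a published indicator, which is exactly the gap the Y2011-Y2012 observation later in the deck illustrates.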
  18. Overall Observation
      <CENSORED>
  19. Observation
      Similar observation from FireEye
      Date: 22 May 2014
      URL: http://www.infosecurity-magazine.com/view/38532/fireeye-backs-washington-with-new-apt1-data-linking-attacks-to-china/
  20. 18 Feb 2013
      Mandiant released a report named “APT1”; it claims that China's PLA Unit 61398 is responsible for attacks on at least 141 US organizations and companies.
      Report: http://intelreport.mandiant.com/
      News: http://blog.ifeng.com/article/23454037.html
  21. APT1 Report Summary
      Highlights of the report include:
      ● APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.
      ● APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations.
      ● APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.
      ● APT1 maintains an extensive infrastructure of computer systems around the world.
      ● In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.
      ● The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds, of human operators.
      ● In an effort to underscore that there are actual individuals behind the keyboard, Mandiant is revealing three personas that are associated with APT1 activity.
      ● Mandiant is releasing more than 3,000 indicators to bolster defenses against APT1 operations.
  22. APT1 Report
      143.89.xxx.xxx? HKUST? Oh yeah!
  23. APT1 Report
      What is HTRAN communication?
  24. Okay, HKUST time
      VXRL tried to search 143.89.xxx.xxx:
  25. Okay, HKUST time (Y2012)
  26. Okay, HKUST time (Y2011)
      Leak of APT domains
      URL: http://www.r00tsec.com/2011_08_14_archive.html
  27. Okay, 143.89.*.* history :-)
  28. Okay, HKUST time (Y2011)
      Reference:
      http://pastebin.com/yKSQd5Z5
      http://www.secureworks.com/cyber-threat-intelligence/threats/htran/
  29. Okay, as an alumnus, I made a query to ITSC:
      <CENSORED>
  30. Okay…..?!
      <CENSORED>
  31. Okay, let us talk about HKUST
      As an alumnus, I made the following query on 11 March 2014:
      <CENSORED>
  32. Okay, Incident Response policy :-)
      http://itsc.ust.hk/services/it-security/incident-responses/
      Alright, no policy at all :)
  33. Observation
      Y2011-Y2012: no one knew the machine was compromised.
  34. Other than the ranking, please take care of your information and systems, HKUST :-)
      <CENSORED>
  35. Lesson Learnt
      How about your company?
      React only when an incident strikes?
      Can you take the reputation-loss risk?
  36. Recent News
      5 PLAs wanted by FBI
      http://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html?_r=0
      FBI Most Wanted
      http://www.fbi.gov/wanted/cyber
  37. Counter comments against APT1 Report
      Ran2, VXRL: Ran2 raised comments that some points in the report are not sufficient.
      URL: http://espionageware.blogspot.hk
  38. In fact, China is also a victim :-)
      China is a victim, too :) @ AVTokyo 2013.5 Conference - Darkfloyd x Zetta
      URL: http://www.slideshare.net/anthonylai1668/avtokyo-2014-0xdfzetta
  39. Targeted by Fangongheike
  40. Thank you for listening
      Email: Darkfloyd[at]vxrl.org
      Twitter: @anthonation
