2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset

Examining dominant APT themes and looking forward to prevalent mobile and tablet related attacks and offensive technologies. APT-related Flash exploits appeared in high volume at the time. (Unfortunately, SlideShare doesn't do PowerPoint animation.)

  • Slide #6, duration: 1.5 min. On this slide you can see common IT security policy mistakes. The biggest mistake is to ignore network share access rights. There might be an open share on an internal file server or on an end-user work desktop. (Question to the audience): Has anybody of you ever shared a file directory from your work computer (desktop or laptop), i.e. to transfer files to a co-worker's computer? (Next question): Did you open it for unlimited users or just for a dedicated person? Did you disable it later or just forget? Sooner or later this can be a great source of malware redistribution in your organization. Look now at the slide: this mistake is responsible for about 35% of incidents! There was an interesting case in one of the school districts in the USA. The customer has several thousand end-users connected to the CSD network. Most of them are school student computers, beginning from 3rd grade. The network included a few file share servers with unlimited access to everyone. So, everyone got infected after malware infected this network resource. The students could not do their class work, tests and lab work at school for at least a few weeks. Now about missing security patches. Modern malware takes advantage of existing vulnerabilities. A network with even a single missing patch can face a serious risk. This is a common issue that we see mostly in small organizations, where the number of end-users is less than 500. They either do not have enough expertise or ignore patching completely. A partially protected environment means that the antimalware solution is installed on part of the network, leaving other resources unprotected. We have had some incidents related to firmware vulnerabilities. There was a software vulnerability in some DSL router device. The impact of it was huge: a possible lawsuit. And the last mistake is to believe that tools and software downloaded from the Web are always good software.
  • Slide #8, duration: 10 sec. This was general information. Now, a few practical examples. The first is the Zbot outbreak: root cause, risk to the business, suggestions.
  • 2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset

    1. 2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset. Extending the APT infiltration into new technologies. SAS 2012. Kurt Baumgartner, Senior Security Researcher, Global Research and Analysis Team, kurt.baumgartner@kaspersky.com
    2. The Infiltration, 2011 and Prior. Targeted attacks and subsets: "The APT" v "APT" v "APTs"? 'It's a "who", not a "how".' General targeted attack activity, the APT and targets. 2011 attack details and IoC. Post-Windows world? Attacks 2012 and beyond.
    3. The APT Infiltration, 2011 and Prior. Timelines! Corporate organizations are now defending themselves against nation states? Note: the chart leaves out NGOs like Tibet's Government in Exile, the Falun Gong, various political and non-profit orgs, etc. "State of the Hack: It's the End of the Year as We Know It 2011", Mandiant, http://www.mandiant.com/presentations/state_of_the_hack_its_the_end_of_the_year_as_we_know_it_-_2011/
    4. The Infiltration, 2011. Persistent? Relentless.
    5. The Infiltration, 2011. Offensive Security R&D Investment: indications of attack investment. Flash: simple fuzzing, one-bit adjustment (fairly low). Mitsubishi Heavy Industries: low. RSA: medium (0day along with Poison Ivy?). Lockheed Martin: medium (another 0day + RAT?). Google: fairly low (IEPeers 0day). Tibetans, Uyghurs: low. Undisclosed law firms: low. Beltway think tanks: low. Massive Fortune 50 energy firms: low. Various overseas political groups: low. Human rights groups: low. Setting up, rotating, maintaining thousands of C2: fair effort. Email automation: low. Translators/social engineers and schemers: fair effort.
    6. Targeted Attacks and Infiltration. Email as a Vector of Attack: schemes, automation. • Phishing with better bait: themes of relevant geographical, timely conference discussions, familiar interests, urgent geopolitical interests, shared financial interests. • Automated schemes and changing work hours to fit targets.
    7. Targeted Attacks, "Steal Everything". Exploitation: examining the attackers' work. 2011 exploitation: Adobe Flash, Adobe Reader, Mozilla Firefox, Microsoft Office documents and Windows system components. Let's discuss one of their favorites from this past year (CVE-2011-0611). Malicious PDF ??? Tools: PdfStreamDumper, http://sandsprite.com/blogs/index.php?uid=7&pid=57; Flash Player Debugger (Flash Player Projector content debugger), http://www.adobe.com/support/flashplayer/downloads.html; Fdb.exe from the Flex SDK, http://opensource.adobe.com/wiki/display/flexsdk/Downloads; SWFTools with SWFDump, although a Flash decompiler might help; Olly and patience (there is no crash); XVI32 or another hex editor, since .AS structures will be obfuscated and mangled. Note: Adobe code can be a lot like Microsoft code, unexpected structures result in unexpected runtime behaviors.
    8. Targeted Attacks, "Steal Everything". Exploitation: examining the attackers' work. Laying out the 2 ActionScripts with static and dynamic analysis: replaceString on obfuscated code strings; call hexToBin on the concatenated strings; 8.swf/Mainline.as calls loadBytes on the *de-obfuscated* "ddd.swf" and loads it to run; it is this badly mangled file that triggers the exploit for CVE-2011-0611. ddd.swf attacks authplay.dll with its own ActionScript custom function called on a confused object type. Object type confusion is the name of the game: a failure in authplay flow verification. Heap spray and a chunked multi-stage shellcode deobfuscation stub; kernel32 decomposed API call hash resolution and use (_lcreat, _lwrite, _lread, _lseek) provides ROP with over 50 links; drops a dll from the pdf content to %temp%; LoadLibrary(AdobeARM.dll) writes out rudll.dll, registers it as the 6to4 ServiceDll, loads into svchost.exe. http://www.fortiguard.com/sites/default/files/CanSecWest2011_Flash_ActionScript.pdf
    9. Targeted Attacks, "Steal Everything". Post Exploitation: data collection, lateral movement, exfiltration. 365day and folks that don't update: "anyone who has an interest in security has already updated". Really? Effective but stale exploitation vs 0day and "original research" or the "author". RATs, backdoors, spyware. Data thievery. Communications: encrypted? Comments Crew, Shady? Low investment: Pass-the-Hash utils, WCE. New Active Directory vulnerability. Archivers (rar), 7z, available source. POSTs, FTP, outbound obfuscated communications.
    10. Targeted Attacks, "Steal Everything". Post Exploitation: why "these" tools? 2011 backdoors: Poison Ivy, Agent, Agent, Agent2… Why Poison Ivy? Where is it from? ChaseNET hacker "forums" founded by previous Evil Eye Software Th3ChaS3r. Members included ksv, shapeless, Heike, Digerati (busted in Operation Bot Roast II because of a mistaken C2 config file update)… ShapeLeSS joined ChaseNET as an 18-year-old Swedish kid in late October 2005 and coded Poison Ivy. Codius assumes the project years later and continues to distribute it for free. The SDK allows for new plugins and development, max size 7kb. Connections? No. Continued development today? No. Stable, available, and FREE builder? Yes. Free SDK? Yes. Free crypters? Yes. Quantifiable tool? Reliable? Yes. Low investment? Yes.
    11. Targeted Attacks, Identifying Details. Indicators of Compromise: indicators? artifacts? OpenIOC open source project, IoC Editor, IoC Finder. Isn't that what AV provides? Only it is based on an XML format without the performance considerations? http://openioc.org/
    12. Targeted Attacks, Identifying Details. OpenIOC? IoC examples ~ Stuxnet.
    13. A Post-Windows Environment Toolset. Tablets are everywhere.
    14. Targeted Attacks in a Post-Windows World. Abused platforms: Android and iOS dominate the market; smartphones and tablets. Blackberry(?) Windows Phone(?) Starting with the .mil space… 2011: DISA STIG Android v2.2, Dell Mobile, Good Technology "Secure Browser" includes encryption capabilities with a fallback to Safari WebKit, Dell Native Browser. Attacks start with .gov/.mil? Sign of the times…
    15. Targeted Attacks in a Post-Windows World. Originating research: offensive security and "original research"? Increased investment… HTML5 features and native support in browsers: increased attack surface (cache poisoning, clickjacking, data leakage). Attacking remote client-side BoF? http://www.slideshare.net/seguridadapple/attacking-the-webkit-heap-or-how-to-write-safari-exploits Flash for mobile replaced with HTML5 and AIR.
    16. Thank You. Kurt Baumgartner, Senior Security Researcher, Global Research and Analysis Team, kurt.baumgartner@kaspersky.com
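Slide 11 asks what OpenIOC adds over what AV provides; as an added example (not the deck's, Mandiant's or any IoC Finder code), here is a minimal evaluator for the OpenIOC 1.0 nested AND/OR indicator tree, run over constructed host records that describe the artifacts slide 8 lists (rudll.dll registered as the 6to4 ServiceDll). The field names FileItem/Md5sum, ServiceItem/name and ServiceItem/serviceDLL, and the matching rule (an item matches if any collected record satisfies it) are assumptions; the MD5 is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document (not from the deck) for the artifacts slide 8
# lists: rudll.dll registered as the 6to4 ServiceDll. MD5 is a placeholder.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-0001">
  <short_description>Constructed: rudll.dll 6to4 ServiceDll dropper</short_description>
  <definition>
    <Indicator operator="OR" id="i1">
      <IndicatorItem id="ii1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000000</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i2">
        <IndicatorItem id="ii2" condition="is">
          <Context document="ServiceItem" search="ServiceItem/name" type="mir"/>
          <Content type="string">6to4</Content>
        </IndicatorItem>
        <IndicatorItem id="ii3" condition="contains">
          <Context document="ServiceItem" search="ServiceItem/serviceDLL" type="mir"/>
          <Content type="string">rudll.dll</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

# Constructed host evidence: one dict per collected artifact, keyed by the
# OpenIOC search path (a collector such as IoC Finder would gather these).
INFECTED_HOST = [
    {"FileItem/Md5sum": "ffffffffffffffffffffffffffffffff", "FileItem/FileName": "agenda.pdf"},
    {"ServiceItem/name": "6to4", "ServiceItem/serviceDLL": r"C:\Windows\System32\rudll.dll"},
]
CLEAN_HOST = [
    {"ServiceItem/name": "6to4", "ServiceItem/serviceDLL": r"C:\Windows\System32\6to4svc.dll"},
]

def item_matches(item, records):
    """One IndicatorItem matches if any collected record satisfies it."""
    search = item.find("ioc:Context", NS).get("search")
    want = item.find("ioc:Content", NS).text.strip().lower()
    cond = item.get("condition")
    for rec in records:
        have = (rec.get(search) or "").lower()
        if (cond == "is" and have == want) or (cond == "contains" and have and want in have):
            return True
    return False

def indicator_matches(ind, records):
    """Combine child results with the Indicator's AND/OR operator (recursive)."""
    results = []
    for child in ind:
        tag = child.tag.split("}")[-1]  # strip the namespace
        if tag == "IndicatorItem":
            results.append(item_matches(child, records))
        elif tag == "Indicator":
            results.append(indicator_matches(child, records))
    if not results:
        return False
    return all(results) if ind.get("operator", "OR").upper() == "AND" else any(results)

def evaluate(ioc_xml, records):
    """True if the IOC's top-level Indicator matches the host's records."""
    root = ET.fromstring(ioc_xml)
    return indicator_matches(root.find("ioc:definition/ioc:Indicator", NS), records)
```

The legitimate 6to4 service on the clean host satisfies only the name item, so the AND branch fails and the host is not flagged; the infected host matches through the service branch even though the MD5 item misses.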
