A look at the methodology and techniques of hackers, cyber criminals and state-sponsored attackers. Explores the kill chain, geopolitical instability and the dark web.
6. Hacktivism
Hacking and exposure
Gaining unauthorized access to and publicly exposing in plain view on the Internet large amounts of confidential data, with the goal of causing monetary and reputational damage to the targeted entity.
Distributed denial-of-service (DDoS)
usually infected with a Trojan or other form of malware to flood a targeted system, usually one or more web servers of a website.
DDoS attacks are the hacktivists' cyber attack weapon of choice.
• They do not require actual hacking knowledge or skill.
• Many “off-the-shelf” tools are available right on the Internet.
Doxing
Gathering and exposing valuable personal information of public figures such as politicians and celebrities to the benefit of the hacktivist, and to make the target react or take action in a way that favours the hacktivist's ideology.
8. Cyber Crime
The top five cybercrime specialties, courtesy of the FBI, are:
• Coders who write malware, exploits and data theft tools
• Vendors who trade stolen data, malware kits and footholds in compromised networks
• Criminal IT staff who maintain criminal IT infrastructure such as servers and bulletproof ISPs
• Hackers who seek and exploit application, system and network vulnerabilities
• Fraudsters who create social engineering ploys such as phishing and domain squatting
Common tools and techniques:
• Botnets
• Fast flux networks
• Social engineering
• Denial-of-service attacks
• Skimmers
• Spam
9. Cyber Crime
Cybercriminals have developed sophisticated crimeware kits (Zeus, Citadel, Eleonore, Phoenix)
• Easy-to-use development tools
• Service level agreements – CaaS (Crimeware as a Service)
• Evasion and anti-detection built in
10. Cyber Crime – going mobile
Trend of the year: mobile banking Trojans
• 2013 was marked by a rapid rise in the number of Android banking Trojans
• Botnet targeting Android smartphone users who bank at financial institutions in the Middle East
11. Cyber Crime – going mobile
In 2013 cybercriminals made use of some exceptionally sophisticated methods to infect mobile devices.
• Infecting popular websites (watering holes)
• Distribution via botnets by sending out text messages
17. Kill Chain - Reconnaissance
• Target is analyzed and scoped to identify potential attack vectors
• Open source intelligence:
  • Social media, conferences, company directories, public records
  • Public web site mapping
  • Server scanning and fingerprinting
19. Kill Chain - Delivery
Common attack vectors:
• Common vulnerability (e.g. SQL injection)
• Zero-day exploits
• USB keys
• Insider threat
• Physical access to devices
• Interactive social engineering
• “Spear Phishing”*
20. Spear Phishing
From: Greg
To: Jussi
Subject: need to ssh into rootkit
im in europe and need to ssh into the server. can
you drop open up firewall and allow ssh through
port 59022 or something vague? and is our root
password still 88j4bb3rw0cky88 or did we change
to 88Scr3am3r88 ? thanks
22. Kill Chain - Exploitation
• Backdoors implemented as Windows services
• Usually “hide in plain sight”
• Use a simple command set
• Dwell time is a measure of the time that an intruder has on the network
• Takes on average 18 days to respond to and remove an intrusion
23. Kill Chain - Command & Control
Once inside a network, malware “beacons” out to Command and Control (C2) servers.
• C2 servers are either compromised or rented
• Traffic is usually HTTP, HTTPS or DNS and mimics common protocols
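Because C2 traffic mimics ordinary HTTP, HTTPS or DNS, inspecting content alone rarely catches it; the timing does. The Python script below is an added example, not part of the deck, that groups outbound requests from a constructed proxy log by (source IP, destination host) and flags pairs whose inter-request intervals are almost constant, the signature of a timer-driven beacon. The log format, hostnames, addresses and thresholds are all assumptions for the example.

```python
"""Beacon detection from request timing (added example, not from the deck).

A C2 beacon calls home on a timer, so the gaps between its requests are
nearly equal; human browsing is bursty. Each (source, destination) pair is
scored by the coefficient of variation (CV) of its inter-request intervals."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO timestamp> <source IP> <destination host> <bytes>".
# 10.0.0.5 polls the same host every ~5 minutes; 10.0.0.7 is a person browsing.
SAMPLE_LOG = """\
2014-03-01T10:00:00 10.0.0.5 update.example-cdn.net 512
2014-03-01T10:05:01 10.0.0.5 update.example-cdn.net 514
2014-03-01T10:10:00 10.0.0.5 update.example-cdn.net 510
2014-03-01T10:14:59 10.0.0.5 update.example-cdn.net 513
2014-03-01T10:20:00 10.0.0.5 update.example-cdn.net 511
2014-03-01T10:25:01 10.0.0.5 update.example-cdn.net 512
2014-03-01T10:00:12 10.0.0.7 www.news-site.example 38211
2014-03-01T10:00:40 10.0.0.7 www.news-site.example 2048
2014-03-01T10:07:03 10.0.0.7 www.news-site.example 91000
2014-03-01T10:31:55 10.0.0.7 www.news-site.example 4102
2014-03-01T11:02:09 10.0.0.7 www.news-site.example 7320
2014-03-01T11:02:15 10.0.0.7 www.news-site.example 120
"""


def parse_log(text):
    """Group request timestamps by (source IP, destination host)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, src, dst, _size = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(stamp))
    return flows


def beacon_score(timestamps):
    """Return (mean interval in seconds, CV) for one flow, or None if too short.

    CV = standard deviation / mean of the inter-request intervals. A fixed
    timer with small jitter gives a CV near 0; interactive use gives CV ~ 1."""
    stamps = sorted(timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if len(intervals) < 3:
        return None
    mu = mean(intervals)
    if mu == 0:
        return None
    return mu, pstdev(intervals) / mu


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Return sorted (src, dst, rounded mean interval) for beacon-like flows.

    The request count and CV thresholds are assumptions for this example;
    calibrate them against the environment's normal traffic."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        score = beacon_score(stamps)
        if score is not None and score[1] <= max_cv:
            hits.append((src, dst, round(score[0])))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, period in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
```

On the sample log the 10.0.0.5 flow scores a CV near 0.003 with a ~300 s period and is reported, while the browsing flow scores above 1 and is ignored. Beacons with randomised sleep defeat a plain CV threshold, which is why real detectors also look at request size uniformity and at how long the pattern persists.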
24. Covert channels - DNS tunnelling
DNS tunnelling tools:
• OzymanDNS
• Dns2tcp
• Iodine
• Heyoka
• DNSCat
• NSTX
• DNScapy
• MagicTunnel, Element53, VPN-over-DNS (Android)
• DNS tunnels are commonly used to carry out covert file transfers, C&C server traffic and web browsing
• Botnets can use DNS tunnelling as a covert channel, and these covert channels are very hard to detect
Covert storage channels – steganography, unused parts of packets
Timing covert channels – modulating resources and response time (accurate clock)
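DNS tunnels are hard to detect with signatures because the tunnel data is hidden in otherwise well-formed queries, but the tools listed above share a footprint: many unique, long, high-entropy subdomains under one registered domain, often with uncommon record types. The Python script below is an added example, not part of the deck, that scores each registered domain in a constructed query log on those indicators. The log format, domain names, thresholds and the two-label approximation of the registered domain are assumptions for the example.

```python
"""DNS tunnel indicators from query logs (added example, not from the deck).

Tunnels encode payload in the query name, so a tunnelled domain shows many
unique, long, high-entropy subdomains and unusual record types. This script
aggregates those per-query signals by registered domain."""
import math
from collections import defaultdict

# Constructed sample query log: "<client IP> <query type> <query name>".
# Names under tun.example.org carry encoded payload; the rest are ordinary.
SAMPLE_QUERIES = """\
10.0.0.9 A www.example.com
10.0.0.9 A mail.example.com
10.0.0.9 AAAA cdn.example.com
10.0.0.9 TXT 3q2e6f7g8h9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x.tun.example.org
10.0.0.9 TXT 9a8b7c6d5e4f3g2h1i0j9k8l7m6n5o4p3q2r1s0t.tun.example.org
10.0.0.9 TXT a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0.tun.example.org
10.0.0.9 TXT z9y8x7w6v5u4t3s2r1q0p9o8n7m6l5k4j3i2h1g0.tun.example.org
10.0.0.9 TXT 0t9s8r7q6p5o4n3m2l1k0j9i8h7g6f5e4d3c2b1a.tun.example.org
10.0.0.9 NULL f0e1d2c3b4a5968778695a4b3c2d1e0f1a2b3c4d.tun.example.org
10.0.0.9 A images.example.com
"""


def registered_domain(qname):
    """Approximate the registered domain as the last two labels.

    Assumption of this example: a real tool should use the Public Suffix
    List, because this shortcut gets names like example.co.uk wrong."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text):
    """Bits per character of the string; encoded payload scores far above words."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def query_indicators(qname, qtype, min_len=30, min_entropy=3.5):
    """Per-query signals. Thresholds and the 'rare' type set are assumptions."""
    labels = qname.rstrip(".").lower().split(".")
    subdomain = "".join(labels[:-2])  # everything left of the registered domain
    return {
        "long_subdomain": len(subdomain) >= min_len,
        "high_entropy": shannon_entropy(subdomain) >= min_entropy,
        "rare_qtype": qtype.upper() in {"TXT", "NULL"},
    }


def find_tunnel_domains(text, min_unique=5, min_ratio=0.8):
    """Return {domain: stats} for domains whose queries mostly look like payload.

    A domain is reported when it has at least min_unique distinct names and
    at least min_ratio of its queries are long AND (high-entropy OR rare type)."""
    per_domain = defaultdict(lambda: {"queries": 0, "names": set(), "flagged": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        _client, qtype, qname = line.split()
        stats = per_domain[registered_domain(qname)]
        stats["queries"] += 1
        stats["names"].add(qname.lower())
        ind = query_indicators(qname, qtype)
        if ind["long_subdomain"] and (ind["high_entropy"] or ind["rare_qtype"]):
            stats["flagged"] += 1
    hits = {}
    for domain, s in per_domain.items():
        if len(s["names"]) >= min_unique and s["flagged"] / s["queries"] >= min_ratio:
            hits[domain] = {"queries": s["queries"],
                            "unique_names": len(s["names"]),
                            "flagged": s["flagged"]}
    return hits


if __name__ == "__main__":
    for domain, stats in find_tunnel_domains(SAMPLE_QUERIES).items():
        print(f"possible DNS tunnel: {domain} {stats}")
```

Aggregating by registered domain rather than judging single queries matters: CDNs and anti-spam services legitimately produce long, random-looking names, but they do not usually combine that with a near-100% ratio of such names and TXT/NULL lookups from one client. A low-and-slow tunnel that sends few queries per hour will stay under the unique-name threshold, so pair this with volume baselining over longer windows.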
26. Kill Chain - Lateral Movement
• Attacker performs internal reconnaissance
• User enumeration
• Analysis and monitoring of host user activity
• Dump of internal and external websites
• Scan of connected systems
• “Net use” and reverse shell commands
• Password logging
• Pass-the-hash*
27. Pass the hash
• “Hash” refers to a cached credential
• Usually not the “clear text” credential
• The hash is treated as the actual credential internally by most systems
• Attackers then use hashes to move “laterally” through the network
• Network/domain privileged account - game over
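Because the hash is accepted as the credential, the defender's handle on pass-the-hash is not the credential itself but the logon pattern it produces: NTLM network logons from one account fanning out to many hosts in minutes, and a NewCredentials logon on the source workstation. The Python script below is an added example, not part of the deck, that applies those two checks to constructed Windows Security event 4624 records. Field names follow the 4624 event schema (LogonType, AuthenticationPackageName, LogonProcessName, IpAddress); the hostnames, accounts, addresses, window and host-count thresholds are assumptions for the example.

```python
"""Pass-the-hash / lateral movement indicators from Windows logon events
(added example, not from the deck).

Pass-the-hash authenticates with NTLM, so the footprint to look for is one
account producing NTLM network logons (event 4624, logon type 3) on many
hosts in a short window, often preceded by a NewCredentials logon
(type 9, logon process seclogo) on the source workstation."""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(time, host, user, logon_type, package, process, ip):
    """Build one Security 4624 record; keys mirror the event's EventData names."""
    return {"time": time, "host": host, "user": user, "LogonType": logon_type,
            "AuthenticationPackageName": package, "LogonProcessName": process,
            "IpAddress": ip}


# Constructed sample events. Hostnames, users and addresses are made up.
SAMPLE_EVENTS = [
    # alice: console logon, then a Kerberos file-share logon (normal)
    ev("2014-03-01T09:00:00", "WS-ALICE", "alice", 2, "Negotiate", "User32", "127.0.0.1"),
    ev("2014-03-01T09:01:00", "FILE01", "alice", 3, "Kerberos", "Kerberos", "10.0.0.20"),
    # svc_backup: NewCredentials logon on a workstation, then NTLM logons fanning out
    ev("2014-03-01T22:09:30", "WS-020", "svc_backup", 9, "Negotiate", "seclogo", "::1"),
    ev("2014-03-01T22:10:00", "FILE01", "svc_backup", 3, "NTLM", "NtLmSsp", "10.0.0.20"),
    ev("2014-03-01T22:10:30", "SRV02", "svc_backup", 3, "NTLM", "NtLmSsp", "10.0.0.20"),
    ev("2014-03-01T22:11:00", "SRV03", "svc_backup", 3, "NTLM", "NtLmSsp", "10.0.0.20"),
    ev("2014-03-01T22:11:30", "SRV04", "svc_backup", 3, "NTLM", "NtLmSsp", "10.0.0.20"),
    ev("2014-03-01T22:12:00", "SRV05", "svc_backup", 3, "NTLM", "NtLmSsp", "10.0.0.20"),
    ev("2014-03-01T22:12:30", "SRV06", "svc_backup", 3, "NTLM", "NtLmSsp", "10.0.0.20"),
]


def ntlm_fanout(events, window=timedelta(minutes=15), min_hosts=5):
    """Return sorted (user, [source IPs], max distinct hosts) for accounts whose
    NTLM network logons reach at least min_hosts distinct hosts inside `window`.

    The window and host count are assumptions; calibrate them on real data."""
    by_user = defaultdict(list)
    for e in events:
        if e["LogonType"] == 3 and e["AuthenticationPackageName"].upper() == "NTLM":
            by_user[e["user"]].append(
                (datetime.fromisoformat(e["time"]), e["host"], e["IpAddress"]))
    hits = []
    for user, rows in by_user.items():
        rows.sort()
        best = 0
        for i, (t0, _, _) in enumerate(rows):  # sliding window starting at each logon
            hosts = {h for t, h, _ in rows[i:] if t - t0 <= window}
            best = max(best, len(hosts))
        if best >= min_hosts:
            hits.append((user, sorted({ip for _, _, ip in rows}), best))
    return sorted(hits)


def new_credentials_logons(events):
    """Return sorted (host, user) for type-9 logons made through seclogo.

    This is the pattern left by 'runas /netonly' and by the pass-the-hash
    tooling the slide refers to; it is rare for service accounts."""
    return sorted((e["host"], e["user"]) for e in events
                  if e["LogonType"] == 9 and e["LogonProcessName"].lower() == "seclogo")


if __name__ == "__main__":
    for user, sources, hosts in ntlm_fanout(SAMPLE_EVENTS):
        print(f"{user}: NTLM logons to {hosts} hosts from {sources}")
    for host, user in new_credentials_logons(SAMPLE_EVENTS):
        print(f"NewCredentials logon via seclogo: {user} on {host}")
```

The fan-out check needs 4624 events collected from every member server, not just domain controllers, because NTLM network logons are recorded on the target host. Backup and monitoring accounts legitimately touch many hosts, so whitelist them by source IP rather than by account name, since the source IP is exactly what changes when the account is being abused.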
28. Kill Chain - Exfiltration
• Identifies targeted assets for exfiltration
• Moves data to staging servers
• Positions itself for persistent presence
• Maintains hold of key high-privilege accounts
• Remains resident on only a selection of systems
31. Snake
Back in 2008 an unknown malicious file was discovered and auto-classified as “Agent.BTZ”; it infected US military networks.
Reverse engineering showed that Snake is a more advanced variant of Agent.BTZ.
It is a rootkit using complex techniques for evading host defences, utilising covert channels over
Links to Red October and other cyber espionage campaigns
33. The Dark Side
Dark net
Deep web
Dark market
Malicious marketplace
In 2001:
• The Deep Web was 400 to 550 times larger than the commonly defined World Wide Web.
• The Deep Web held 7,500 terabytes of information compared to 19 terabytes in the surface Web.
• It contained nearly 550 billion individual documents compared to the one billion of the surface Web.
• More than 200,000 Deep Web sites existed.
• Deep Web sites were not well known to the Internet-searching public.
35. The Dark Side
To date, three main networks are used to grant anonymity on both the client and server side: TOR, I2P, and Freenet.
36. Dark market
Tor .onion domains
There are many different techniques in use, but Tor's onion router network is probably the easiest one to get started with. The .onion domains are not part of the ICANN registry and will not resolve until you are running Tor.
The combined effect leaves this form of Internet far beyond any kind of government control or regulation.
I2P network and .i2p domains
I2P works in a very similar way to Tor, although it is more flexible:
• Email
• Anonymous websites
• Blogging and forums
• Website hosting
• File sharing
• Decentralized file storage
37. Dark Market
Prices of Different Types of Goods

| Site name | Address | Type of good | Cost | Normalized cost (US$) |
|---|---|---|---|---|
| Cloned credit cards | http://mxdcyv6gjs3tvt5u.onion/products.html | EU/US credit cards | €40 | US$54 |
| NSD CC Store | http://4vq45ioqq5cx7u32.onion | EU/US credit cards | US$10 | US$10 |
| Carders Planet | http://wihwaoykcdzabadd.onion/ | EU/US credit cards | US$60–150 | US$60–150 |
| HakPal | http://pcdyurvcdiz66qjo.onion/ | PayPal accounts | 1 BTC for US$1,000 | US$126 for US$1,000 |
| Onion identity | http://abbujjh5vqtq77wg.onion/ | Fake IDs/passports | €1,000–1,150 (ID); €2,500–4,000 (passport) | US$1,352–1,555 (ID); US$3,380–5,400 (passport) |
| U.S. citizenship | http://ayjkg6ombrsahbx2.onion/silkroad/home | U.S. citizenship | US$10,000 | US$10,000 |
| U.S. fake driver's licenses | http://en35tuzqmn4lofbk.onion/ | Fake U.S. driver's license | US$200 | US$200 |
| U.K. passports | http://vfqnd6mieccqyiit.onion/ | U.K. passports | £2,500 | US$4,000 |
38. • Mapping the hidden services directory: both TOR and I2P use a domain database built upon a distributed system known as a DHT (distributed hash table).
• Social site monitoring: sites like Pastebin are often used to exchange contact information and addresses for new hidden services.
• Hidden service monitoring: most hidden services to date tend to be highly volatile and go offline very often, maybe to come back online later under a new domain name.
Conclusion
• Threats will continue to evolve
• Security breaches are inevitable
• You need collaboration from people, process & technology
• Visibility and detection are key differentiators – centralise security
• Threat intelligence: internal (system monitoring) and the external threat landscape
• Survival of the fittest - share threat intelligence with your peers
• Continual awareness and education