The Evolving Threat Landscape

Zheng Bu
Rahul Kashyap
McAfee Labs

Session ID: HT2-106
Session Classification: Intermediate

Agenda

  Vulnerabilities and Exploitation
  Targeted Attacks (APTs)
  Cybercrime Goes Social
  Q&A

Vulnerabilities and Exploitation

2010: Microsoft and Adobe Vulnerabilities Snapshot

  [Chart: Security Patches per year, 2007 to 2010, Microsoft vs. Adobe; y-axis 0 to 300. Source: McAfee Labs]

2010: High-Profile Zero-Day Vulnerabilities

  CVE-2010-0249: MS10-002 HTML Object Memory Corruption Vulnerability—Operation Aurora
  CVE-2010-2883: Adobe SING Tag Buffer Overflow Vulnerability
  CVE-2010-2884: Adobe Reader, Flash Player Code Execution Vulnerability
  CVE-2010-1297: Adobe Flash Memory Corruption Vulnerability
  CVE-2010-1885: Windows Help and Support Center Vulnerability
  CVE-2010-1240: PDF/Launch Attack—Zeus
  CVE-2010-2568: Windows Shortcut Icon Loading Vulnerability—Stuxnet
  CVE-2010-2729: Print Spooler Service Impersonation Vulnerability—Stuxnet

  Steady increase in attacks targeting client software. Adobe and Microsoft were popular exploit victims.

Malware Writers Love Adobe Vulnerabilities

  [Chart: Productivity Application Vulnerability Based Malware, 2010: MS Office (Word, Excel, PowerPoint) vs. Adobe Reader, Acrobat. Source: McAfee Labs]

Which Adobe App Was Most Exploited in 2010? The Winner Is Reader!

  [Chart: Adobe: Unique Malware Detected in the Wild, Adobe Flash vs. Adobe PDF. Source: McAfee Labs]

Mitigation vs. Exploitation: a Catch-Up Game

  Stack Overflow Attacks: Stack Canary Checks, Safe SEH
  Heap Overflow Attacks: Heap Safe Unlink
  Shellcode Execution: Data Execution Prevention (DEP/NX)
  Address Space Layout Randomization (ASLR)
  JIT Spray, Return Oriented Programming (ROP)

Case Study: CVE-2010-2883
Adobe SING Tag Buffer Overflow Vulnerability

  "Classic" stack overflow
  Exploit does not overwrite return address
  Overwrite pointer in the stack to bypass stack protection

  Source: McAfee Labs

Case Study: CVE-2010-2883
Adobe SING Tag Buffer Overflow Vulnerability

  Use ROP techniques in the shellcode to bypass DEP+ASLR.
  Special staged shellcode for this DLL

  Source: McAfee Labs

DEP+ASLR=Peace of Mind!

  Vulnerability                                                                            | Exploitation technique
  Adobe Products Authplay.dll Code Execution [CVE-2010-3654]                               | ROP Shellcode
  Adobe Products Authplay.dll Code Execution [CVE-2010-2884]                               | ROP Shellcode
  Adobe Flash Player, Reader, and Acrobat 'authplay.dll' [CVE-2010-1297]                   | ROP Shellcode
  Adobe Reader and Acrobat XFA TIFF Support Code Execution Vulnerability [CVE-2010-0188]   | ROP Shellcode
  Adobe Reader 'CoolType.dll' TTF Font Vulnerability [CVE-2010-2883]                       | ROP Shellcode
  Adobe Reader and Acrobat 'newplayer()' JavaScript Method Vulnerability [CVE-2009-4324]   | ROP Shellcode

Stealthy Exploitation

  AKA: Harmonious Exploitation ("和谐漏洞利用")
  Qualifications:
    No intrusive reconnaissance required
    Application and platform awareness
    Robust exploitation
    No impact on availability of the target service
    No impact on availability of the target application
    Bypassing the security mitigations on the target (GS, DEP, ASLR, etc.)
    Adaptive to complex network environments, scalable, C&C ready
    Network Security Inspection Device evasion

Stealthy Exploitation: Case Study

  Exploits that identify Adobe Reader versions
  Exploits that open a legit PDF file on successful exploitation
  Exploits that obfuscate to evade NIPS inspection

Welcome to the "App Store" of Exploit Kits

Crimepack

  Features include:
    Tracking website stats
    Regularly updated exploits
    Geo location tracker
    OS stats
    Browser stats
    Test attack before launching
    Success rate

Targeted Attacks (Advanced Persistent Threats)

Case Study: Operation Aurora

  A coordinated attack targeting a rapidly growing list of companies, including Google, Adobe, Juniper, Symantec, and others
  Exploits a zero-day vulnerability in Internet Explorer
  Lures users to malicious websites, installs Trojan malware on systems, uses Trojan to gain remote access
  Uses remote access to gain entry to corporate systems, steal intellectual property (including source code), and penetrate user accounts

Operation Aurora: Modus Operandi

  1. Attack initiated: User with IE vulnerability visits website infected with Operation Aurora malware
  2. Attack in progress: Website exploits vulnerability; malware (disguised as JPG) downloaded to user's system
  3. Attack setup complete: Malware installed on user's system; malware opens back door (using custom protocol acting like SSL) that gives access to sensitive data

Operation Aurora: Exploit

  Payload has multiple levels of obfuscation to disguise the payload
  Payload exploits a zero-day vulnerability in Internet Explorer
  The attack uses heap spray and downloads a fake image—an XOR'ed binary.
  The backdoor is now installed and sends out fake SSL traffic

  [Figures: Original obfuscated exploit; De-obfuscated exploit]

Cybercrime Goes Social

Abusing Social Networks

  Fake accounts on sale
  Accounts can be used to send spam, phishing, fake products/services, or malicious downloads
  Prices vary depending on the quality of account

  Source: McAfee Labs

"Social" Hacktivism

  2010 had several instances of activist groups launching protests over the Internet
  DDoS seems to be the favorite vector
  Lines between cyberwarfare and hacktivism continue to blur

  Source: McAfee Labs

Operation Payback

Operation Payback

  The attack tool was a modified, public open-source tool called LOIC
  Created a "social botnet" using HIVE mode
  Attack vector is unsophisticated, but has temporary impact on global enterprises

Conclusions

  Client-side attacks are on the rise
  There is no silver bullet for security; all the available known defenses can be bypassed
  Stealthy exploitation makes attacks more difficult to detect
  APTs leverage all of the latest exploitation techniques and are becoming the most severe threats for businesses
  Social networks have been leveraged by attackers and hacktivists
  Do not completely rely on security protection from vendors. Use extreme caution when you surf!
