Targeted Attacks on Major Industry Sectors in South Korea
CHA Minseok (Jacky Cha, 車珉錫) – Full Version
Senior Principal Malware Researcher
AhnLab | ASEC | Analysis Team
AVAR 2017 (December 7, 2017)
Contents
01 Cyber Attacks in South Korea, 2017
02 Infection Vector
03 Andariel Group
04 Operation Red Dot
05 Operation Bitter Biscuit
06 Who Is Behind The Attacks?
07 Conclusion
01
Cyber Attacks in South Korea, 2017
© AhnLab, Inc. All rights reserved. 4
VenusLocker Ransomware
• Spear Phishing
- Email written in Korean
* Source: http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?seq=26309
VenusLocker Ransomware
• Macro Downloader
- Chinese font?!
Erebus Ransomware
• Web hosting company Nayana was hit by Erebus ransomware
- Attack occurred on June 10, 2017 at 1:00 am
- Files on 153 servers were encrypted; 5,496 websites were affected; paid over $1 million
- 2 similar attacks in November (different Linux ransomware)
* Source: http://securityaffairs.co/wordpress/60281/malware/erebus-ransomware-hit-south-korea.html & http://english.etnews.com/20171109200001 & http://ciobiz.etnews.com/news/article.html?id=20171129120027
ATM Hacking
• ATM Hacking (by Andariel Group)
- 230,000 credit cards in total were leaked (September 2016 ~ February 2017)
- Illegal withdrawals through ATMs in China, Thailand and Taiwan
- 4 suspects arrested → obtained the private financial data from a middleman who claimed he got the information from a North Korean
- Malware used in this attack was very similar to the malware used in the Korean MND hacking
* Source: http://english.yonhapnews.co.kr/news/2017/09/06/0200000000AEN20170906007600315.html & http://www.itworld.co.kr/news/106281
Cryptocurrency Exchange Platform Hacked
• Cryptocurrency Exchange Platform Hacked
- Malicious Hangul document (HWP) file as attack vector
- Customer data leaked
- Maybe by the threat group behind Operation Red Dot
* Source: http://uk.businessinsider.com/south-korean-bitcoin-exchange-bithumb-hacked-ethereum-2017-7 & http://www.hani.co.kr/arti/economy/it/801322.html
Supply Chain Attack
• Supply Chain Attack
- Backdoor found in Netsarang server management software
* Source: https://securelist.com/shadowpad-in-corporate-networks/81432 & http://www.netsarang.co.kr/news/security_exploit_in_july_18_2017_build.html
Travel Agency Breached
• South Korea's Largest Travel Agency Hacked
* Source: https://coinjournal.net/south-koreas-largest-travel-agency-breached-hacker-demands-bitcoin-payment/ & http://www.hanatour.com/asp/custcenter/bb-20000.asp
Activity groups/APTs in South Korea
(Timeline figure spanning 2007-2018; group names recovered from the slide, with their malware in parentheses)
- Icefog
- OP Red Dot (Escad, Loader)
- Andariel (Rifdoor, GhostRat, Phandoor, Andarat)
- Dllbot
- Xwdoor
- OP Black Mine (Bmdoor)
- OP Bitter Biscuit (Bisonal, Dexbia)
- OP Happy Dragon
- Kimsuky
- Plugx (Korplug)
02
Infection Vector
Infection Vector
(Diagram; labels recovered from the slide)
- Watering hole (ActiveX)
- Email (Spear Phishing)
- Update server: Supply Chain / IT Maintenance Services
- IT Management system: vulnerability attack, update, listening port, send file transfer commands
- Web Server: listening port, port scanning, vulnerability attacks
- C2
03
Andariel Group
Andariel
• Andariel
- Presumed to be another Lazarus spinoff
- DarkSeoul (2013), Operation Black Mine (2014-2015)
- Operation Ghost Rifle == Operation Anonymous Phantom == Operation Golden Axe == Campaign Rifle
- Targets: Defense Industry, Cyber Security Companies, Political Institutions, MND (Ministry of National Defense), Finance Sector, Energy Research Institution etc.
- Attack Vectors: Spear Phishing, Watering Hole (ActiveX vulnerability), IT Management System Vulnerability, Supply Chain Attack
- Malware: Andarat, Bmdoor, GhostRat, Rifdoor, Phandoor
- AhnLab published the whitepaper in July 2017
- FSI (Financial Security Institute) published the whitepaper in August 2017
Malware
• They are using various malware
- Exploits: ActiveX, Flash, IT Management System
- Stealers / Tools: Backdoor (Andarat, Bmdoor, GhostRat, Phandoor, Rifdoor, Xtreme), Keylogger, Mimikatz, OSQL, Privilege Escalation, Putty Link, Proxy Server, Port Scanner, Wiper
Andariel Timeline
(Timeline figure spanning 2008-2018; labels recovered from the slide)
- Events: 7.7 DDoS, 3.4 DDoS, 3.20 Cyber attack (DarkSeoul) & 6.25 Cyber Attack, 3.20 cyber-attack (gathering information), ActiveX vulnerabilities attack, Security breach of major companies, MND hacked, ATM hacked
- Operations / malware: Dllbot, Xwdoor, Operation Black Mine (Bmdoor), Operation Ghost Rifle (Rifdoor), Operation Anonymous Phantom (Phandoor)
- Targets: Security Company, Defense Company, Seoul ADEX participants, Financial Sector, Travel Agency, Energy Research Institute, Korean Government
Infection Vector – ActiveX A
• Report Product A Exploit
- Script file created → downloaded
Infection Vector – ActiveX A
• Script
- First 5 bytes of the download removed (MZ...) → the lost first 5 bytes recovered (MZ...)
Infection Vector – IT Management B
• IT Management Product B exploit
- V3PScan.exe file distributed through the IT Management System
Infection Vector – IT Management B
• IT Management Product B Ports
- 3511: Client Listen Port
- 3523, 3524: File Transfer
* Source: Product B User Manual (2004)
Infection Vector – IT Management C
• IT Management Product C exploit
- Target IP, Download URL, Path
- Product C file transfer (Port 7224)
Infection Vector – IT Management C
• Script
- File downloaded and the 5 bytes (MZ) recovered
- Argv: Download URL
- Argv: Remote File Path
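The scripts on the ActiveX A and IT Management C slides both fetch a PE whose first 5 bytes (starting with "MZ") were cut off in transit and put them back on the endpoint. The Python below is an added example, not code from the talk or from AhnLab: a defender-side check that recognises such a headless PE in a captured download by locating e_lfanew and the "PE\0\0" signature at a shifted offset, generalised from the 5-byte case to any small cut, and rebuilds a parseable header for analysis. The sample PE bytes are constructed inline, and KNOWN_MACHINES is my own choice of accepted COFF machine values.

```python
import struct

# COFF Machine values the detector accepts (x86, x64, ARM, ARM64); my own choice.
KNOWN_MACHINES = {0x014C, 0x8664, 0x01C0, 0xAA64}


def pe_signature_ok(data: bytes, strip: int) -> bool:
    """True if `data` looks like a PE image whose first `strip` bytes are missing.

    In an intact PE the DOS header stores e_lfanew at offset 0x3C, and that value
    is the file offset of "PE\\0\\0" followed by the 20-byte COFF header. If
    `strip` leading bytes were cut off, both land `strip` bytes earlier.
    """
    lfanew_off = 0x3C - strip
    if lfanew_off < 0 or lfanew_off + 4 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, lfanew_off)[0]
    sig_off = e_lfanew - strip
    # e_lfanew must point past the DOS header, and signature + COFF header
    # must fit inside the blob.
    if e_lfanew < 0x40 or sig_off < 0 or sig_off + 24 > len(data):
        return False
    if data[sig_off:sig_off + 4] != b"PE\x00\x00":
        return False
    machine = struct.unpack_from("<H", data, sig_off + 4)[0]
    return machine in KNOWN_MACHINES


def find_stripped_header(data: bytes, max_strip: int = 0x3C) -> int:
    """Return how many leading bytes a PE is missing (0 = intact), or -1 if not a PE.

    Every cut length up to `max_strip` is tried: the droppers in the talk remove
    5 bytes, but the check should not depend on that exact number.
    """
    for strip in range(0, max_strip + 1):
        # Whatever survives of the "MZ" magic must still sit at the start.
        magic_left = b"MZ"[strip:]
        if data[:len(magic_left)] != magic_left:
            continue
        if pe_signature_ok(data, strip):
            return strip
    return -1


def restore_header(data: bytes, strip: int) -> bytes:
    """Prepend a stand-in for the missing bytes so PE tooling can parse the file.

    The Windows loader reads only e_magic ("MZ") and e_lfanew from the DOS
    header; the original bytes in between are unknown here, so they are
    zero-filled (assumption for analysis, not a byte-exact reconstruction).
    """
    if strip <= 0:
        return bytes(data)
    prefix = (b"MZ" + b"\x00" * strip)[:strip]
    return prefix + bytes(data)


def build_sample_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE-shaped blob (not real malware): DOS header with
    e_lfanew, padding, "PE\\0\\0", an x86 COFF header and some filler."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"\x00" * (e_lfanew - 0x40) + b"PE\x00\x00" + coff + b"\x00" * 64


def classify_download(blob: bytes) -> str:
    """Verdict string for a captured download, as a content filter might log it."""
    strip = find_stripped_header(blob)
    if strip == 0:
        return "pe-intact"
    if strip > 0:
        return f"pe-headless(strip={strip})"
    return "not-pe"


if __name__ == "__main__":
    sample = build_sample_pe()
    headless = sample[5:]   # what the droppers fetch: the PE minus its first 5 bytes
    print(classify_download(sample))      # pe-intact
    print(classify_download(headless))    # pe-headless(strip=5)
    print(classify_download(restore_header(headless, 5)))  # pe-intact
```

A plain "MZ" check on downloads misses the headless payload, while this check still flags it; run it on files written by the management agent or fetched by scripts.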
2015 - Attack against SeoulADEX 2015 Participants
• Defense companies suffer from hacking attacks
- Seoul ADEX (Seoul International Aerospace and Defense Exhibition)
* Source: http://www.koreatimes.co.kr/www/news/nation/2015/11/116_191362.html
2015 - Attack against SeoulADEX 2015 Participants
• Attack against Seoul ADEX 2015 Participants (1)
- Macro Downloader
-> Seoul ADEX Result & visitors list
-> Disguising as Headquarters of Seoul ADEX
2015 - Attack against SeoulADEX 2015 Participants
• Attack against Seoul ADEX 2015 Participants (1)
- Rifdoor downloaded
2016 - Security Breach of Major Companies
• Malware distributed through an IT management system vulnerability
- Hacked into more than 140,000 computers at 160 South Korean companies and government agencies
- 42,608 documents were reported to have been leaked
- Attack began in 2014 and was detected in February 2016
* Source: http://www.reuters.com/article/us-northkorea-southkorea-cyber-idUSKCN0YZ0BE
2016 - Security Breach of Major Companies
(Attack flow diagram; labels recovered from the slide)
- Attacker attacks the IT Management System B vulnerability
- V3PScan.exe was distributed by the IT Management System
- GhostRat on major companies and arms manufacturers
- C2 and storage server to prevent data loss
2017 – Financial SectorAttack
• Macro Downloader
- Disguised as a new government diplomatic advisory list
- V3UI.exe downloaded
2017 – Financial SectorAttack
• Macro Comparison
- Seoul ADEX attendees (2015) vs Finance Sector (2017)
Malware – GhostRat
• Customized Gh0st RAT
- Source code released
Malware - Rifdoor
• Rifdoor (Rifle + Backdoor) == Operation Ghost Rifle (2015)
- Backdoor (90KB)
- PDB: contains 'rifle'
- Adds random data
Backdoor - Phandoor
• Phandoor (Phantom.exe + Backdoor) == Operation Anonymous Phantom (2016-2017)
- Original file name was Phantom.exe → Phantom.exe + Backdoor = Phandoor
- S^!?
- Anonymous?
Backdoor - Phandoor
• Mystery 'S^'
- 'S^' found in the Xwdoor (2012) & Phandoor (2016)
Backdoor - Phandoor
• Similar Encoding Codes
- Rifdoor vs. Phandoor
Malware - Wiper
• Wiper
- Whether the wiper was used in a real attack is not identified
04
Operation Red Dot
Operation Red Dot
• Operation Red Dot
- Period: From early 2014 ~
- Main targets: Defense Industry, Political institutions, Major companies (Conglomerates), Hosting Services, Financial Sector, Cryptocurrency Exchange…
- Malware: Escad, Loader
- Remark: This hacking group is possibly involved with the security breach of Sony Pictures
Operation Red Dot
• Relation
* Source: https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf & https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/
Timeline
(Timeline figure spanning 2014-2017; labels recovered from the slide)
- Events: Sony Pictures Hacking
- Malware: Escad, Loader(1) x86, Loader(1) x64, Loader(2), Loader(2) – Resource, Backdoor(1) A, Backdoor(1) B, Backdoor(2)
- Vulnerabilities: HWPx Vulnerability (CVE-2015-6585), HWP Files (with EPS), Open Type Font Elevation of Privilege Vulnerability MS16-132 (CVE-2016-7256), Network Isolation Vulnerability
- Targets: Web Hosting Services, Seoul ADEX Participants, Political institutions, Major Company A, Major Company B, Cryptocurrency Exchange, Financial Sector, Defense Firms, Websites against North Korea
2014 - Security Breach of Sony Pictures
• Sony Pictures Hack
- Eliminated Sony's computer infrastructure
- Leaked confidential data
* Source: http://imgur.com/qXNgFVz & https://gist.github.com/anonymous/7b9a0a0ac94065ccfc5b
2015 - Attack against SeoulADEX 2015 Participants
• News reported, "There is a possibility that this hacking group could be connected with the Sony Pictures hacking group" (October 2015)
* Source: http://www.boannews.com/media/view.asp?idx=48598&kind=0 & http://www.etnews.com/20151007000172
2015 - Attack against SeoulADEX 2015 Participants
• Attack against Seoul ADEX 2015 Participants (2)
- HWPx Vulnerability (CVE-2015-6585) -> zero-day vulnerability at the time
-> invitation.hwp
Backdoor - Escad
• Malware Sample Comparison
- Sony Pictures hack vs. attack in South Korea
Backdoor - Escad
• Escad Type A (Sony Pictures hack)
Backdoor - Escad
• Escad Type B
- XOR 0x89
05
Operation Bitter Biscuit
Operation Bitter Biscuit
• Operation Bitter Biscuit
- AhnLab released a whitepaper in October 2017
- Operation Bitter Biscuit == HeartBeat APT @ AVAR 2012 == Operation Orca @ VB2017
- Activities in South Korea since 2009 (2008?)
- Targets: Military, Defense Research Institutes, Defense Industry, ICT, Manufacturer
- Infection Vector: Executable files disguised as document files & Macro
- Malware: Presonal, Bisonal (Biscon, Korlia), Dexbia (Bromall)
- Bisonal samples contain 'bisonal', 'bioazih', 'biaozih'
- File names: 6ro4.dll, 6to4nt.dll, ahn.exe, AhnSDsv.exe, ahnupdate.exe, AYagent.exe, chrome.exe, conhost.exe, conime.exe, ctfmon.exe, deskmvr.exe, dlg.exe, htrn.dll, hyper.dll, lpk.dll, lsass.exe, mfc.exe, mmc.exe, msacm32.dll, netfxocm.exe, serskt.exe, svcsep.exe, taskmgr.exe, tpcon.exe, tsc.exe, v3update.exe, winhelp.exe
Relation
• Operation Bitter Biscuit == The HeartBeat APT == Operation Orca
* Source: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign & https://camal.coseinc.com/publish/2013Bisonal.pdf & https://blogs.technet.microsoft.com/mmpc/2015/04/13/bioazih-rat-how-clean-file-metadata-can-help-keep-you-safe/ & http://www.cert-in.org.in & https://www.virusbulletin.com/conference/vb2017/abstracts/operation-orca-cyber-espionage-diving-ocean-least-six-years/
Timeline
(Timeline figure spanning 2009-2018; labels recovered from the slide)
- Campaign names: The HeartBeat APT Campaign, Operation Orca, Operation Bitter Biscuit, Bioazih RAT blog
- Malware: Presonal, Bisonal Type A, Bisonal Type B
- Targets: ICT, Manufacturer, IT, Military, Defense Industry, Japanese Defense Industry, Military Security Research Institute, attacks on Korean Government
Infection Vector
• Executable file disguised as document files
Infection Vector
• Document files containing macros
- Political Seminar Agenda
Decoy documents
• Invitation & Conference & Resume
Bisonal
• Features
- bisonal, bioazih, biaozih
Dexbia (Bromall)
• Dexbia (Bromall)
- (Figure: port and C&C configuration)
Process Malware Evolution
01 2011-2012
• Bisonal, Bioazih strings
• Dynamic DNS
02 2013-2014
• Bisonal, Bioazih strings
• Encrypting strings
• Dexbia (Bromall) discovered
03 2015-2017
• Dexbia (Bromall)
• Packed Bisonal
06
Who Is Behind The Attacks?
Korean?!
• GhostRat Management, Korean Edition
- Korean but strange (string comparison from the figure; form seen in the tool -> expected form)
- Strings (문자렬 -> 문자열)
- ??? (maybe when notified)
- 팁 Tip ???
- (typo 암 -> 안)
- System Setting (체계설정 -> 설정)
- Secret (비밀 -> 암호 Password) / User
Korean?!
• Korean?!
- C:UsersKGHDownloads(DONE)TROYS(DONE)(done)1charelease(done)(done)1cha(dll)Installer-dll-service-win32ReleaseInstallBD.pdb
- KGH - common Korean name initials (?)
- 1cha - 'cha' has the same pronunciation as a Korean ordinal number
- C8: the same pronunciation as a profanity with the meaning of the F-word in Korean
07
Conclusion
Conclusion
• Conclusion
- 5 groups active in South Korea - at least
- Andariel Group, Operation Red Dot: Motivation for attacks seems to have changed (Confidential Information → Monetary benefit)
- Some of them know Korean very well and know Korean culture and environment
- They attack vulnerabilities in Korean software and disguise their malware as famous Korean software
- Some of them are active outside of Korea
• Cooperation
- We need to cooperate to fight them!
Q&A
minseok.cha@ahnlab.com / mstoned7@gmail.com
http://xcoolcat7.tistory.com, https://www.facebook.com/xcoolcat7
https://twitter.com/xcoolcat7, https://twitter.com/mstoned7
Reference
• Targeted Attacks on Defense Industry (Korean)
(http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?seq=26565ABC, http://download.ahnlab.com/kr/site/library/%5bAnalysis%5dDefense_Industry_Threats.pdf)
• Targeted Attacks on Defense Industry
(http://download.ahnlab.com/global/brochure/Tech_Report_Defense%20Industry.pdf)
• Cyber Threat Intelligence Report (Korean)
(https://www.fsec.or.kr/user/bbs/fsec/21/13/bbsDataView/910.do)

2015년 4분기 주요 정보보안 소식 차민석 20160410_공개판Minseok(Jacky) Cha
 
2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판
2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판
2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판Minseok(Jacky) Cha
 
Csi cyber season 1 episode 1 차민석 20160113
Csi cyber season 1 episode 1 차민석 20160113Csi cyber season 1 episode 1 차민석 20160113
Csi cyber season 1 episode 1 차민석 20160113Minseok(Jacky) Cha
 
백신 프로그램의 원리와 동작 차민석 20151117_security plus 발표판
백신 프로그램의 원리와 동작 차민석 20151117_security plus 발표판백신 프로그램의 원리와 동작 차민석 20151117_security plus 발표판
백신 프로그램의 원리와 동작 차민석 20151117_security plus 발표판Minseok(Jacky) Cha
 
0과 1의 비밀을 밝히는 악성코드 분석가 차민석 20151117_security plus 발표판
0과 1의 비밀을 밝히는 악성코드 분석가 차민석 20151117_security plus 발표판0과 1의 비밀을 밝히는 악성코드 분석가 차민석 20151117_security plus 발표판
0과 1의 비밀을 밝히는 악성코드 분석가 차민석 20151117_security plus 발표판Minseok(Jacky) Cha
 
2015년 2분기 주요 정보보안 소식 차민석 공개판_20150810
2015년 2분기 주요 정보보안 소식 차민석 공개판_201508102015년 2분기 주요 정보보안 소식 차민석 공개판_20150810
2015년 2분기 주요 정보보안 소식 차민석 공개판_20150810Minseok(Jacky) Cha
 
2015년 1분기 주요 정보보안 소식 20150512 공개판
2015년 1분기 주요 정보보안 소식 20150512 공개판2015년 1분기 주요 정보보안 소식 20150512 공개판
2015년 1분기 주요 정보보안 소식 20150512 공개판Minseok(Jacky) Cha
 
임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판
임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판
임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판Minseok(Jacky) Cha
 
Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Minseok(Jacky) Cha
 

More from Minseok(Jacky) Cha (17)

2017년 3분기 정보보안 소식 20180107 차민석
2017년 3분기 정보보안 소식 20180107 차민석2017년 3분기 정보보안 소식 20180107 차민석
2017년 3분기 정보보안 소식 20180107 차민석
 
2017년 1분기 정보보안 소식 20170528 차민석_공개판
2017년 1분기 정보보안 소식 20170528 차민석_공개판2017년 1분기 정보보안 소식 20170528 차민석_공개판
2017년 1분기 정보보안 소식 20170528 차민석_공개판
 
2016년 4분기 주요 정보보안 소식 20170101 차민석_공개판
2016년 4분기 주요 정보보안 소식 20170101 차민석_공개판2016년 4분기 주요 정보보안 소식 20170101 차민석_공개판
2016년 4분기 주요 정보보안 소식 20170101 차민석_공개판
 
2016년 3분기 주요 정보보안 소식 20161227 차민석_공개판
2016년 3분기 주요 정보보안 소식 20161227 차민석_공개판2016년 3분기 주요 정보보안 소식 20161227 차민석_공개판
2016년 3분기 주요 정보보안 소식 20161227 차민석_공개판
 
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
 
사회기반시설 공격 동향 분석보고서 차민석 20161029_레몬 정보보호 세미나
사회기반시설 공격 동향 분석보고서 차민석 20161029_레몬 정보보호 세미나사회기반시설 공격 동향 분석보고서 차민석 20161029_레몬 정보보호 세미나
사회기반시설 공격 동향 분석보고서 차민석 20161029_레몬 정보보호 세미나
 
2016년 2분기 주요 정보보안 소식 차민석 20160815_공개판
2016년 2분기 주요 정보보안 소식 차민석 20160815_공개판2016년 2분기 주요 정보보안 소식 차민석 20160815_공개판
2016년 2분기 주요 정보보안 소식 차민석 20160815_공개판
 
2016년 1분기 주요 정보보안 소식 차민석 20160703_공개판
2016년 1분기 주요 정보보안 소식 차민석 20160703_공개판2016년 1분기 주요 정보보안 소식 차민석 20160703_공개판
2016년 1분기 주요 정보보안 소식 차민석 20160703_공개판
 
2015년 4분기 주요 정보보안 소식 차민석 20160410_공개판
2015년 4분기 주요 정보보안 소식 차민석 20160410_공개판2015년 4분기 주요 정보보안 소식 차민석 20160410_공개판
2015년 4분기 주요 정보보안 소식 차민석 20160410_공개판
 
2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판
2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판
2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판
 
Csi cyber season 1 episode 1 차민석 20160113
Csi cyber season 1 episode 1 차민석 20160113Csi cyber season 1 episode 1 차민석 20160113
Csi cyber season 1 episode 1 차민석 20160113
 
백신 프로그램의 원리와 동작 차민석 20151117_security plus 발표판
백신 프로그램의 원리와 동작 차민석 20151117_security plus 발표판백신 프로그램의 원리와 동작 차민석 20151117_security plus 발표판
백신 프로그램의 원리와 동작 차민석 20151117_security plus 발표판
 
0과 1의 비밀을 밝히는 악성코드 분석가 차민석 20151117_security plus 발표판
0과 1의 비밀을 밝히는 악성코드 분석가 차민석 20151117_security plus 발표판0과 1의 비밀을 밝히는 악성코드 분석가 차민석 20151117_security plus 발표판
0과 1의 비밀을 밝히는 악성코드 분석가 차민석 20151117_security plus 발표판
 
2015년 2분기 주요 정보보안 소식 차민석 공개판_20150810
2015년 2분기 주요 정보보안 소식 차민석 공개판_201508102015년 2분기 주요 정보보안 소식 차민석 공개판_20150810
2015년 2분기 주요 정보보안 소식 차민석 공개판_20150810
 
2015년 1분기 주요 정보보안 소식 20150512 공개판
2015년 1분기 주요 정보보안 소식 20150512 공개판2015년 1분기 주요 정보보안 소식 20150512 공개판
2015년 1분기 주요 정보보안 소식 20150512 공개판
 
임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판
임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판
임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판
 
Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판
 

Recently uploaded

Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
The Intriguing World of CDR Analysis by Police: What You Need to Know.pdf
The Intriguing World of CDR Analysis by Police: What You Need to Know.pdfThe Intriguing World of CDR Analysis by Police: What You Need to Know.pdf
The Intriguing World of CDR Analysis by Police: What You Need to Know.pdfMilind Agarwal
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewingbigorange77
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation   for Smart Assistant Application for Disabled PersonComplet Documnetation   for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Personfurqan222004
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一3sw2qly1
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...akbard9823
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130  Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130  Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 

Recently uploaded (20)

Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
The Intriguing World of CDR Analysis by Police: What You Need to Know.pdf
The Intriguing World of CDR Analysis by Police: What You Need to Know.pdfThe Intriguing World of CDR Analysis by Police: What You Need to Know.pdf
The Intriguing World of CDR Analysis by Police: What You Need to Know.pdf
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewing
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation   for Smart Assistant Application for Disabled PersonComplet Documnetation   for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Person
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130  Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130  Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 

Targeted attacks on major industry sectors in south korea 20171201 cha minseok_avar 2017 beijing_full version

  • 1. Targeted Attacks on Major Industry Sectors in South Korea CHA Minseok (Jacky Cha, 車珉錫) – Full Version Senior Principal Malware Researcher AhnLab | ASEC | Analysis Team AVAR 2017 (December 7, 2017)
  • 2. Contents 01 Cyber Attacks in South Korea, 2017 02 Infection Vector 03 Andariel Group 04 Operation Red Dot 05 Operation Bitter Biscuit 06 Who Is Behind The Attacks? 07 Conclusion
  • 3. 01 Cyber Attacks in South Korea, 2017
  • 4. © AhnLab, Inc. All rights reserved. VenusLocker Ransomware • Spear Phishing - Email written in Korean * Source: http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?seq=26309
  • 5. VenusLocker Ransomware • Macro Downloader - Chinese Font?!
  • 6. Erebus Ransomware • Web hosting company Nayana was hit by Erebus ransomware - Attack occurred on June 10, 2017, 1:00 am - Files in 153 servers have been encrypted. 5,496 websites were affected. Paid over $1 Million - 2 similar attacks in November (Different Linux Ransomware) * Source: http://securityaffairs.co/wordpress/60281/malware/erebus-ransomware-hit-south-korea.html & http://english.etnews.com/20171109200001 & http://ciobiz.etnews.com/news/article.html?id=20171129120027
  • 7. ATM Hacking • ATM Hacking (by Andariel Group) - 230,000 credit cards in total were leaked (September 2016 ~ February 2017) - Illegal withdrawals through ATMs in China, Thailand and Taiwan - 4 suspects arrested → obtained the private financial data from a middleman who claimed he got the information from a North Korean - Malware used in this attack was very similar to the malware used in the Korean MND hacking * Source: http://english.yonhapnews.co.kr/news/2017/09/06/0200000000AEN20170906007600315.html & http://www.itworld.co.kr/news/106281
  • 8. Cryptocurrency Exchange Platform Hacked • Cryptocurrency Exchange Platform Hacked - Malicious Hangul document (HWP) file as attack vector - Customer data leaked - Maybe by the threat group behind Operation Red Dot * Source: http://uk.businessinsider.com/south-korean-bitcoin-exchange-bithumb-hacked-ethereum-2017-7 & http://www.hani.co.kr/arti/economy/it/801322.html
  • 9. Supply Chain Attack • Supply Chain Attack - Backdoor found in Netsarang server management software * Source: https://securelist.com/shadowpad-in-corporate-networks/81432 & http://www.netsarang.co.kr/news/security_exploit_in_july_18_2017_build.html
  • 10. Travel Agency Breached • South Korea’s Largest Travel Agency Hacked * Source: https://coinjournal.net/south-koreas-largest-travel-agency-breached-hacker-demands-bitcoin-payment/ & http://www.hanatour.com/asp/custcenter/bb-20000.asp
  • 11. Activity groups/APTs in South Korea (timeline chart, 2007-2018; groups and their malware as labelled): Icefog; OP Red Dot (Escad, Loader); Andariel (Rifdoor, GhostRat, Phandoor, Andarat); Dllbot; Xwdoor; OP Black Mine (Bmdoor); OP Bitter Biscuit (Bisonal, Dexbia); OP Happy Dragon; Kimsuky; Plugx (Korplug)
  • 13. Infection Vector (diagram): Watering hole (ActiveX); Email (Spear Phishing); Update via IT Management system / Update Server (Supply Chain / IT Maintenance Services); C2; Vulnerability Attack; Web Server; Listening Port; Send file transfer commands; Port Scanning; Vulnerability Attacks
  • 15. Andariel • Andariel - Presumed to be another Lazarus spinoff - DarkSeoul (2013), Operation Black Mine (2014-2015) - Operation Ghost Rifle == Operation Anonymous Phantom == Operation Golden Axe == Campaign Rifle - Targets: Defense Industry, Cyber Security Companies, Political Institutions, MND (Ministry of National Defense), Finance Sector, Energy Research Institution etc. - Attack Vectors: Spear Phishing, Watering Hole (Active-X vulnerability), IT Management System Vulnerability, Supply Chain Attack - Malware: Andarat, Bmdoor, GhostRat, Rifdoor, Phandoor - AhnLab published the white paper in July 2017 - FSI (Financial Security Institute) published the white paper in August 2017
  • 16. Malware • They are using various malware - Exploits: Active X, Flash, IT Management System - Stealers - Tools: Backdoor (Andarat, Bmdoor, GhostRat, Phandoor, Rifdoor, Xtreame), Keylogger, Mimikatz, OSQL, Privilege Escalation, Putty Link, Proxy Server, Port Scanner, Wiper
  • 17. Andariel Timeline (chart, 2008-2018; events as labelled): 7.7 DDoS; 3.4 DDoS; 3.20 Cyber-attack (gathering information); 3.20 Cyber attack (DarkSeoul) & 6.25 Cyber Attack; ActiveX Vulnerabilities Attack; Korean Government; Dllbot; Xwdoor; Operation Black Mine (Bmdoor); Operation Ghost Rifle (Rifdoor); Operation Anonymous Phantom (Phandoor); Seoul ADEX participants; Security breach of major companies; Security Company; Defense Company; MND hacked; ATM hacked; Financial Sector; Breach of Travel Agency; Energy Research Institute
  • 18. Infection Vector – ActiveX A • Report Product A Exploit - Script file created → downloaded
  • 19. Infection Vector – ActiveX A • Script - First 5 bytes (MZ...) removed from the download → the missing first 5 bytes (MZ...) recovered on disk
  • 20. Infection Vector – IT Management B • IT Management Product B exploit - V3PScan.exe file distributed through IT Management System
  • 21. Infection Vector – IT Management B • IT Management Product B Ports - 3511: Client Listen Port - 3523, 3524: File Transfer * Source: Product B User Manual (2004)
  • 22. Infection Vector – IT Management C • IT Management Product C exploit - Target IP, Download URL, Path - Product C file transfer (Port 7224)
  • 23. Infection Vector – IT Management C • Script - File downloaded and 5 bytes (MZ) recovered - Argv: Download URL - Argv: Remote File Path
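The 5-byte trick on slides 19 and 23 (the script downloads a file with its leading "MZ..." bytes removed and writes them back) means the body seen in transit, in a proxy cache or in the drop directory is not a valid PE and is missed by naive PE checks. The block below is an added example, not code from the deck or from AhnLab, of a triage check that tells whether such a headerless blob becomes a structurally valid PE once a DOS-header prefix is put back. The prefix bytes `b"MZ\x90\x00\x03"`, the function names and the sample buffer are assumptions; the slides show only "MZ...".

```python
"""Triage check for a dropped PE whose first 5 bytes were stripped.

Added example (not code from the AhnLab deck). Slides 19 and 23 describe
downloader scripts that fetch a file with its first 5 bytes ("MZ...")
removed and restore them on disk. This helper tells whether a headerless
blob becomes a structurally valid PE once a DOS-header prefix is put
back, which is useful when carving or triaging such artifacts.

Assumption: the prefix is the common DOS stub start b"MZ\x90\x00\x03"; the
deck only shows "MZ...", so the exact bytes the scripts restore are not
on the page.
"""
import struct

MZ_PREFIX = b"MZ\x90\x00\x03"   # assumed prefix, see module docstring
STRIPPED_LEN = len(MZ_PREFIX)   # 5 bytes, as on the slides


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_stripped_pe(blob: bytes) -> bool:
    """True if blob is not a PE as-is but becomes one when MZ_PREFIX is restored.

    A random blob fails both checks; an intact PE passes the first check
    and is therefore not reported as stripped.
    """
    return not is_pe(blob) and is_pe(MZ_PREFIX + blob)


def restore_header(blob: bytes) -> bytes:
    """Rebuild the file the downloader would have written to disk."""
    if not looks_like_stripped_pe(blob):
        raise ValueError("blob does not look like a PE with its first 5 bytes removed")
    return MZ_PREFIX + blob


def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped buffer for the demo (not a real or runnable binary)."""
    dos_header = bytearray(0x40)
    dos_header[:STRIPPED_LEN] = MZ_PREFIX
    struct.pack_into("<I", dos_header, 0x3C, 0x80)   # e_lfanew -> NT headers at 0x80
    padding = b"\x00" * (0x80 - len(dos_header))
    return bytes(dos_header) + padding + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    intact = build_sample_pe()
    on_the_wire = intact[STRIPPED_LEN:]   # what the downloader actually transfers
    print("intact is PE:", is_pe(intact))                                  # True
    print("transferred blob is PE:", is_pe(on_the_wire))                   # False
    print("stripped-PE candidate:", looks_like_stripped_pe(on_the_wire))   # True
    print("restored equals original:", restore_header(on_the_wire) == intact)  # True
```

The check is deliberately structural (DOS header plus the `PE\0\0` signature at `e_lfanew`) rather than a signature on the first bytes, so it also catches a blob whose restored prefix differs from the assumed one as long as the `MZ` magic and `e_lfanew` line up; a blob that is already a PE is never reported, which keeps the heuristic quiet on ordinary downloads.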
  • 24. 2015 - Attack against Seoul ADEX 2015 Participants • Defense companies suffer from hacking attacks - Seoul ADEX (Seoul International Aerospace and Defense Exhibition) * Source: http://www.koreatimes.co.kr/www/news/nation/2015/11/116_191362.html
  • 25. 2015 - Attack against Seoul ADEX 2015 Participants • Attack against Seoul ADEX 2015 Participants (1) - Macro Downloader -> Seoul ADEX Result & visitors list -> disguised as Headquarters of Seoul ADEX
  • 26. 2015 - Attack against Seoul ADEX 2015 Participants • Attack against Seoul ADEX 2015 Participants (1) - Rifdoor downloaded
  • 27. 2016 - Security Breach of Major Companies • Malware distributed through an IT management system vulnerability - Hacked into more than 140,000 computers at 160 South Korean companies and government agencies - 42,608 documents were reported to have been leaked - Attack began in 2014 and was detected in February 2016 * Source: http://www.reuters.com/article/us-northkorea-southkorea-cyber-idUSKCN0YZ0BE
  • 28. 2016 - Security Breach of Major Companies (diagram): Attacker → attack on IT Management System B vulnerability → V3PScan.exe distributed by IT Management System → Major companies and arms manufacturers → GhostRat → C2 and storage server to prevent data loss
  • 29. 2017 – Financial Sector Attack • Macro Downloader - Disguised as new government diplomatic advisory list - V3UI.exe downloaded
  • 30. 2017 – Financial Sector Attack • Macro Comparison - Seoul ADEX attendees (2015) vs. Finance Sector (2017)
  • 31. Malware – GhostRat • Customized Gh0st RAT - Source code released
  • 32. Malware - Rifdoor • Rifdoor (Rifle + Backdoor) == Operation Ghost Rifle (2015) - Backdoor (90KB) - PDB: contains ‘rifle’ - Adds random data
  • 33. Backdoor - Phandoor • Phandoor (Phantom.exe + Backdoor) == Operation Anonymous Phantom (2016-2017) - Original file name was Phantom.exe → Phantom.exe + Backdoor = Phandoor - S^!? - Anonymous?
  • 34. Backdoor - Phandoor • Mystery ‘S^’ - ‘S^’ found in the Xwdoor (2012) & Phandoor (2016)
  • 35. Backdoor - Phandoor • Similar Encoding Codes - Rifdoor vs. Phandoor
  • 36. Malware - Wiper • Wiper - Whether the wiper has been used in a real attack is not identified
  • 38. Operation Red Dot • Operation Red Dot - Period: From early 2014 ~ - Main targets: Defense Industry, Political institutions, Major companies (Conglomerates), Hosting Services, Financial Sector, Cryptocurrency Exchange… - Malware: Escad, Loader - Remark: This hacking group is possibly involved with the security breach of Sony Pictures
  • 39. Operation Red Dot • Relation * Source: https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf & https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/
  • 40. Timeline (chart, 2014-2017; items as labelled): Sony Pictures Hacking; Escad; Loader(1) x86; Loader(1) x64; Loader(1); Loader(2); Loader(2) – Resource; Backdoor (1)A; Backdoor (1)B; Backdoor(2); Web Hosting Services; Seoul ADEX Participants; Political institutions; Major Company A; Major Company B; Cryptocurrency Exchange; Financial Sector; Websites against North Korea; Defense Firms; Open Type Font Elevation of Privilege Vulnerability MS16-132 (CVE-2016-7256); HWP Files (with EPS); HWPx Vulnerability (CVE-2015-6585); Network Isolation Vulnerability
  • 41. 2014 - Security Breach of Sony Pictures • Sony Pictures Hack - Eliminated Sony’s computer infrastructure - Leaked confidential data * Source: http://imgur.com/qXNgFVz & https://gist.github.com/anonymous/7b9a0a0ac94065ccfc5b
  • 42. 2015 - Attack against Seoul ADEX 2015 Participants • News reported, “There is a possibility that this hacking group could be connected with the Sony Pictures hacking group” (October 2015) * Source: http://www.boannews.com/media/view.asp?idx=48598&kind=0 & http://www.etnews.com/20151007000172
  • 43. 2015 - Attack against Seoul ADEX 2015 Participants • Attack against Seoul ADEX 2015 Participants (2) - HWPx Vulnerability (CVE-2015-6585) -> Zero-day vulnerability at the time -> invitation.hwp
  • 44. Backdoor - Escad • Malware Sample Comparison - Sony Pictures hack vs. attack in South Korea
  • 45. Backdoor - Escad • Escad Type A (Sony Pictures hack)
  • 46. Backdoor - Escad • Escad Type B - XOR 0x89
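Slide 46 states only that Escad Type B encodes with XOR 0x89. As an added example (not AhnLab's code, and not taken from the deck), the block below decodes with that key and, going beyond the slide, recovers an unknown single-byte key by brute force: all 256 candidates are ranked by printable-string mass plus a bonus for marker substrings a decoded backdoor configuration is likely to contain. The sample blob, the marker list and the function names are constructed assumptions.

```python
"""Single-byte XOR decoding for sample triage (Escad Type B uses XOR 0x89).

Added example, not AhnLab code. Slide 46 gives only the key; the blob
below is constructed for this example and the marker strings used to
rank candidate keys are an assumption, chosen because they are common in
backdoor configurations. The key-recovery part goes beyond the slide: it
brute-forces all 256 keys, which is how an analyst handles a sample whose
key is not yet known.
"""
import re
from typing import List, Sequence, Tuple

ESCAD_B_KEY = 0x89   # from the slide

# Constructed plaintext standing in for an encoded config blob (not real C2 data).
SAMPLE_PLAINTEXT = (
    b"\x00\x00\x01\x00"
    b"http://c2.example.invalid/update.php\x00"
    b"C:\\Windows\\System32\\cmd.exe\x00"
    b"kernel32.dll\x00"
    b"\x10\x20\x30\x40"
)

# Assumed markers: substrings a correctly decoded config is likely to contain.
DEFAULT_MARKERS: Sequence[bytes] = (b"http", b".dll", b".exe", b"C:\\")


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call also encodes."""
    return bytes(b ^ key for b in data)


def extract_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def score_candidate(plain: bytes, markers: Sequence[bytes]) -> int:
    """Rank a decode: total printable-string length plus a large bonus per marker hit."""
    string_mass = sum(len(s) for s in extract_strings(plain))
    marker_hits = sum(plain.count(m) for m in markers)
    return string_mass + 50 * marker_hits


def guess_single_byte_key(data: bytes,
                          markers: Sequence[bytes] = DEFAULT_MARKERS) -> Tuple[int, int]:
    """Brute-force all 256 keys and return (best_key, score).

    Printable-string mass alone cannot separate keys that differ only in low
    bits (XOR with 0x01 maps letters to letters), so the marker bonus is what
    makes the ranking decisive; pick markers that fit the sample family.
    """
    scored = [(score_candidate(xor_decode(data, k), markers), k) for k in range(256)]
    best_score, best_key = max(scored)
    return best_key, best_score


if __name__ == "__main__":
    encoded = xor_decode(SAMPLE_PLAINTEXT, ESCAD_B_KEY)
    key, score = guess_single_byte_key(encoded)
    print(f"recovered key: 0x{key:02x} (score {score})")   # recovered key: 0x89 ...
    for s in extract_strings(xor_decode(encoded, key)):
        print(s)
```

When applying this to a real sample, run the ranking over the encoded region only (a resource or a data section), not over the whole file: the unencoded PE headers and import names would otherwise pull key 0x00 to the top.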
  • 48. Operation Bitter Biscuit • Operation Bitter Biscuit - AhnLab released a white paper in October 2017 - Operation Bitter Biscuit == HeartBeat APT @ AVAR 2012 == Operation Orca @ VB2017 - Activities in South Korea since 2009 (2008?) - Targets: Military, Defense Research Institutes, Defense Industry, ICT, Manufacturer - Infection Vector: Executable files disguised as document files & Macro - Malware: Presonal, Bisonal (Biscon, Korlia), Dexbia (Bromall) - Bisonal samples contain ‘bisonal’, ‘bioazih’, ‘biaozih’ - File names: 6ro4.dll, 6to4nt.dll, ahn.exe, AhnSDsv.exe, ahnupdate.exe, AYagent.exe, chrome.exe, conhost.exe, conime.exe, ctfmon.exe, deskmvr.exe, dlg.exe, htrn.dll, hyper.dll, lpk.dll, lsass.exe, mfc.exe, mmc.exe, msacm32.dll, netfxocm.exe, serskt.exe, svcsep.exe, taskmgr.exe, tpcon.exe, tsc.exe, v3update.exe, winhelp.exe
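The file-name list on slide 48 is the most directly actionable item in the Operation Bitter Biscuit section: the names imitate AhnLab V3 components, Windows system binaries and common tools, so a hunt can look for them in places where the genuine file never lives. The block below is an added example, not AhnLab's code; the name set is the slide's, while the location rules, the `Finding` type and the process-image paths are constructed assumptions. In practice it would be fed EDR or Sysmon process-creation paths rather than the inline list.

```python
"""Hunt for Bisonal masquerade file names running from unexpected locations.

Added example, not AhnLab code. The file-name list is the one on slide 48
of the deck. The location rules and the process records below are
constructed assumptions for the example.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# File names from slide 48 of the deck (lower-cased for matching).
BISONAL_FILENAMES = {
    "6ro4.dll", "6to4nt.dll", "ahn.exe", "ahnsdsv.exe", "ahnupdate.exe",
    "ayagent.exe", "chrome.exe", "conhost.exe", "conime.exe", "ctfmon.exe",
    "deskmvr.exe", "dlg.exe", "htrn.dll", "hyper.dll", "lpk.dll", "lsass.exe",
    "mfc.exe", "mmc.exe", "msacm32.dll", "netfxocm.exe", "serskt.exe",
    "svcsep.exe", "taskmgr.exe", "tpcon.exe", "tsc.exe", "v3update.exe",
    "winhelp.exe",
}

# Names that are genuine Windows binaries: legitimate copies live in the system directories.
WINDOWS_NATIVE = {"conhost.exe", "conime.exe", "ctfmon.exe", "lsass.exe",
                  "mmc.exe", "taskmgr.exe", "lpk.dll", "msacm32.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Directory fragments a regular user can write to (assumed rule set, lower-case).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                 "\\users\\public\\", "\\programdata\\")


@dataclass
class Finding:
    path: str
    reason: str


def check_path(path: str) -> Optional[Finding]:
    """Return a Finding if the file name is on the Bisonal list and its location is suspicious."""
    name = ntpath.basename(path).lower()
    if name not in BISONAL_FILENAMES:
        return None
    directory = ntpath.dirname(path).lower()
    if name in WINDOWS_NATIVE:
        # A Windows binary name anywhere but System32/SysWOW64 is a masquerade candidate.
        if directory in SYSTEM_DIRS:
            return None
        return Finding(path, f"{name} is a Windows binary name running outside the system directories")
    # Vendor-style names (ahn.exe, v3update.exe, ...) are suspicious in user-writable paths.
    if any(fragment in directory + "\\" for fragment in USER_WRITABLE):
        return Finding(path, f"{name} is a Bisonal masquerade name in a user-writable location")
    return None


def scan(paths: List[str]) -> List[Finding]:
    """Apply check_path to every process-image path and keep the hits."""
    return [f for f in (check_path(p) for p in paths) if f is not None]


# Constructed process-image paths for the demo (not from any real incident).
SAMPLE_PATHS = [
    r"C:\Windows\System32\lsass.exe",
    r"C:\Users\alice\AppData\Roaming\lsass.exe",
    r"C:\Users\alice\Downloads\ahn.exe",
    r"C:\ProgramData\v3update.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Windows\Temp\serskt.exe",
    r"C:\Program Files\SomeVendor\tsc.exe",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PATHS):
        print(f"{finding.path}: {finding.reason}")
```

The location rules are intentionally conservative: `chrome.exe` under its normal install directory and `tsc.exe` under `Program Files` are not reported, so a copy dropped into a vendor-looking directory passes. Pairing the name match with an Authenticode signature check on the image closes that gap, since the genuine AhnLab and Windows files are signed and the masquerades on the slide are not presented as such.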
  • 49. Relation • Operation Bitter Biscuit == The HeartBeat APT == Operation Orca * Source: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign & https://camal.coseinc.com/publish/2013Bisonal.pdf & https://blogs.technet.microsoft.com/mmpc/2015/04/13/bioazih-rat-how-clean-file-metadata-can-help-keep-you-safe/ & http://www.cert-in.org.in & https://www.virusbulletin.com/conference/vb2017/abstracts/operation-orca-cyber-espionage-diving-ocean-least-six-years/
  • 50. Timeline (chart, 2009-2018; items as labelled): Attacks on Korean Government; Presonal; Bisonal Type A; Bisonal Type B; The HeartBeat APT Campaign; Bioazih RAT Blog; Operation Orca; Operation Bitter Biscuit; Japanese Defense Industry; Military; Security Research Institute; Defense Industry; ICT; Manufacturer; IT
  • 51. Infection Vector • Executable file disguised as document files
  • 52. Infection Vector • Document files containing macros - Political Seminar Agenda
  • 53. Decoy documents • Invitation & Conference & Resume
  • 54. Bisonal • Features - bisonal, bioazih, biaozih
  • 55. Dexbia (Bromall) • Dexbia (Bromall) - Port C&C
  • 56. Malware Evolution (process chart) 01 2011-2012 02 2013-2014 03 2015-2017 • Bisonal, Bioazih Strings.. • Dynamic DNS • Bisonal, Bioazih Strings.. • Encrypting Strings • Dexbia (Bromall) discovered • Dexbia (Bromall) • Packed Bisonal
  • 57. 06 Who Is Behind The Attacks?
  • 58. Korean?! • GhostRat Management Korean Edition - Korean but strange: Strings (문자렬 -> 문자열); ??? (maybe when notified); 팁 Tip; ??? (typo 암 -> 안); System Setting (체계설정 -> 설정); Secret (비밀 -> 암호 Password); User
  • 59. Korean?! • Korean?! - C:UsersKGHDownloads(DONE)TROYS(DONE)(done)1charelease(done)(done)1cha(dll)Installer-dll-service-win32ReleaseInstallBD.pdb - KGH - common Korean name initials (?) - 1cha - 'cha' has the same pronunciation as a Korean ordinal number - C8: the same pronunciation as a profanity with the meaning of the F-word in Korea
  • 61. Conclusion • Conclusion - 5 groups active in South Korea - at least - Andariel Group, Operation Red Dot: Motivation for attack seems to have changed (Confidential Information → Monetary benefit) - Some of them know Korean very well and know Korean culture and environment - They attack vulnerabilities in Korean software and disguise their malware as famous Korean software - Some of them are active outside of Korea • Cooperation - We need to cooperate to fight them!
  • 62. Q&A minseok.cha@ahnlab.com / mstoned7@gmail.com http://xcoolcat7.tistory.com, https://www.facebook.com/xcoolcat7 https://twitter.com/xcoolcat7, https://twitter.com/mstoned7
  • 63.
  • 64. Reference • Targeted Attacks on Defense Industry (Korean) (http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?seq=26565ABC, http://download.ahnlab.com/kr/site/library/%5bAnalysis%5dDefense_Industry_Threats.pdf) • Targeted Attacks on Defense Industry (http://download.ahnlab.com/global/brochure/Tech_Report_Defense%20Industry.pdf) • Cyber Threat Intelligence Report (Korean) (https://www.fsec.or.kr/user/bbs/fsec/21/13/bbsDataView/910.do)