SlideShare a Scribd company logo

7122017 cyber espionage is alive and well apt32 and the thr

Download as DOCX, PDF
S
smile790243

7122017 cyber espionage is alive and well apt32 and the thr

Education
1 of 18
7/12/2017 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations « Threat Research Blog | FireEye Inc https://www.fireeye.com/blog/threat-research/2017/05/cyber- espionage-apt32.html 1/10 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations May 14, 2017 | by Nick Carr | Threat Research Cyber espionage actors, now designated by FireEye as APT32 ( OceanLotus Group), are carrying out intrusions into private sect or companies across multiple industries and have also targeted foreign govern ments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with com mercially-available tools, to conduct targeted operations that ar e aligned with Vietnamese state interests. APT32 and FireEye’s Community Response In the course of investigations into intrusions at several corpora tions with business interests in Vietnam, FireEye’s Mandiant in cident response consultants uncovered activity and attacker-controlled infrastruc ture indicative of a significant intrusion campaign. In March 20 17, in response to active targeting of FireEye clients, the team launched a Com
munity Protection Event (CPE) – a coordinated effort between Mandiant incident responders, FireEye as a Service (FaaS), FireEye iSight Intelligence, and FireEye product engineering – to protect all clients from APT32 activity. In the following weeks, FireEye released threat intelligence pro ducts and updated malware profiles to customers while developi ng new detection techniques for APT32’s tools and phishing lures. This focused intelligence and detection effort led to new external vic tim identifications as well as providing sufficient technical evidence to link twelve prior intrusions, consolidating four previously un related clusters of threat actor activity into FireEye’s newest named advanced p ersistent threat group: APT32. APT32 Targeting of Private Sector Company Operations in Southeast Asia Since at least 2014, FireEye has observed APT32 targeting forei gn corporations with a vested interest in Vietnam’s manufacturi ng, consumer products, and hospitality sectors. Furthermore, there are indicati ons that APT32 actors are targeting peripheral network security and technology infrastructure corporations. Here is an overview of intrusions investigated by FireEye that a re attributed to APT32: In 2014, a European corporation was compromised prior to cons tructing a manufacturing facility in Vietnam. In 2016, Vietnamese and foreign-owned corporations working in
network security, technology infrastructure, banking, and medi a industries were targeted. In mid-2016, malware that FireEye believes to be unique to AP T32 was detected on the networks of a global hospitality industr y developer with plans to expand operations into Vietnam. From 2016 through 2017, two subsidiaries of U.S. and Philippin e consumer products corporations, located inside Vietnam, were the target of APT32 intrusion operations. Table 1 shows a breakdown of APT32 activity, including the ma lware families used in each. Year Country Industry Malware 2014 Vietnam Network Security WINDSHIELD 2014 Germany Manufacturing WINDSHIELD 2015 Vietnam Media WINDSHIELD 2016 Philippines Consumer products KOMPROGO WINDSHIELD https://www.fireeye.com/blog/threat- research.html/category/etc/tags/fireeye-blog-authors/nick-carr https://www.fireeye.com/blog/threat- research.html/category/etc/tags/fireeye-blog-threat- research/threat-research
https://www2.fireeye.com/WEB-Community-Protection- Security-Numbers.html 7/12/2017 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations « Threat Research Blog | FireEye Inc https://www.fireeye.com/blog/threat-research/2017/05/cyber- espionage-apt32.html 2/10 SOUNDBITE BEACON 2016 Vietnam Banking WINDSHIELD 2016 Philippines Technology Infrastructure WINDSHIELD 2016 China Hospitality WINDSHIELD 2016 Vietnam Media WINDSHIELD 2016 United States Consumer Products WINDSHIELD PHOREAL
BEACON SOUNDBITE Table 1: APT32 Private Sector Targeting Identified by FireEye APT32 Interest in Political Influence and Foreign Governments In addition to focused targeting of the private sector with ties to Vietnam, APT32 has also targeted foreign governments, as well as Vietnamese dissidents and journalists since at least 2013. Here i s an overview of this activity: A public blog published by the Electronic Frontier Foundation i ndicated that journalists, activists, dissidents, and bloggers were targeted in 2013 by malware and tactics consistent with APT32 operations. In 2014, APT32 leveraged a spear-phishing attachment titled “P lans to crackdown on protesters at the Embassy of Vietnam.exe, " which targeted dissident activity among the Vietnamese diaspora in So utheast Asia. Also in 2014, APT32 carried out an intrusion agai nst a Western country’s national legislature. In 2015, SkyEye Labs, the security research division of the Chi nese firm Qihoo 360, released a report detailing threat actors th at were targeting Chinese public and private entities including governm ent agencies, research institutes, maritime agencies, sea constru ction, and shipping enterprises. The information included in the report indi cated that the perpetrators used the same malware, overlapping infrastructure, and similar targets as APT32. In 2015 and 2016, two Vietnamese media outlets were targeted with malware that FireEye assesses to be unique to APT32. In 2017, social engineering content in lures used by the actor pr
ovided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines. APT32 Tactics In their current campaign, APT32 has leveraged ActiveMime fil es that employ social engineering methods to entice the victim i nto enabling macros. Upon execution, the initialized file downloads multiple malicious payloads from remote servers. APT32 actors continue to deliver the malicious attachments via spear-phishing emails. APT32 actors designed multilingual lure documents which were tailored to specific victims. Although the files had “.doc” file e xtensions, the recovered phishing lures were ActiveMime “.mht” web page arc hives that contained text and images. These files were likely cre ated by exporting Word documents into single file web pages. Table 2 contains a sample of recovered APT32 multilingual lure files. ActiveMime Lure Files MD5 2017年员工工资性津贴额统计报 告.doc (2017 Statistical Report on Staff Salary and Allowances) 5458a2e4d784abb1a1127263bd5006b5 https://www.eff.org/deeplinks/2014/01/vietnamese-malware-
gets-personal http://blogs.360.cn/blog/oceanlotus-apt 7/12/2017 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations « Threat Research Blog | FireEye Inc https://www.fireeye.com/blog/threat-research/2017/05/cyber- espionage-apt32.html 3/10 Thong tin.doc (Information) ce50e544430e7265a45fab5a1f31e529 Phan Vu Tutn CV.doc 4f761095ca51bfbbf4496a4964e41d4f Ke hoach cuu tro nam 2017.doc (2017 Bailout Plan) e9abe54162ba4572c770ab043f576784 Instructions to GSIS.doc fba089444c769700e47c6b44c362f96b Hoi thao truyen thong doc lap.doc (Traditional Games) f6ee4b72d6d42d0c7be9172be2b817c1 Giấy yêu cầu bồi thường mới 2016 - hằng.doc (New 2016 Claim Form) aa1f85de3e4d33f31b4f78968b29f175
Hoa don chi tiet tien no.doc (Debt Details) 5180a8d9325a417f2d8066f9226a5154 Thu moi tham du Hoi luan.doc (Collection of Participants) f6ee4b72d6d42d0c7be9172be2b817c1 Danh sach nhan vien vi pham ky luat.doc (List of Employee Violations) 6baafffa7bf960dec821b627f9653e44 Nội­dung­quảng­cáo.doc (Internal Content Advertising) 471a2e7341f2614b715dc89e803ffcac HĐ DVPM-VTC 31.03.17.doc f1af6bb36cdf3cff768faee7919f0733 Table 2: Sampling of APT32 Lure Files The Base64 encoded ActiveMime data also contained an OLE fil e with malicious macros. When opened, many lure files displaye d fake error messages in an attempt to trick users into launching the malicio us macros. Figure 1 shows a fake Gmail-theme paired with a he xadecimal error code that encourages the recipient to enable content to res olve the error. Figure 2 displays another APT32 lure that used a convincing
image of a fake Windows error message instructing the recipient to enable content to properly display document font characters. Figure 1: Example APT32 Phishing Lure – Fake Gmail Error Message 7/12/2017 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations « Threat Research Blog | FireEye Inc https://www.fireeye.com/blog/threat-research/2017/05/cyber- espionage-apt32.html 4/10 Figure 2: Example APT32 Phishing Lure – Fake Text Encoding Error Message APT32 operators implemented several novel techniques to track the efficacy of their phishing, monitor the distribution of their malicious documents, and establish persistence mechanisms to dynamicall y update backdoors injected into memory. In order to track who opened the phishing emails, viewed the lin ks, and downloaded the attachments in real-time, APT32 used cl oud-based email analytics software designed for sales organizations. In so me instances, APT32 abandoned direct email attachments altoge ther and relied exclusively on this tracking technique with links to their ActiveMime lures hosted externally on legitimate cloud storage services. To enhance visibility into the further distribution of their phishi ng lures, APT32 utilized the native web page functionality of th
eir ActiveMime documents to link to external images hosted on APT32 monitore d infrastructure. Figure 3 contains an example phishing lure with HTML image t ags used for additional tracking by APT32. Figure 3: Phishing Lure Containing HTML Image Tags for Addi tional Tracking When a document with this feature is opened, Microsoft Word will attempt to download the external image, even if macros wer e disabled. In all phishing lures analyzed, the external images did not exist. Mand iant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images. When combine d with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms. 7/12/2017 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations « Threat Research Blog | FireEye Inc https://www.fireeye.com/blog/threat-research/2017/05/cyber- espionage-apt32.html 5/10 Once macros were enabled on the target system, the malicious macros created two named scheduled tasks as persistence mecha nisms for two backdoors on the infected system. The first named schedule d task launched an application whitelisting script protection byp
ass to execute a COM scriptlet that dynamically downloaded the first backdoor from APT32’s infrastructure and injected it into memory. The s econd named scheduled task, loaded as an XML file to falsify task attributes, ran a JavaScript code block that downloaded and launched a sec ondary backdoor, delivered as a multi-stage PowerShell script. In most lures, one scheduled task persisted an APT32-specific backdoor and the other scheduled task initialized a commercially-available backdoor as backup. To illustrate the complexity of these lures, Figure 4 shows the c reation of persistence mechanisms for recovered APT32 lure “2 017年员工工资 性津贴额统计报告.doc”. Figure 4: APT32 ActiveMime Lures Create Two Named Schedul ed Tasks In this example, a scheduled task named “Windows Scheduled Maintenance” was created to run Casey Smith’s “Squiblydoo” A pp Whitelisting bypass every 30 minutes. While all payloads can be dynamically updated, at the time of delivery, this task launched a COM scri ptlet (“.sct” file extension) that downloaded and executed Meterpreter hosted on images.chinabytes[.]info. Meterpreter then loaded Cobalt Strike BEACON, configured to communicate with 80.255.3[.]87 using the Safebro wsing malleable C2 profile to further blend in with network traf fic. A second scheduled task named “Scheduled Defrags” was created by loadi ng the raw task XML with a backdated task creation timestamp of June 2,
2016. This second task ran “mshta.exe” every 50 minutes which launched an APT32-specific backdoor delivered as shellcode in a PowerShell script, configured to communicate with the domains blog.panggi n[.]org, share.codehao[.]net, and yii.yiihao126[.]net. Figure 5 illustrates the chain of events for a single successful A PT32 phishing lure that dynamically injects two multi-stage mal ware frameworks into memory. http://subt0x10.blogspot.com/2016/04/bypass-application- whitelisting-script.html https://github.com/rsmudge/Malleable-C2- Profiles/blob/master/normal/safebrowsing.profile 7/12/2017 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations « Threat Research Blog | FireEye Inc https://www.fireeye.com/blog/threat-research/2017/05/cyber- espionage-apt32.html 6/10 Figure 5: APT32 Phishing Chain of Events The impressive APT32 operations did not stop after they establi shed a foothold in victim environments. Several Mandiant inves tigations revealed that, after gaining access, APT32 regularly cleared sele ct event log entries and heavily obfuscated their PowerShell-bas ed tools and shellcode loaders with Daniel Bohannon’s Invoke-Obfuscation f ramework. APT32 regularly used stealthy techniques to blend in with legiti
mate user activity: During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windo ws hotfix. In another investigation, APT32 compromised the McAfee ePO i nfrastructure to distribute their malware as a software deployme nt task in which all systems pulled the payload from the ePO server using the proprietary SPIPE protocol. APT32 also used hidden or non-printing characters to help visua lly camouflage their malware on a system. For example, APT32 installed one backdoor as a persistent service with a legitimate service na me that had a Unicode no-break space character appended to it. Another backdoor used an otherwise legitimate DLL filename padded wit h a non-printing OS command control code. APT32 Malware and Infrastructure APT32 appears to have a well-resourced development capability and uses a custom suite of backdoors spanning multiple protoco ls. APT32 operations are characterized through deployment of signature m alware payloads including WINDSHIELD, KOMPROGO, SOUN DBITE, and PHOREAL. APT32 often deploys these backdoors along with th e commercially-available Cobalt Strike BEACON backdoor. AP T32 may also possess backdoor development capabilities for macOS. The capabilities for this unique suite of malware is shown in Ta ble 3. Malware Capabilities
WINDSHIELD Command and control (C2) communications via TCP raw sockets https://github.com/danielbohannon/Invoke-Obfuscation https://www.alienvault.com/blogs/labs-research/oceanlotus-for- os-x-an-application-bundle-pretending-to-be-an-adobe-flash- update 7/12/2017 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations « Threat Research Blog | FireEye Inc https://www.fireeye.com/blog/threat-research/2017/05/cyber- espionage-apt32.html 7/10 Four configured C2s and six configured ports – randomly-chosen C2/port for communications Registry manipulation Get the current module's file name Gather system information including registry values, user name, computer name, and current code page File system interaction including directory creation, file deletion, reading, and writing files Load additional modules and execute code Terminate processes Anti-disassembly KOMPROGO Fully-featured backdoor capable of process, file, and registry management Creating a reverse shell File transfers
Running WMI queries Retrieving information about the infected system SOUNDBITE C2 communications via DNS Process creation File upload Shell command execution File and directory enumeration/manipulation Window enumeration Registry manipulation System information gathering PHOREAL C2 communications via ICMP Reverse shell creation Filesystem manipulation Registry manipulation Process creation File upload BEACON (Cobalt Strike) Publicly available payload that can inject and execute arbitrary code into processes Impersonating the security context of users Importing Kerberos tickets Uploading and downloading files Executing shell commands Configured with malleable C2 profiles to blend in with normal network traffic Co-deployment and interoperability with
Metasploit framework SMB Named Pipe in-memory backdoor payload that enables peer-to-peer C2 and pivoting over SMB Table 3: APT32 Malware and Capabilities APT32 operators appear to be well-resourced and supported as t hey use a large set of domains and IP addresses as command and control infrastructure. The FireEye iSIGHT Intelligence MySIGHT Port al contains additional information on these backdoor families ba sed on https://www.fireeye.com/products/isight-intelligence.html 7/12/2017 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations « Threat Research Blog | FireEye Inc https://www.fireeye.com/blog/threat-research/2017/05/cyber- espionage-apt32.html 8/10 Mandiant investigations of APT32 intrusions. Figure 6 provides a summary of APT32 tools and techniques ma pped to each stage of the attack lifecycle. Figure 6: APT32 Attack Lifecycle Outlook and Implications Based on incident response investigations, product detections, a nd intelligence observations along with additional publications on the same
operators, FireEye assesses that APT32 is a cyber espionage gro up aligned with Vietnamese government interests. The targeting of private sector interests by APT32 is notable and FireEye believes the ac tor poses significant risk to companies doing business in, or pre paring to invest in, the country. While the motivation for each APT32 pri vate sector compromise varied – and in some cases was unknown – the unauthorized access could serve as a platform for law enforcem ent, intellectual property theft, or anticorruption measures that c ould ultimately erode the competitive advantage of targeted organizations. Furt hermore, APT32 continues to threaten political activism and fre e speech in Southeast Asia and the public sector worldwide. Governments, j ournalists, and members of the Vietnam diaspora may continue t o be targeted. While actors from China, Iran, Russia, and North Korea remain the most active cyber espionage threats tracked and responded t o by FireEye, APT32 reflects a growing host of new countries that have adopt ed this dynamic capability. APT32 demonstrates how accessible and impactful offensive capabilities can be with the proper investment and the flexibility to embrace newly-available tools and techniques. As more countries utilize inexpensive and efficient cyber operations, there is a nee d for public awareness of these threats and renewed dialogue ar ound emerging nation-state intrusions that go beyond public sector an d intelligence targets. APT32 Detection
…

Recommended

INTRODUCTION OF CYBER CRIME AND ITS TYPE
INTRODUCTION OF CYBER CRIME AND ITS TYPEINTRODUCTION OF CYBER CRIME AND ITS TYPE
INTRODUCTION OF CYBER CRIME AND ITS TYPEAM Publications
 
Cyber Threat Advisory: Coronavirus Related Scams
Cyber Threat Advisory: Coronavirus Related ScamsCyber Threat Advisory: Coronavirus Related Scams
Cyber Threat Advisory: Coronavirus Related ScamsCTM360
 
Cyber Crime and Cyber Security
Cyber Crime and Cyber SecurityCyber Crime and Cyber Security
Cyber Crime and Cyber SecurityIRJET Journal
 
Advanced Phishing The Art of Stealing
Advanced Phishing The Art of StealingAdvanced Phishing The Art of Stealing
Advanced Phishing The Art of StealingAvinash Sinha
 
Invesitigation of Malware and Forensic Tools on Internet
Invesitigation of Malware and Forensic Tools on Internet Invesitigation of Malware and Forensic Tools on Internet
Invesitigation of Malware and Forensic Tools on Internet IJECEIAES
 
External threats to information system: Malicious software and computer crimes
External threats to information system: Malicious software and computer crimesExternal threats to information system: Malicious software and computer crimes
External threats to information system: Malicious software and computer crimesSouman Guha
 
Symantec Cyber Security Intelligence Report
Symantec Cyber Security Intelligence ReportSymantec Cyber Security Intelligence Report
Symantec Cyber Security Intelligence ReportSymantec
 
Microsoft Security Intelligence Report vol. 21
Microsoft Security Intelligence Report vol. 21Microsoft Security Intelligence Report vol. 21
Microsoft Security Intelligence Report vol. 21Ioannis Aligizakis, M.Sc.
 

Recommended

INTRODUCTION OF CYBER CRIME AND ITS TYPE
INTRODUCTION OF CYBER CRIME AND ITS TYPEINTRODUCTION OF CYBER CRIME AND ITS TYPE
INTRODUCTION OF CYBER CRIME AND ITS TYPEAM Publications
 
Cyber Threat Advisory: Coronavirus Related Scams
Cyber Threat Advisory: Coronavirus Related ScamsCyber Threat Advisory: Coronavirus Related Scams
Cyber Threat Advisory: Coronavirus Related ScamsCTM360
 
Cyber Crime and Cyber Security
Cyber Crime and Cyber SecurityCyber Crime and Cyber Security
Cyber Crime and Cyber SecurityIRJET Journal
 
Advanced Phishing The Art of Stealing
Advanced Phishing The Art of StealingAdvanced Phishing The Art of Stealing
Advanced Phishing The Art of StealingAvinash Sinha
 
Invesitigation of Malware and Forensic Tools on Internet
Invesitigation of Malware and Forensic Tools on Internet Invesitigation of Malware and Forensic Tools on Internet
Invesitigation of Malware and Forensic Tools on Internet IJECEIAES
 
External threats to information system: Malicious software and computer crimes
External threats to information system: Malicious software and computer crimesExternal threats to information system: Malicious software and computer crimes
External threats to information system: Malicious software and computer crimesSouman Guha
 
Symantec Cyber Security Intelligence Report
Symantec Cyber Security Intelligence ReportSymantec Cyber Security Intelligence Report
Symantec Cyber Security Intelligence ReportSymantec
 
Microsoft Security Intelligence Report vol. 21
Microsoft Security Intelligence Report vol. 21Microsoft Security Intelligence Report vol. 21
Microsoft Security Intelligence Report vol. 21Ioannis Aligizakis, M.Sc.
 
Microsoft security intelligence_report_regional_threat_assessment_romania
Microsoft security intelligence_report_regional_threat_assessment_romaniaMicrosoft security intelligence_report_regional_threat_assessment_romania
Microsoft security intelligence_report_regional_threat_assessment_romaniaB Eduard
 
Symantec Intelligence Report - July 2014
Symantec Intelligence Report - July 2014Symantec Intelligence Report - July 2014
Symantec Intelligence Report - July 2014Symantec
 
2015 HPSR Cyber Risk Report
2015 HPSR Cyber Risk Report2015 HPSR Cyber Risk Report
2015 HPSR Cyber Risk ReportAngela Gunn
 
V01 i010413
V01 i010413V01 i010413
V01 i010413IJARBEST JOURNAL
 
2016 Trends in Security
2016 Trends in Security 2016 Trends in Security
2016 Trends in Security Ioannis Aligizakis, M.Sc.
 
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICES
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICESHOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICES
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICESAM Publications,India
 
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...CSCJournals
 
Ey giss-under-cyber-attack
Ey giss-under-cyber-attackEy giss-under-cyber-attack
Ey giss-under-cyber-attackКомсс Файквэе
 
Symantec Intelligence Report September 2014
Symantec Intelligence Report September 2014Symantec Intelligence Report September 2014
Symantec Intelligence Report September 2014Symantec
 
Adaptive Mobile Malware Detection Model Based on CBR
Adaptive Mobile Malware Detection Model Based on CBRAdaptive Mobile Malware Detection Model Based on CBR
Adaptive Mobile Malware Detection Model Based on CBRijtsrd
 
Websense 2013 Threat Report
Websense 2013 Threat ReportWebsense 2013 Threat Report
Websense 2013 Threat ReportKim Jensen
 
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...Black Duck by Synopsys
 
IRJET - Chrome Extension for Detecting Phishing Websites
IRJET - Chrome Extension for Detecting Phishing WebsitesIRJET - Chrome Extension for Detecting Phishing Websites
IRJET - Chrome Extension for Detecting Phishing WebsitesIRJET Journal
 
375
375375
375Waqas Amir
 
Mobile threat report_q3_2013
Mobile threat report_q3_2013Mobile threat report_q3_2013
Mobile threat report_q3_2013Комсс Файквэе
 
Threat Actors - Vietnam (OceansLotus).pptx
Threat Actors - Vietnam (OceansLotus).pptxThreat Actors - Vietnam (OceansLotus).pptx
Threat Actors - Vietnam (OceansLotus).pptxMALCOMNORONHA1
 
A STUDY ON CYBER SECURITY AND ITS RISKS K. Jenifer
A STUDY ON CYBER SECURITY AND ITS RISKS K. JeniferA STUDY ON CYBER SECURITY AND ITS RISKS K. Jenifer
A STUDY ON CYBER SECURITY AND ITS RISKS K. JeniferAM Publications
 
Protecting the Oil and Gas Industry from Email Threats
Protecting the Oil and Gas Industry from Email ThreatsProtecting the Oil and Gas Industry from Email Threats
Protecting the Oil and Gas Industry from Email ThreatsOPSWAT
 
Chinese Cyber attack on mumbai power plant
Chinese Cyber attack on mumbai power plantChinese Cyber attack on mumbai power plant
Chinese Cyber attack on mumbai power plantRohanMistry15
 
Advanced phishing the art of stealing
Advanced phishing the art of stealingAdvanced phishing the art of stealing
Advanced phishing the art of stealingprj_publication
 
Advanced phishing the art of stealing
Advanced phishing the art of stealingAdvanced phishing the art of stealing
Advanced phishing the art of stealingprj_publication
 
A Joint Study by National University of Singapore and IDC
A Joint Study by National University of Singapore and IDCA Joint Study by National University of Singapore and IDC
A Joint Study by National University of Singapore and IDCMicrosoft Asia
 

More Related Content

What's hot

Microsoft security intelligence_report_regional_threat_assessment_romania
Microsoft security intelligence_report_regional_threat_assessment_romaniaMicrosoft security intelligence_report_regional_threat_assessment_romania
Microsoft security intelligence_report_regional_threat_assessment_romaniaB Eduard
 
Symantec Intelligence Report - July 2014
Symantec Intelligence Report - July 2014Symantec Intelligence Report - July 2014
Symantec Intelligence Report - July 2014Symantec
 
2015 HPSR Cyber Risk Report
2015 HPSR Cyber Risk Report2015 HPSR Cyber Risk Report
2015 HPSR Cyber Risk ReportAngela Gunn
 
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICES
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICESHOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICES
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICESAM Publications,India
 
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...CSCJournals
 
Symantec Intelligence Report September 2014
Symantec Intelligence Report September 2014Symantec Intelligence Report September 2014
Symantec Intelligence Report September 2014Symantec
 
Adaptive Mobile Malware Detection Model Based on CBR
Adaptive Mobile Malware Detection Model Based on CBRAdaptive Mobile Malware Detection Model Based on CBR
Adaptive Mobile Malware Detection Model Based on CBRijtsrd
 
Websense 2013 Threat Report
Websense 2013 Threat ReportWebsense 2013 Threat Report
Websense 2013 Threat ReportKim Jensen
 
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...Black Duck by Synopsys
 
IRJET - Chrome Extension for Detecting Phishing Websites
IRJET - Chrome Extension for Detecting Phishing WebsitesIRJET - Chrome Extension for Detecting Phishing Websites
IRJET - Chrome Extension for Detecting Phishing WebsitesIRJET Journal
 

What's hot (15)

Microsoft security intelligence_report_regional_threat_assessment_romania
Microsoft security intelligence_report_regional_threat_assessment_romaniaMicrosoft security intelligence_report_regional_threat_assessment_romania
Microsoft security intelligence_report_regional_threat_assessment_romania
 
Symantec Intelligence Report - July 2014
Symantec Intelligence Report - July 2014Symantec Intelligence Report - July 2014
Symantec Intelligence Report - July 2014
 
2015 HPSR Cyber Risk Report
2015 HPSR Cyber Risk Report2015 HPSR Cyber Risk Report
2015 HPSR Cyber Risk Report
 
V01 i010413
V01 i010413V01 i010413
V01 i010413
 
2016 Trends in Security
2016 Trends in Security 2016 Trends in Security
2016 Trends in Security
 
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICES
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICESHOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICES
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICES
 
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...
 
Ey giss-under-cyber-attack
Ey giss-under-cyber-attackEy giss-under-cyber-attack
Ey giss-under-cyber-attack
 
Symantec Intelligence Report September 2014
Symantec Intelligence Report September 2014Symantec Intelligence Report September 2014
Symantec Intelligence Report September 2014
 
Adaptive Mobile Malware Detection Model Based on CBR
Adaptive Mobile Malware Detection Model Based on CBRAdaptive Mobile Malware Detection Model Based on CBR
Adaptive Mobile Malware Detection Model Based on CBR
 
Websense 2013 Threat Report
Websense 2013 Threat ReportWebsense 2013 Threat Report
Websense 2013 Threat Report
 
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
 
IRJET - Chrome Extension for Detecting Phishing Websites
IRJET - Chrome Extension for Detecting Phishing WebsitesIRJET - Chrome Extension for Detecting Phishing Websites
IRJET - Chrome Extension for Detecting Phishing Websites
 
375
375375
375
 
Mobile threat report_q3_2013
Mobile threat report_q3_2013Mobile threat report_q3_2013
Mobile threat report_q3_2013
 

Similar to 7122017 cyber espionage is alive and well apt32 and the thr

Threat Actors - Vietnam (OceansLotus).pptx
Threat Actors - Vietnam (OceansLotus).pptxThreat Actors - Vietnam (OceansLotus).pptx
Threat Actors - Vietnam (OceansLotus).pptxMALCOMNORONHA1
 
A STUDY ON CYBER SECURITY AND ITS RISKS K. Jenifer
A STUDY ON CYBER SECURITY AND ITS RISKS K. JeniferA STUDY ON CYBER SECURITY AND ITS RISKS K. Jenifer
A STUDY ON CYBER SECURITY AND ITS RISKS K. JeniferAM Publications
 
Protecting the Oil and Gas Industry from Email Threats
Protecting the Oil and Gas Industry from Email ThreatsProtecting the Oil and Gas Industry from Email Threats
Protecting the Oil and Gas Industry from Email ThreatsOPSWAT
 
Chinese Cyber attack on mumbai power plant
Chinese Cyber attack on mumbai power plantChinese Cyber attack on mumbai power plant
Chinese Cyber attack on mumbai power plantRohanMistry15
 
Advanced phishing the art of stealing
Advanced phishing the art of stealingAdvanced phishing the art of stealing
Advanced phishing the art of stealingprj_publication
 
Advanced phishing the art of stealing
Advanced phishing the art of stealingAdvanced phishing the art of stealing
Advanced phishing the art of stealingprj_publication
 
A Joint Study by National University of Singapore and IDC
A Joint Study by National University of Singapore and IDCA Joint Study by National University of Singapore and IDC
A Joint Study by National University of Singapore and IDCMicrosoft Asia
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hackingijtsrd
 
Fraud and Malware Detection in Google Play by using Search Rank
Fraud and Malware Detection in Google Play by using Search RankFraud and Malware Detection in Google Play by using Search Rank
Fraud and Malware Detection in Google Play by using Search Rankijtsrd
 
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...Editor IJMTER
 
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...IJERA Editor
 
UN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - MaccagliaUN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - MaccagliaStefano Maccaglia
 
APT Targeting Indian Police Agencies.
APT Targeting Indian Police Agencies.APT Targeting Indian Police Agencies.
APT Targeting Indian Police Agencies.Rahul Sasi
 
Countering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryCountering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryTrend Micro
 
A Study on Honeypots and Deceiving Attacker using Modern Honeypot Network
A Study on Honeypots and Deceiving Attacker using Modern Honeypot NetworkA Study on Honeypots and Deceiving Attacker using Modern Honeypot Network
A Study on Honeypots and Deceiving Attacker using Modern Honeypot Networkijtsrd
 
IRJET - Detecting Spiteful Accounts in Social Network
IRJET - Detecting Spiteful Accounts in Social NetworkIRJET - Detecting Spiteful Accounts in Social Network
IRJET - Detecting Spiteful Accounts in Social NetworkIRJET Journal
 
A Systematic Review of Android Malware Detection Techniques
A Systematic Review of Android Malware Detection TechniquesA Systematic Review of Android Malware Detection Techniques
A Systematic Review of Android Malware Detection TechniquesCSCJournals
 
A Systematic Literature Review on Phishing and Anti-Phishing Techniques.pdf
A Systematic Literature Review on Phishing and Anti-Phishing Techniques.pdfA Systematic Literature Review on Phishing and Anti-Phishing Techniques.pdf
A Systematic Literature Review on Phishing and Anti-Phishing Techniques.pdfKatie Naple
 
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...CSCJournals
 
Threat Actors and Innovators - Webinar
Threat Actors and Innovators - Webinar Threat Actors and Innovators - Webinar
Threat Actors and Innovators - Webinar Sparity Inc.
 

Similar to 7122017 cyber espionage is alive and well apt32 and the thr (20)

Threat Actors - Vietnam (OceansLotus).pptx
Threat Actors - Vietnam (OceansLotus).pptxThreat Actors - Vietnam (OceansLotus).pptx
Threat Actors - Vietnam (OceansLotus).pptx
 
A STUDY ON CYBER SECURITY AND ITS RISKS K. Jenifer
A STUDY ON CYBER SECURITY AND ITS RISKS K. JeniferA STUDY ON CYBER SECURITY AND ITS RISKS K. Jenifer
A STUDY ON CYBER SECURITY AND ITS RISKS K. Jenifer
 
Protecting the Oil and Gas Industry from Email Threats
Protecting the Oil and Gas Industry from Email ThreatsProtecting the Oil and Gas Industry from Email Threats
Protecting the Oil and Gas Industry from Email Threats
 
Chinese Cyber attack on mumbai power plant
Chinese Cyber attack on mumbai power plantChinese Cyber attack on mumbai power plant
Chinese Cyber attack on mumbai power plant
 
Advanced phishing the art of stealing
Advanced phishing the art of stealingAdvanced phishing the art of stealing
Advanced phishing the art of stealing
 
Advanced phishing the art of stealing
Advanced phishing the art of stealingAdvanced phishing the art of stealing
Advanced phishing the art of stealing
 
A Joint Study by National University of Singapore and IDC
A Joint Study by National University of Singapore and IDCA Joint Study by National University of Singapore and IDC
A Joint Study by National University of Singapore and IDC
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Fraud and Malware Detection in Google Play by using Search Rank
Fraud and Malware Detection in Google Play by using Search RankFraud and Malware Detection in Google Play by using Search Rank
Fraud and Malware Detection in Google Play by using Search Rank
 
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
 
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...
 
UN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - MaccagliaUN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - Maccaglia
 
APT Targeting Indian Police Agencies.
APT Targeting Indian Police Agencies.APT Targeting Indian Police Agencies.
APT Targeting Indian Police Agencies.
 
Countering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryCountering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep Discovery
 
A Study on Honeypots and Deceiving Attacker using Modern Honeypot Network
A Study on Honeypots and Deceiving Attacker using Modern Honeypot NetworkA Study on Honeypots and Deceiving Attacker using Modern Honeypot Network
A Study on Honeypots and Deceiving Attacker using Modern Honeypot Network
 
IRJET - Detecting Spiteful Accounts in Social Network
IRJET - Detecting Spiteful Accounts in Social NetworkIRJET - Detecting Spiteful Accounts in Social Network
IRJET - Detecting Spiteful Accounts in Social Network
 
A Systematic Review of Android Malware Detection Techniques
A Systematic Review of Android Malware Detection TechniquesA Systematic Review of Android Malware Detection Techniques
A Systematic Review of Android Malware Detection Techniques
 
A Systematic Literature Review on Phishing and Anti-Phishing Techniques.pdf
A Systematic Literature Review on Phishing and Anti-Phishing Techniques.pdfA Systematic Literature Review on Phishing and Anti-Phishing Techniques.pdf
A Systematic Literature Review on Phishing and Anti-Phishing Techniques.pdf
 
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...
 
Threat Actors and Innovators - Webinar
Threat Actors and Innovators - Webinar Threat Actors and Innovators - Webinar
Threat Actors and Innovators - Webinar
 

More from smile790243

PART B Please response to these two original posts below. Wh.docx
PART B Please response to these two original posts below. Wh.docxPART B Please response to these two original posts below. Wh.docx
PART B Please response to these two original posts below. Wh.docxsmile790243
 
Part C Developing Your Design SolutionThe Production Cycle.docx
Part C Developing Your Design SolutionThe Production Cycle.docxPart C Developing Your Design SolutionThe Production Cycle.docx
Part C Developing Your Design SolutionThe Production Cycle.docxsmile790243
 
PART A You will create a media piece based around the theme of a.docx
PART A You will create a media piece based around the theme of a.docxPART A You will create a media piece based around the theme of a.docx
PART A You will create a media piece based around the theme of a.docxsmile790243
 
Part 4. Implications to Nursing Practice & Implication to Patien.docx
Part 4. Implications to Nursing Practice & Implication to Patien.docxPart 4. Implications to Nursing Practice & Implication to Patien.docx
Part 4. Implications to Nursing Practice & Implication to Patien.docxsmile790243
 
PART AHepatitis C is a chronic liver infection that can be e.docx
PART AHepatitis C is a chronic liver infection that can be e.docxPART AHepatitis C is a chronic liver infection that can be e.docx
PART AHepatitis C is a chronic liver infection that can be e.docxsmile790243
 
Part A post your answer to the following question1. How m.docx
Part A post your answer to the following question1. How m.docxPart A post your answer to the following question1. How m.docx
Part A post your answer to the following question1. How m.docxsmile790243
 
PART BPlease response to these two original posts below..docx
PART BPlease response to these two original posts below..docxPART BPlease response to these two original posts below..docx
PART BPlease response to these two original posts below..docxsmile790243
 
Part A (50 Points)Various men and women throughout history .docx
Part A (50 Points)Various men and women throughout history .docxPart A (50 Points)Various men and women throughout history .docx
Part A (50 Points)Various men and women throughout history .docxsmile790243
 
Part A1. K2. D3. N4. C5. A6. O7. F8. Q9. H10..docx
Part A1. K2. D3. N4. C5. A6. O7. F8. Q9. H10..docxPart A1. K2. D3. N4. C5. A6. O7. F8. Q9. H10..docx
Part A1. K2. D3. N4. C5. A6. O7. F8. Q9. H10..docxsmile790243
 
Part A Develop an original age-appropriate activity for your .docx
Part A Develop an original age-appropriate activity for your .docxPart A Develop an original age-appropriate activity for your .docx
Part A Develop an original age-appropriate activity for your .docxsmile790243
 
Part 3 Social Situations2. Identify multicultural challenges th.docx
Part 3 Social Situations2. Identify multicultural challenges th.docxPart 3 Social Situations2. Identify multicultural challenges th.docx
Part 3 Social Situations2. Identify multicultural challenges th.docxsmile790243
 
Part A (1000 words) Annotated Bibliography - Create an annota.docx
Part A (1000 words) Annotated Bibliography - Create an annota.docxPart A (1000 words) Annotated Bibliography - Create an annota.docx
Part A (1000 words) Annotated Bibliography - Create an annota.docxsmile790243
 
Part 6 Disseminating Results Create a 5-minute, 5- to 6-sli.docx
Part 6 Disseminating Results Create a 5-minute, 5- to 6-sli.docxPart 6 Disseminating Results Create a 5-minute, 5- to 6-sli.docx
Part 6 Disseminating Results Create a 5-minute, 5- to 6-sli.docxsmile790243
 
Part 3 Social Situations • Proposal paper which identifies multicul.docx
Part 3 Social Situations • Proposal paper which identifies multicul.docxPart 3 Social Situations • Proposal paper which identifies multicul.docx
Part 3 Social Situations • Proposal paper which identifies multicul.docxsmile790243
 
Part 3 Social Situations 2. Identify multicultural challenges that .docx
Part 3 Social Situations 2. Identify multicultural challenges that .docxPart 3 Social Situations 2. Identify multicultural challenges that .docx
Part 3 Social Situations 2. Identify multicultural challenges that .docxsmile790243
 
Part 2The client is a 32-year-old Hispanic American male who c.docx
Part 2The client is a 32-year-old Hispanic American male who c.docxPart 2The client is a 32-year-old Hispanic American male who c.docx
Part 2The client is a 32-year-old Hispanic American male who c.docxsmile790243
 
Part 2For this section of the template, focus on gathering deta.docx
Part 2For this section of the template, focus on gathering deta.docxPart 2For this section of the template, focus on gathering deta.docx
Part 2For this section of the template, focus on gathering deta.docxsmile790243
 
Part 2 Observation Summary and Analysis • Summary paper of observat.docx
Part 2 Observation Summary and Analysis • Summary paper of observat.docxPart 2 Observation Summary and Analysis • Summary paper of observat.docx
Part 2 Observation Summary and Analysis • Summary paper of observat.docxsmile790243
 
Part 2 Observation Summary and Analysis 1. Review and implement any.docx
Part 2 Observation Summary and Analysis 1. Review and implement any.docxPart 2 Observation Summary and Analysis 1. Review and implement any.docx
Part 2 Observation Summary and Analysis 1. Review and implement any.docxsmile790243
 
Part 2Data collectionfrom your change study initiative,.docx
Part 2Data collectionfrom your change study initiative,.docxPart 2Data collectionfrom your change study initiative,.docx
Part 2Data collectionfrom your change study initiative,.docxsmile790243
 

More from smile790243 (20)

PART B Please response to these two original posts below. Wh.docx
PART B Please response to these two original posts below. Wh.docxPART B Please response to these two original posts below. Wh.docx
PART B Please response to these two original posts below. Wh.docx
 
Part C Developing Your Design SolutionThe Production Cycle.docx
Part C Developing Your Design SolutionThe Production Cycle.docxPart C Developing Your Design SolutionThe Production Cycle.docx
Part C Developing Your Design SolutionThe Production Cycle.docx
 
PART A You will create a media piece based around the theme of a.docx
PART A You will create a media piece based around the theme of a.docxPART A You will create a media piece based around the theme of a.docx
PART A You will create a media piece based around the theme of a.docx
 
Part 4. Implications to Nursing Practice & Implication to Patien.docx
Part 4. Implications to Nursing Practice & Implication to Patien.docxPart 4. Implications to Nursing Practice & Implication to Patien.docx
Part 4. Implications to Nursing Practice & Implication to Patien.docx
 
PART AHepatitis C is a chronic liver infection that can be e.docx
PART AHepatitis C is a chronic liver infection that can be e.docxPART AHepatitis C is a chronic liver infection that can be e.docx
PART AHepatitis C is a chronic liver infection that can be e.docx
 
Part A post your answer to the following question1. How m.docx
Part A post your answer to the following question1. How m.docxPart A post your answer to the following question1. How m.docx
Part A post your answer to the following question1. How m.docx
 
PART BPlease response to these two original posts below..docx
PART BPlease response to these two original posts below..docxPART BPlease response to these two original posts below..docx
PART BPlease response to these two original posts below..docx
 
Part A (50 Points)Various men and women throughout history .docx
Part A (50 Points)Various men and women throughout history .docxPart A (50 Points)Various men and women throughout history .docx
Part A (50 Points)Various men and women throughout history .docx
 
Part A1. K2. D3. N4. C5. A6. O7. F8. Q9. H10..docx
Part A1. K2. D3. N4. C5. A6. O7. F8. Q9. H10..docxPart A1. K2. D3. N4. C5. A6. O7. F8. Q9. H10..docx
Part A1. K2. D3. N4. C5. A6. O7. F8. Q9. H10..docx
 
Part A Develop an original age-appropriate activity for your .docx
Part A Develop an original age-appropriate activity for your .docxPart A Develop an original age-appropriate activity for your .docx
Part A Develop an original age-appropriate activity for your .docx
 
Part 3 Social Situations2. Identify multicultural challenges th.docx
Part 3 Social Situations2. Identify multicultural challenges th.docxPart 3 Social Situations2. Identify multicultural challenges th.docx
Part 3 Social Situations2. Identify multicultural challenges th.docx
 
Part A (1000 words) Annotated Bibliography - Create an annota.docx
Part A (1000 words) Annotated Bibliography - Create an annota.docxPart A (1000 words) Annotated Bibliography - Create an annota.docx
Part A (1000 words) Annotated Bibliography - Create an annota.docx
 
Part 6 Disseminating Results Create a 5-minute, 5- to 6-sli.docx
Part 6 Disseminating Results Create a 5-minute, 5- to 6-sli.docxPart 6 Disseminating Results Create a 5-minute, 5- to 6-sli.docx
Part 6 Disseminating Results Create a 5-minute, 5- to 6-sli.docx
 
Part 3 Social Situations • Proposal paper which identifies multicul.docx
Part 3 Social Situations • Proposal paper which identifies multicul.docxPart 3 Social Situations • Proposal paper which identifies multicul.docx
Part 3 Social Situations • Proposal paper which identifies multicul.docx
 
Part 3 Social Situations 2. Identify multicultural challenges that .docx
Part 3 Social Situations 2. Identify multicultural challenges that .docxPart 3 Social Situations 2. Identify multicultural challenges that .docx
Part 3 Social Situations 2. Identify multicultural challenges that .docx
 
Part 2The client is a 32-year-old Hispanic American male who c.docx
Part 2The client is a 32-year-old Hispanic American male who c.docxPart 2The client is a 32-year-old Hispanic American male who c.docx
Part 2The client is a 32-year-old Hispanic American male who c.docx
 
Part 2For this section of the template, focus on gathering deta.docx
Part 2For this section of the template, focus on gathering deta.docxPart 2For this section of the template, focus on gathering deta.docx
Part 2For this section of the template, focus on gathering deta.docx
 
Part 2 Observation Summary and Analysis • Summary paper of observat.docx
Part 2 Observation Summary and Analysis • Summary paper of observat.docxPart 2 Observation Summary and Analysis • Summary paper of observat.docx
Part 2 Observation Summary and Analysis • Summary paper of observat.docx
 
Part 2 Observation Summary and Analysis 1. Review and implement any.docx
Part 2 Observation Summary and Analysis 1. Review and implement any.docxPart 2 Observation Summary and Analysis 1. Review and implement any.docx
Part 2 Observation Summary and Analysis 1. Review and implement any.docx
 
Part 2Data collectionfrom your change study initiative,.docx
Part 2Data collectionfrom your change study initiative,.docxPart 2Data collectionfrom your change study initiative,.docx
Part 2Data collectionfrom your change study initiative,.docx
 

Recently uploaded

social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxShobhayan Kirtania
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 

Recently uploaded (20)

social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptx
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 

7122017 cyber espionage is alive and well apt32 and the thr

  • 1. 7/12/2017 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations « Threat Research Blog | FireEye Inc https://www.fireeye.com/blog/threat-research/2017/05/cyber- espionage-apt32.html 1/10 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations May 14, 2017 | by Nick Carr | Threat Research Cyber espionage actors, now designated by FireEye as APT32 ( OceanLotus Group), are carrying out intrusions into private sect or companies across multiple industries and have also targeted foreign govern ments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with com mercially-available tools, to conduct targeted operations that ar e aligned with Vietnamese state interests. APT32 and FireEye’s Community Response In the course of investigations into intrusions at several corpora tions with business interests in Vietnam, FireEye’s Mandiant in cident response consultants uncovered activity and attacker-controlled infrastruc ture indicative of a significant intrusion campaign. In March 20 17, in response to active targeting of FireEye clients, the team launched a Com
  • 2. munity Protection Event (CPE) – a coordinated effort between Mandiant incident responders, FireEye as a Service (FaaS), FireEye iSight Intelligence, and FireEye product engineering – to protect all clients from APT32 activity. In the following weeks, FireEye released threat intelligence pro ducts and updated malware profiles to customers while developi ng new detection techniques for APT32’s tools and phishing lures. This focused intelligence and detection effort led to new external vic tim identifications as well as providing sufficient technical evidence to link twelve prior intrusions, consolidating four previously un related clusters of threat actor activity into FireEye’s newest named advanced p ersistent threat group: APT32. APT32 Targeting of Private Sector Company Operations in Southeast Asia Since at least 2014, FireEye has observed APT32 targeting forei gn corporations with a vested interest in Vietnam’s manufacturi ng, consumer products, and hospitality sectors. Furthermore, there are indicati ons that APT32 actors are targeting peripheral network security and technology infrastructure corporations. Here is an overview of intrusions investigated by FireEye that a re attributed to APT32: In 2014, a European corporation was compromised prior to cons tructing a manufacturing facility in Vietnam. In 2016, Vietnamese and foreign-owned corporations working in
  • 3. network security, technology infrastructure, banking, and medi a industries were targeted. In mid-2016, malware that FireEye believes to be unique to AP T32 was detected on the networks of a global hospitality industr y developer with plans to expand operations into Vietnam. From 2016 through 2017, two subsidiaries of U.S. and Philippin e consumer products corporations, located inside Vietnam, were the target of APT32 intrusion operations. Table 1 shows a breakdown of APT32 activity, including the ma lware families used in each. Year Country Industry Malware 2014 Vietnam Network Security WINDSHIELD 2014 Germany Manufacturing WINDSHIELD 2015 Vietnam Media WINDSHIELD 2016 Philippines Consumer products KOMPROGO WINDSHIELD https://www.fireeye.com/blog/threat- research.html/category/etc/tags/fireeye-blog-authors/nick-carr https://www.fireeye.com/blog/threat- research.html/category/etc/tags/fireeye-blog-threat- research/threat-research
  • 4. https://www2.fireeye.com/WEB-Community-Protection- Security-Numbers.html 7/12/2017 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations « Threat Research Blog | FireEye Inc https://www.fireeye.com/blog/threat-research/2017/05/cyber- espionage-apt32.html 2/10 SOUNDBITE BEACON 2016 Vietnam Banking WINDSHIELD 2016 Philippines Technology Infrastructure WINDSHIELD 2016 China Hospitality WINDSHIELD 2016 Vietnam Media WINDSHIELD 2016 United States Consumer Products WINDSHIELD PHOREAL
  • 5. BEACON SOUNDBITE Table 1: APT32 Private Sector Targeting Identified by FireEye APT32 Interest in Political Influence and Foreign Governments In addition to focused targeting of the private sector with ties to Vietnam, APT32 has also targeted foreign governments, as well as Vietnamese dissidents and journalists since at least 2013. Here i s an overview of this activity: A public blog published by the Electronic Frontier Foundation i ndicated that journalists, activists, dissidents, and bloggers were targeted in 2013 by malware and tactics consistent with APT32 operations. In 2014, APT32 leveraged a spear-phishing attachment titled “P lans to crackdown on protesters at the Embassy of Vietnam.exe, " which targeted dissident activity among the Vietnamese diaspora in So utheast Asia. Also in 2014, APT32 carried out an intrusion agai nst a Western country’s national legislature. In 2015, SkyEye Labs, the security research division of the Chi nese firm Qihoo 360, released a report detailing threat actors th at were targeting Chinese public and private entities including governm ent agencies, research institutes, maritime agencies, sea constru ction, and shipping enterprises. The information included in the report indi cated that the perpetrators used the same malware, overlapping infrastructure, and similar targets as APT32. In 2015 and 2016, two Vietnamese media outlets were targeted with malware that FireEye assesses to be unique to APT32. In 2017, social engineering content in lures used by the actor pr
  • 6. ovided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines. APT32 Tactics In their current campaign, APT32 has leveraged ActiveMime fil es that employ social engineering methods to entice the victim i nto enabling macros. Upon execution, the initialized file downloads multiple malicious payloads from remote servers. APT32 actors continue to deliver the malicious attachments via spear-phishing emails. APT32 actors designed multilingual lure documents which were tailored to specific victims. Although the files had “.doc” file e xtensions, the recovered phishing lures were ActiveMime “.mht” web page arc hives that contained text and images. These files were likely cre ated by exporting Word documents into single file web pages. Table 2 contains a sample of recovered APT32 multilingual lure files. ActiveMime Lure Files MD5 2017年员工工资性津贴额统计报 告.doc (2017 Statistical Report on Staff Salary and Allowances) 5458a2e4d784abb1a1127263bd5006b5 https://www.eff.org/deeplinks/2014/01/vietnamese-malware-
  • 7. gets-personal http://blogs.360.cn/blog/oceanlotus-apt 7/12/2017 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations « Threat Research Blog | FireEye Inc https://www.fireeye.com/blog/threat-research/2017/05/cyber- espionage-apt32.html 3/10 Thong tin.doc (Information) ce50e544430e7265a45fab5a1f31e529 Phan Vu Tutn CV.doc 4f761095ca51bfbbf4496a4964e41d4f Ke hoach cuu tro nam 2017.doc (2017 Bailout Plan) e9abe54162ba4572c770ab043f576784 Instructions to GSIS.doc fba089444c769700e47c6b44c362f96b Hoi thao truyen thong doc lap.doc (Traditional Games) f6ee4b72d6d42d0c7be9172be2b817c1 Giấy yêu cầu bồi thường mới 2016 - hằng.doc (New 2016 Claim Form) aa1f85de3e4d33f31b4f78968b29f175
  • 8. Hoa don chi tiet tien no.doc (Debt Details) 5180a8d9325a417f2d8066f9226a5154 Thu moi tham du Hoi luan.doc (Collection of Participants) f6ee4b72d6d42d0c7be9172be2b817c1 Danh sach nhan vien vi pham ky luat.doc (List of Employee Violations) 6baafffa7bf960dec821b627f9653e44 Nội­dung­quảng­cáo.doc (Internal Content Advertising) 471a2e7341f2614b715dc89e803ffcac HĐ DVPM-VTC 31.03.17.doc f1af6bb36cdf3cff768faee7919f0733 Table 2: Sampling of APT32 Lure Files The Base64 encoded ActiveMime data also contained an OLE fil e with malicious macros. When opened, many lure files displaye d fake error messages in an attempt to trick users into launching the malicio us macros. Figure 1 shows a fake Gmail-theme paired with a he xadecimal error code that encourages the recipient to enable content to res olve the error. Figure 2 displays another APT32 lure that used a convincing
  • 9. image of a fake Windows error message instructing the recipient to enable content to properly display document font characters. Figure 1: Example APT32 Phishing Lure – Fake Gmail Error Message 7/12/2017 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations « Threat Research Blog | FireEye Inc https://www.fireeye.com/blog/threat-research/2017/05/cyber- espionage-apt32.html 4/10 Figure 2: Example APT32 Phishing Lure – Fake Text Encoding Error Message APT32 operators implemented several novel techniques to track the efficacy of their phishing, monitor the distribution of their malicious documents, and establish persistence mechanisms to dynamicall y update backdoors injected into memory. In order to track who opened the phishing emails, viewed the lin ks, and downloaded the attachments in real-time, APT32 used cl oud-based email analytics software designed for sales organizations. In so me instances, APT32 abandoned direct email attachments altoge ther and relied exclusively on this tracking technique with links to their ActiveMime lures hosted externally on legitimate cloud storage services. To enhance visibility into the further distribution of their phishi ng lures, APT32 utilized the native web page functionality of th
  • 10. eir ActiveMime documents to link to external images hosted on APT32 monitore d infrastructure. Figure 3 contains an example phishing lure with HTML image t ags used for additional tracking by APT32. Figure 3: Phishing Lure Containing HTML Image Tags for Addi tional Tracking When a document with this feature is opened, Microsoft Word will attempt to download the external image, even if macros wer e disabled. In all phishing lures analyzed, the external images did not exist. Mand iant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images. When combine d with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms. 7/12/2017 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations « Threat Research Blog | FireEye Inc https://www.fireeye.com/blog/threat-research/2017/05/cyber- espionage-apt32.html 5/10 Once macros were enabled on the target system, the malicious macros created two named scheduled tasks as persistence mecha nisms for two backdoors on the infected system. The first named schedule d task launched an application whitelisting script protection byp
  • 11. ass to execute a COM scriptlet that dynamically downloaded the first backdoor from APT32’s infrastructure and injected it into memory. The s econd named scheduled task, loaded as an XML file to falsify task attributes, ran a JavaScript code block that downloaded and launched a sec ondary backdoor, delivered as a multi-stage PowerShell script. In most lures, one scheduled task persisted an APT32-specific backdoor and the other scheduled task initialized a commercially-available backdoor as backup. To illustrate the complexity of these lures, Figure 4 shows the c reation of persistence mechanisms for recovered APT32 lure “2 017年员工工资 性津贴额统计报告.doc”. Figure 4: APT32 ActiveMime Lures Create Two Named Schedul ed Tasks In this example, a scheduled task named “Windows Scheduled Maintenance” was created to run Casey Smith’s “Squiblydoo” A pp Whitelisting bypass every 30 minutes. While all payloads can be dynamically updated, at the time of delivery, this task launched a COM scri ptlet (“.sct” file extension) that downloaded and executed Meterpreter hosted on images.chinabytes[.]info. Meterpreter then loaded Cobalt Strike BEACON, configured to communicate with 80.255.3[.]87 using the Safebro wsing malleable C2 profile to further blend in with network traf fic. A second scheduled task named “Scheduled Defrags” was created by loadi ng the raw task XML with a backdated task creation timestamp of June 2,
  • 12. 2016. This second task ran “mshta.exe” every 50 minutes which launched an APT32-specific backdoor delivered as shellcode in a PowerShell script, configured to communicate with the domains blog.panggi n[.]org, share.codehao[.]net, and yii.yiihao126[.]net. Figure 5 illustrates the chain of events for a single successful A PT32 phishing lure that dynamically injects two multi-stage mal ware frameworks into memory. http://subt0x10.blogspot.com/2016/04/bypass-application- whitelisting-script.html https://github.com/rsmudge/Malleable-C2- Profiles/blob/master/normal/safebrowsing.profile 7/12/2017 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations « Threat Research Blog | FireEye Inc https://www.fireeye.com/blog/threat-research/2017/05/cyber- espionage-apt32.html 6/10 Figure 5: APT32 Phishing Chain of Events The impressive APT32 operations did not stop after they establi shed a foothold in victim environments. Several Mandiant inves tigations revealed that, after gaining access, APT32 regularly cleared sele ct event log entries and heavily obfuscated their PowerShell-bas ed tools and shellcode loaders with Daniel Bohannon’s Invoke-Obfuscation f ramework. APT32 regularly used stealthy techniques to blend in with legiti
  • 13. mate user activity: During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windo ws hotfix. In another investigation, APT32 compromised the McAfee ePO i nfrastructure to distribute their malware as a software deployme nt task in which all systems pulled the payload from the ePO server using the proprietary SPIPE protocol. APT32 also used hidden or non-printing characters to help visua lly camouflage their malware on a system. For example, APT32 installed one backdoor as a persistent service with a legitimate service na me that had a Unicode no-break space character appended to it. Another backdoor used an otherwise legitimate DLL filename padded wit h a non-printing OS command control code. APT32 Malware and Infrastructure APT32 appears to have a well-resourced development capability and uses a custom suite of backdoors spanning multiple protoco ls. APT32 operations are characterized through deployment of signature m alware payloads including WINDSHIELD, KOMPROGO, SOUN DBITE, and PHOREAL. APT32 often deploys these backdoors along with th e commercially-available Cobalt Strike BEACON backdoor. AP T32 may also possess backdoor development capabilities for macOS. The capabilities for this unique suite of malware is shown in Ta ble 3. Malware Capabilities
  • 14. WINDSHIELD Command and control (C2) communications via TCP raw sockets https://github.com/danielbohannon/Invoke-Obfuscation https://www.alienvault.com/blogs/labs-research/oceanlotus-for- os-x-an-application-bundle-pretending-to-be-an-adobe-flash- update 7/12/2017 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations « Threat Research Blog | FireEye Inc https://www.fireeye.com/blog/threat-research/2017/05/cyber- espionage-apt32.html 7/10 Four configured C2s and six configured ports – randomly-chosen C2/port for communications Registry manipulation Get the current module's file name Gather system information including registry values, user name, computer name, and current code page File system interaction including directory creation, file deletion, reading, and writing files Load additional modules and execute code Terminate processes Anti-disassembly KOMPROGO Fully-featured backdoor capable of process, file, and registry management Creating a reverse shell File transfers
  • 15. Running WMI queries Retrieving information about the infected system SOUNDBITE C2 communications via DNS Process creation File upload Shell command execution File and directory enumeration/manipulation Window enumeration Registry manipulation System information gathering PHOREAL C2 communications via ICMP Reverse shell creation Filesystem manipulation Registry manipulation Process creation File upload BEACON (Cobalt Strike) Publicly available payload that can inject and execute arbitrary code into processes Impersonating the security context of users Importing Kerberos tickets Uploading and downloading files Executing shell commands Configured with malleable C2 profiles to blend in with normal network traffic Co-deployment and interoperability with
  • 16. Metasploit framework SMB Named Pipe in-memory backdoor payload that enables peer-to-peer C2 and pivoting over SMB Table 3: APT32 Malware and Capabilities APT32 operators appear to be well-resourced and supported as t hey use a large set of domains and IP addresses as command and control infrastructure. The FireEye iSIGHT Intelligence MySIGHT Port al contains additional information on these backdoor families ba sed on https://www.fireeye.com/products/isight-intelligence.html 7/12/2017 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations « Threat Research Blog | FireEye Inc https://www.fireeye.com/blog/threat-research/2017/05/cyber- espionage-apt32.html 8/10 Mandiant investigations of APT32 intrusions. Figure 6 provides a summary of APT32 tools and techniques ma pped to each stage of the attack lifecycle. Figure 6: APT32 Attack Lifecycle Outlook and Implications Based on incident response investigations, product detections, a nd intelligence observations along with additional publications on the same
  • 17. operators, FireEye assesses that APT32 is a cyber espionage gro up aligned with Vietnamese government interests. The targeting of private sector interests by APT32 is notable and FireEye believes the ac tor poses significant risk to companies doing business in, or pre paring to invest in, the country. While the motivation for each APT32 pri vate sector compromise varied – and in some cases was unknown – the unauthorized access could serve as a platform for law enforcem ent, intellectual property theft, or anticorruption measures that c ould ultimately erode the competitive advantage of targeted organizations. Furt hermore, APT32 continues to threaten political activism and fre e speech in Southeast Asia and the public sector worldwide. Governments, j ournalists, and members of the Vietnam diaspora may continue t o be targeted. While actors from China, Iran, Russia, and North Korea remain the most active cyber espionage threats tracked and responded t o by FireEye, APT32 reflects a growing host of new countries that have adopt ed this dynamic capability. APT32 demonstrates how accessible and impactful offensive capabilities can be with the proper investment and the flexibility to embrace newly-available tools and techniques. As more countries utilize inexpensive and efficient cyber operations, there is a nee d for public awareness of these threats and renewed dialogue ar ound emerging nation-state intrusions that go beyond public sector an d intelligence targets. APT32 Detection
  • 18.