Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

Post on 18-Nov-2014


More info on http://techdays.be.

Transcript of Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

APTs, Cyber-attacks, Cybercrime, Cyber warfare and Cyber threats exposed

Marcus Murray & Hasain Alshakarti, Truesec Security Team, MVP Enterprise Security x2

Marcus Murray Hasain Alshakarti

The threat landscape is changing.

It used to be kids hacking for fun...

Not anymore...

Most countries have “cyber capabilities” today.

The “Mandiant report”

Unit 61398 is partially situated on Datong Road (大同路 ) in Gaoqiaozhen (高桥镇 ), which is located in the Pudong New Area (浦东新区 ) of Shanghai (上海 ). The central building in this compound is a 130,663 square foot facility that is 12 stories high and was built in early 2007.

* Mandiant APT1 report 2013

We estimate that Unit 61398 is staffed by hundreds, and perhaps thousands of people based on the size of Unit 61398’s physical infrastructure.

“Unit 61398 requires its personnel to be trained in computer security and computer network operations and also requires its personnel to be proficient in the English language.”

* Mandiant APT1 report 2013

“They have systematically stolen hundreds of terabytes of data from at least 141 organizations, and have demonstrated the capability and intent to steal from dozens of organizations simultaneously”*

* Mandiant APT1 report 2013

“Among other large-scale thefts of intellectual property, we have observed them stealing 6.5 terabytes of compressed data from a single organization over a ten-month time period.”

* Mandiant APT1 report 2013

Attack process (lifecycle diagram)

Initial recon

Initial compromise

Establish foothold

Escalate privileges

Internal recon

Lateral movement

Maintain presence

Complete mission

Attack process

Initial recon (diagram labels: Attacker)

Initial compromise (diagram labels: Web Srv, Mail Srv, File Srv, DC, Client, User, Admin, Attacker)

Establish foothold (diagram labels: Web Srv, Mail Srv, File Srv, DC, Client, User, Admin, C&C Srv, Attacker)

What about antivirus? (diagram labels: Trojan.exe, Avhide, Newtrojan.exe, Av-test, Attacker)

Lateral movement (diagram labels: Web Srv, Mail Srv, File Srv, DC, Client, User, Admin, Attacker)

Complete mission (diagram labels: Web Srv, Mail Srv, File Srv, DC, Client, User, Admin, Attacker)

What about network detection?

Complete mission

Harvest data
• intellectual property
• business contracts
• negotiations
• policy papers
• internal memoranda
• etc.

Compress and collect
• Rar+pwd
• etc.

Channel over MSN

Channel over Google calendar

FQDNs used. About half of APT1’s known zones were named according to three themes:
• News
• Technology
• Business

aoldaily.com
aunewsonline.com
canadatvsite.com
canoedaily.com
cnndaily.com
cnndaily.net
cnnnewsdaily.com
defenceonline.net
freshreaders.net
giftnews.org
issnbgkit.net
mediaxsds.net
myyahoonews.com
newsesport.com
newsonet.net
newsonlinesite.com
newspappers.org
nytimesnews.net
oplaymagzine.com
phoenixtvus.com
purpledaily.com
reutersnewsonline.com
rssadvanced.org
saltlakenews.org
sportreadok.net
todayusa.org
usapappers.com
usnewssite.com
yahoodaily.com
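The zone list above is the kind of indicator a defender turns into a DNS-log check. The script below is an added example, not part of the talk or of the Mandiant report: it loads the zones exactly as listed on the slide, parses a small set of constructed query-log lines (the log format, the client addresses and the timestamps are assumptions made up for this example), and flags any lookup whose name is one of those zones or a subdomain of one. It deliberately does not match names that merely contain a listed zone as an inner label, and it does not match the lookalike newspapers.org, which differs from the listed newspappers.org by one letter.

```python
import re
from typing import Dict, Iterable, List, Optional

# Zones named on the slide (Mandiant APT1 report, 2013). Nothing else is added.
APT1_ZONES = frozenset({
    "aoldaily.com", "aunewsonline.com", "canadatvsite.com", "canoedaily.com",
    "cnndaily.com", "cnndaily.net", "cnnnewsdaily.com", "defenceonline.net",
    "freshreaders.net", "giftnews.org", "issnbgkit.net", "mediaxsds.net",
    "myyahoonews.com", "newsesport.com", "newsonet.net", "newsonlinesite.com",
    "newspappers.org", "nytimesnews.net", "oplaymagzine.com", "phoenixtvus.com",
    "purpledaily.com", "reutersnewsonline.com", "rssadvanced.org",
    "saltlakenews.org", "sportreadok.net", "todayusa.org", "usapappers.com",
    "usnewssite.com", "yahoodaily.com",
})

# Assumed log line shape for this example: "<timestamp> <client-ip> query: <qname> <qtype>".
DNS_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)

# Constructed sample log: two real hits, one inner-label decoy, one lookalike, one benign.
SAMPLE_LOG = """\
2014-11-18T09:12:01Z 10.0.5.23 query: www.example.org A
2014-11-18T09:12:07Z 10.0.5.23 query: mail.cnndaily.com A
2014-11-18T09:13:44Z 10.0.7.8 query: cnndaily.com.internal.corp A
2014-11-18T09:14:02Z 10.0.7.8 query: usnewssite.com. A
2014-11-18T09:15:30Z 10.0.9.1 query: newspapers.org A
"""


def zone_for(qname: str) -> Optional[str]:
    """Return the listed zone that qname equals or sits under, else None.

    Only suffix matches count: 'mail.cnndaily.com' hits 'cnndaily.com', but
    'cnndaily.com.internal.corp' does not, because the listed zone is not
    the tail of that name.
    """
    labels = qname.rstrip(".").lower().split(".")
    # Walk from the full name down to the registrable two-label suffix.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in APT1_ZONES:
            return candidate
    return None


def find_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse query-log lines and return one record per lookup of a listed zone."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        zone = zone_for(m.group("qname"))
        if zone is not None:
            hits.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "qname": m.group("qname"),
                "zone": zone,
            })
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} looked up {hit['qname']} (zone {hit['zone']})")
```

Run against the embedded sample it reports two lookups, both attributable to a client address, which is the pivot a responder needs to move from "a listed zone was resolved" to "this host resolved it". Swap `SAMPLE_LOG` for a real resolver log and adjust `DNS_LOG_RE` to that resolver's format; the suffix-matching logic stays the same.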

Origins of attacks.

Marcus Murray Hasain Alshakarti

Thank you for listening!