Embed Size (px)
Citation preview
P R O T E C T I N G Y O U R N E T W O R K
Industry-leading threat intelligence. The largest threat detection network in the world.
Martin Lee – Manager Talos Outreach EMEA
250+Full Time Threat Intel Researchers
MILLIONSOf Telemetry Agents
4Global Data Centers
1100+Threat Traps
100+Threat Intelligence Partners
THREAT INTEL
1.5 MILLIONDaily Malware Samples
600 BILLIONDaily Email Messages
16 BILLIONDaily Web Requests
Honeypots
Open Source Communities
Vulnerability Discovery (Internal)
Product Telemetry
Internet-Wide Scanning
20 BILLION
Threats Blocked
INTEL SHARING
Talos Intel Background
Customer Data Sharing Programs
Provider Coordination Program
Open Source Intel Sharing
3rd Party Programs (MAPP)
Industry Sharing Partnerships (ISACs)
500+Participants
Olympic Destroyerand the Rise of Wiper Malware
The Guardian Publication
Reported Effects
§ Official Pyeongchang 2018 website off line
• visitors unable to access information
• unable to print tickets for events
§ Wifi in Olympic stadium unavailable
§ Internet access in press centre unavailable
§ Television screens in press centre not working
Olympic Destroyer
Actions
• Overwrite files with 1Mb of ‘0’s.
• Delete shadow copies.
• Delete backups.
• Wipe files on mapped shared folders.
• Disable boot recovery.
• Destroy event logs.
• Disable all Windows services.
• Reboot.
Antecedents
Rogues Gallery
The Delivery Problem
Solved
Nyetya Spread
ETERNALBLUE
Scans IP subnet139 TCP
Perfc.dat PSEXEC
WMI
ETERNALROMANCE
Nyetya Effects
Olympic Destroyer Spread
Scans IP subnet viaARP table & WMI (WQL)
Winlogon.exe PSEXEC
WMI
System Stealer
• Mimikatz (communication to the main module via named pipe)
Password Stealer
• Browsers: Internet Explorer, Firefox, Chrome (communication to the main module via named pipe)
System Stealer
• The stolen credentials are used to patch the main binary• The patched binary will be used for the propagation
Whodunnit?
Who Was That?
Olympic Destroyer Similarities
Lazarus Group
APT3 APT10 Nyetya
Filename similarities +
Wiper function logic +
Credential stealer + +
AES key generation function +
WMI propagation & named pipe comms +
EternalBlue POC stub +
Is Anything New?
Ancient History
1974 Wabbit (1969?)
1985 CyberAIDS
1987 Jerusalem Virus
mainframe – used up resources until unable to access system
DOS – deletes executable files on Friday 13th
Apple – overwrites file system
Really Ancient History
Lumine supero privitis.Devotas consecratasque.Sunt maxime…Devoti.
Publius Cornelius Scipio Africanus
Areas for Research
Areas for Research
Traditional• Worm Spread
• Malware Execution
• Minimising Harm
Areas for Research
Traditional Organisational• Worm Spread
• Malware Execution
• Minimising Harm
• Network architecture choices
• End point protection prevalence
• Backups anyone?
What decisions were made and why?
