Threat Landscape
Cyber Security Webinar Series
Webinar 1, May 4th, 2015
Jarno Niemelä
Twitter: @jarnomn
WHAT’S THIS ALL ABOUT
Enemies: every company has them
Large or strategically important companies have enemies who target them specifically
The rest will be targets of opportunity
A normal company has to worry about:
Undirected malware attacks
For-profit criminals
Activists, hackers, script kiddies
Spies who are after your customers and use you as a path for the attack
© F-Secure
STAGES OF ATTACK
1. Recon the target and build the exploit and malware for the attack
2. Get in contact with the target and attack
3. Get C&C access to the beachhead malware on the target
4. Move within target network
5. Monetize
6. Persist as long as possible
RECON
Exploits are always specific to a certain program, and sometimes even a version
Thus in order to weaponize, the attacker must know his target
Or use mass attacks and rely on luck
Network scanning, banner grabbing, etc: the basic techniques
OSINT: what software have @company.com users posted or asked about? Are any vendors using the company as a reference?
DNS timing recon: query the target's DNS and time the answers; anything that is in use in the company will answer fast
Humint: call people and ask, pretend to be a student and send questionnaires
ATTACK OVER EMAIL
SPAM: the attacker builds a generic email…
…and hopes that message hits home to someone
Spear Phishing: the victim gets a tailored email with a document
The document is from a known sender
The topic of the document is what could be expected
All in all it looks like regular business mail
Except that it contains an exploit and a backdoor
ATTACK OVER HACKED WEBSITES
The attacker searches the web for vulnerable pages
Vulnerable pages are hacked to attack their users
The page contains either a direct attack
Or a redirection to an attack server
Both criminals and spies use web attacks
Criminals go after any web page which has users
Spies selectively target pages favored by their intended targets
This is called a watering hole attack: lie in wait for the victims to come
ANYTHING GOES FOR ATTACK
It's not only the naughty pages
Attackers will use any popular site that they are able to take over
SEARCH ENGINE POISONING
Why chase victims when you can lure them?
The attacker picks searches that interest the targets
Uses search engine optimization tricks to get to the top hits
And waits for the user to click on the result
After the user visits the page, the flow continues as with a hacked site
TRAFFIC INJECTION
The attacker gets MITM (Man in the Middle) access to traffic
Hacked router or "legal" interception interface
"Free" Wifi access point or evil twin
China's "great cannon", traffic injection at the border
With MITM the attacker can inject traffic:
Exploits into any web page
On-the-fly trojanizing of software updates or other executables
JavaScript injection, to make the victim a DDoS slave
SOCIAL ENGINEERING ATTACKS
Sometimes the attacker does not have an exploit kit at his disposal, so he uses scams
The most typical cases are:
Fake updates to Flash, codecs, etc
Fake movies, images, etc
Trojanized pirate copies
Sometimes attackers use additional tricks
Such as DNS poisoning to make it look like the content is coming from a trusted domain
DISTRIBUTION THROUGH AFFILIATES
Sometimes the attacker does not know how to monetize the victim
So he sells the access to the victim
A botnet operator buys victims in bulk
And monetizes them
This is called affiliate networks; basically it's digital slave trade
[Diagram: ZeroAccess Botnet Operator, Affiliates, Victims; affiliate channels: exploit kit, spam, fake video; pay-per-install, $500 per 1000 installs]
USB: BRIDGING THE AIRGAP
A USB or other media stick loaded with malware
USB autoplay (doesn't work against an up-to-date OS)
Icon or media recognition exploit
Use the traditional trick of masking an executable as a document
Craft a special USB that actually acts as a USB keyboard
and use "copy con foo.exe" and then "cmd /c foo.exe" to run it
Emulate a network card and have an automated exploit kit on the stick, or use DHCP to change the user's DNS settings
Or just a plain document exploit
Introduce the USB to the victim
Hope that the victim plugs in said USB device
http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe
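A defender-side check for the "executable masked as a document" trick listed above, as an added example that is not part of the webinar: it walks a mounted removable volume and flags files whose name or content betrays an executable posing as a document. The directory it scans is constructed inline from labelled sample bytes, and the two heuristics (double extension, PE header behind a document extension) are my own, not F-Secure's.

```python
import os
import tempfile

# Extensions a user would reasonably take for a document or picture.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png"}
# Extensions that launch code when double-clicked (the real payload behind the disguise).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}


def classify(path):
    """Return the reasons (possibly none) a file looks like an executable posing as a document."""
    parts = os.path.basename(path).lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    # Double extension: "report.pdf.exe" displays as "report.pdf" when Windows hides known extensions.
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS and ext in EXEC_EXTS:
        reasons.append("double extension ." + parts[-2] + ext)
    # Content check: the "MZ" header of a Windows PE behind a document extension is never legitimate.
    with open(path, "rb") as f:
        head = f.read(2)
    if head == b"MZ" and ext in DOCUMENT_EXTS:
        reasons.append("PE header (MZ) with document extension " + ext)
    return reasons


def scan_removable_media(root):
    """Walk a mounted volume and map each suspicious file (relative path) to its reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_volume():
    """Create a throwaway directory imitating a found USB stick (constructed samples, not malware)."""
    root = tempfile.mkdtemp(prefix="usb_")
    samples = {
        "Q2 report.pdf.exe": b"MZ\x90\x00 constructed sample",  # double extension
        "invoice.docx": b"MZ\x90\x00 constructed sample",       # PE bytes behind a document name
        "notes.txt": b"plain text",                              # benign
        "photo.jpg": b"\xff\xd8\xff\xe0 jpeg header",            # benign
    }
    for fn, content in samples.items():
        with open(os.path.join(root, fn), "wb") as f:
            f.write(content)
    return root
```

Run `scan_removable_media("/media/usb")` (or the drive letter on Windows) against a real stick before anyone double-clicks anything on it; the two benign samples show the check does not fire on ordinary documents.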
MOBILE MALWARE
Mobile malware is almost exclusively an Android problem
However there are a few that target unlocked iPhones
The Android malware is based on trojans fooling the user into installing it
Fake Flash Player or other updates shown by hacked websites
Trojanized or fake apps in third-party app stores or Google Play
URL links in SMS, WhatsApp, Skype, email or other spam
Once installed, the malware tries to monetize:
Sending premium SMS
Ransomware: lock the phone or files
Assisting PC-based banker attacks
[Chart: Fastest growing Android malware families]
CONCLUSION
Attackers will try to get victims any way they can
And will do anything to get profit from the victims
Which means that even if you are not an interesting target
Your customers may be, and thus so are you
Or you get hit simply because you are an easy target
This means that as a defender you need comprehensive protection