Threat Landscape

Cyber Security Webinar Series, Webinar 1, May 4th, 2015

Jarno Niemelä, Twitter: @jarnomn

Cyber security webinar part 1 - Threat Landscape

WHAT’S THIS ALL ABOUT

Enemies: every company has them

Large or strategically important companies have enemies who target them specifically

The rest will be targets of opportunity

A normal company has to worry about:

Undirected malware attacks

For profit criminals

Activists, hackers, script kiddies

Spies who are after your customers and use you as a path for the attack

© F-Secure

STAGES OF ATTACK

1. Recon the target and build the exploit and malware for the attack

2. Get in contact with target and attack

3. Get C&C (command and control) access to the beachhead malware on the target

4. Move within target network

5. Monetize

6. Persist as long as possible

RECON

Exploits are always specific to a certain program, and sometimes even to a version

Thus in order to weaponize, the attacker must know his target

Or use mass attacks and rely on luck

Network scanning, banner grabbing and other basic techniques

OSINT: what software have @company.com users posted or asked about? Are any vendors using the company as a reference?

DNS timing recon: query the target's DNS and time the answers

Anything that is in use in the company will answer fast (the resolver already has it cached)

HUMINT: call people and ask, or pretend to be a student and send questionnaires
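
The DNS timing recon above leaves a trace on the defender's side: BIND logs a "-" flag after the record type when a client did not ask for recursion, and a burst of such queries for many different names from one outside address is the footprint of a cache-snooping probe. The following detector is an added example, not code from the webinar or from F-Secure; the log lines, addresses and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed BIND-style query log lines (sample input, not real traffic).
# The "+" / "-" flag after the record type records whether the client asked
# for recursion; cache snooping sends "-" so only cached names answer at all.
SAMPLE_LOG = """\
04-May-2015 10:12:01.101 client 203.0.113.5#41234 (www.vendor-a.example): query: www.vendor-a.example IN A - (192.0.2.1)
04-May-2015 10:12:01.104 client 203.0.113.5#41234 (update.vendor-b.example): query: update.vendor-b.example IN A - (192.0.2.1)
04-May-2015 10:12:01.108 client 203.0.113.5#41234 (crl.vendor-c.example): query: crl.vendor-c.example IN A - (192.0.2.1)
04-May-2015 10:12:01.111 client 203.0.113.5#41234 (mail.vendor-d.example): query: mail.vendor-d.example IN A - (192.0.2.1)
04-May-2015 10:12:01.115 client 203.0.113.5#41234 (www.vendor-e.example): query: www.vendor-e.example IN A - (192.0.2.1)
04-May-2015 10:12:02.500 client 10.0.0.17#53012 (www.example.org): query: www.example.org IN A + (192.0.2.1)
04-May-2015 10:12:03.200 client 10.0.0.18#53013 (www.example.net): query: www.example.net IN AAAA + (192.0.2.1)
04-May-2015 10:12:04.000 client 10.0.0.17#53014 (intranet.example.org): query: intranet.example.org IN A - (192.0.2.1)
"""

# Matches both the older "client IP#port: query:" and the newer
# "client IP#port (name): query:" layouts of the BIND query log.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+.*?: query: (?P<name>\S+) IN (?P<type>\S+) (?P<flags>[+-])"
)

def non_recursive_queries(log_text):
    """Map each client IP to the set of distinct names it queried without recursion."""
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("flags") == "-":
            per_client[m.group("ip")].add(m.group("name").lower())
    return per_client

def suspected_snoopers(log_text, threshold=3, internal_prefixes=("10.", "192.168.")):
    """Clients outside the (assumed) internal ranges that sent at least
    `threshold` non-recursive queries for distinct names."""
    hits = {}
    for ip, names in non_recursive_queries(log_text).items():
        if ip.startswith(internal_prefixes):
            continue  # internal hosts may legitimately send RD=0 queries
        if len(names) >= threshold:
            hits[ip] = sorted(names)
    return hits

if __name__ == "__main__":
    for ip, names in suspected_snoopers(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} non-recursive lookups, e.g. {names[:3]}")
```

The mitigation is to answer recursive and cache queries only for internal clients (in BIND, the allow-recursion and allow-query-cache options), so that outsiders cannot learn what the company resolves.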

ATTACK OVER EMAIL

SPAM: the attacker builds a generic email…

…and hopes that the message hits home with someone

Spear phishing: the victim gets a tailored email with a document

The document appears to come from a known sender

The topic of the document is what the victim would expect

All in all it looks like regular business mail

Except that it contains an exploit and a backdoor

ATTACK OVER HACKED WEBSITES

Attacker searches web for vulnerable pages

Vulnerable pages are hacked to attack users

The page contains either a direct attack

Or a redirection to an attack server

Both criminals and spies use web attacks

Criminals go after any web page which has users

Spies selectively target pages favored by their intended targets

This is called a watering hole attack: lie in wait for the victims to come

ANYTHING GOES FOR ATTACK

It’s not only the naughty pages

Attackers will use any popular site that they are able to take over

SEARCH ENGINE POISONING

Why chase victims when you can lure them?

Attacker picks searches that interest targets

Uses search engine optimization tricks to get to the top hits

And waits for a user to click on the result

After the user visits the page, the flow continues as with a hacked site

TRAFFIC INJECTION

The attacker gets MITM (Man in the Middle) access to traffic:

Hacked router or “legal” interception interface

“Free” WiFi access point or evil twin

China's “Great Cannon”: traffic injection at the border

With MITM the attacker can inject traffic:

Exploits into any web page

On-the-fly trojanizing of software updates or other executables

JavaScript injection, to make the victim into a DDoS slave

SOCIAL ENGINEERING ATTACKS

Sometimes the attacker does not have an exploit kit at his disposal, so he uses scams

The most typical cases are:

Fake updates to Flash, codecs, etc

Fake movies, images, etc

Trojanized pirate copies

Sometimes attackers use additional tricks

Such as DNS poisoning to make it look like the content is coming from a trusted domain

DISTRIBUTION THROUGH AFFILIATES

Sometimes the attacker does not know how to monetize the victim

So he sells the access to the victim

A botnet operator buys victims in bulk

And monetizes them

These are called affiliate networks; basically it's a digital slave trade

Diagram: a ZeroAccess botnet operator buys victims from affiliates, who deliver them through exploit kits, pay-per-install, spam and fake videos, at $500 per 1000 installs

USB: BRIDGING THE AIR GAP

USB or other media stick loaded with malware:

USB autoplay (doesn’t work against an up-to-date OS)

Icon or media recognition exploit

Use the traditional trick of masking an executable as a document

Craft a special USB device that actually acts as a USB keyboard, and use “copy con foo.exe” and then “cmd /c foo.exe” to run it

Emulate a network card and have an automated exploit kit on the stick, or use DHCP to change the user's DNS settings

Or just a plain document exploit

Introduce the USB device to the victim

Hope that the victim plugs in said USB device

http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe
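
Whether the "document" arrives as a spear-phishing attachment (the email slide above) or on a USB stick with an executable masked as a document (this slide), the defender's first check is the same: classify the file by its leading bytes rather than its name, and look inside OOXML documents for content that can run or fetch something. This triage routine is an added example, not code from the webinar or from F-Secure; the sample files it builds are constructed in memory and the indicator names are assumptions.

```python
import io
import zipfile

MAGIC = {
    b"MZ": "pe-executable",                       # Windows executable
    b"PK\x03\x04": "ooxml-zip",                   # .docx/.xlsx/.pptx container
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy binary .doc/.xls
}
DOCUMENT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "pdf"}

def container_type(data):
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def ooxml_findings(data):
    """List active-content indicators inside an OOXML (zip-based) document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.lower() for n in zf.namelist()]
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("vba-macros")
        if any("/embeddings/" in n for n in names):
            findings.append("embedded-ole-object")
        # TargetMode="External" makes the document pull content from elsewhere on open.
        rels = b"".join(zf.read(n) for n in zf.namelist() if n.lower().endswith(".rels"))
        if b'TargetMode="External"' in rels:
            findings.append("external-relationship")
    return findings

def triage_attachment(filename, data):
    """Return reasons the file deserves a second look; an empty list means nothing found."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = container_type(data)
    if kind == "pe-executable":
        return ["executable-named-as-document" if ext in DOCUMENT_EXTENSIONS else "executable"]
    if kind == "ooxml-zip":
        return ooxml_findings(data)
    return []

def build_docx(extra_members):
    """Constructed minimal OOXML-like archive used only as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, content in extra_members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```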

MOBILE MALWARE

Mobile malware is almost exclusively an Android problem

However there are a few that target unlocked iPhones

Android malware is based on trojans fooling the user into installing them:

Fake Flash Player or other updates shown by hacked websites

Trojanized or fake apps in third-party app stores or Google Play

URL links in SMS, WhatsApp, Skype, email or other spam

Once installed, the malware tries to monetize:

Sending premium SMS

Ransomware: lock the phone or files

Assisting PC-based banker attacks

Chart: Fastest growing Android malware families

CONCLUSION

Attackers will try to get victims any way they can

And will do anything to get profit from victims

Which means that even if you are not an interesting target

Your customers may be, and thus so are you

Or you get hit simply because you are an easy target

This means that as a defender you need comprehensive protection