Target Attack (HKUST Gold version) Anthony LAI {Founder, Researcher}

Page 1: Target attack (hkust gold edition)(public version)


Page 2:

Page 3:

What is VXRL?

Valkyrie-X Security Research Group
• Voluntary, officially registered, non-commercial and hobbyist group;
• Focus on web hacking, reverse engineering/exploitation, malware analysis, forensic analysis, offensive security and attack analysis;
• Connect to and collaborate with researchers for research opportunities;
• Emphasise skills and knowledge sharing;
• “Offensive, Creative and Fun”

Page 4:

Conference and CTF participation

Page 5:

Breaking News: VX@Blackhat USA 2014

Page 6:

About APT Attribution and DNS Profiling

Page 7:

Our research, talks and workshops
- Network Forensics Kungfu Workshop, DFRWS Europe 2014 (Amsterdam)
- APT Attack and Network Forensics Framework, APWG eCrime 2014
- APT Espionage Case Studies, IEEE Malware 2011
- Facebook Forensics, published on a US government site; workshop given for TCD and HTCIA

Page 8:

Our research, talks and workshops
- China is a victim, too. :) - AVTokyo 2013.5
- APT Clustering and Attacker Profiling: DEFCON 19, HITCON, SYSCAN Taipei
- DDoS Kungfu - DEFCON 20, AVTokyo
- Chinese Malware Analysis and Internet Censorship - Blackhat USA 2010 & DEF CON 18
- Operation Saving Private Records - Webapp Security “Fengshui”

Page 9:

Who am I?
- Focus on penetration testing, threat analysis and code audit; give private corporate training
- Threat advisor and pentest team mentor in various MNCs
- CFP speaker: Blackhat USA, DEFCON 18-20, Codegate, AVTokyo, Hack In Taipei, APWG, DFRWS, HTCIA APAC
- Passionate about Capture The Flag games, reverse engineering and exploitation
- Research interests: threat correlation, attacker profiling and payload analysis
- SANS GREM, GCFA and GWAPT mentor; (ISC)2 ISLA APAC Sr. InfoSec Professional Award

Page 10:

Agenda
- What is a target attack?
- Attack symptoms (illustrated with case #1)
- Our main dish: case studies
- More …..

Page 11:

Target Attack or APT?!

Target Attack (a.k.a. Advanced Persistent Threat (APT)) is defined as “a long term pattern of targeted, sophisticated attack”.

Page 12:

Target Attack or APT?!

Consistent with more capable adversaries (e.g. nation states or terrorist groups with highly sophisticated levels of expertise and resources) that seek to establish permanent footholds in organizations for purposes of impeding aspects of the organizational missions.

Page 13:

Reference
National Institute of Standards and Technology. 2011. Managing Information Security Risk (NIST SP 800-39). [ONLINE] Available at: http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

Page 14:

Attack Symptoms

Step 1: Sending a spear-phishing email. The sender is spoofed to look like your fellows, reporters, groupmates, etc.

Page 15:

Attack Symptoms

Step 2: Aha, with an attachment. The attachment could be a doc, docx, xlsx, xls, ppt, pptx, zip, rar, 7z or pdf file, or a shortcut (.lnk) file.

Page 16:

Attack Symptoms

Step 3: When the target opens it, one or more exploits are launched. In this case, CVE-2012-0158 (the MSCOMCTL.OCX ActiveX control vulnerability in Microsoft Office, typically delivered inside .doc/RTF or .xls documents).

Page 17:

Attack Symptoms

Step 4: Persistence, and connection to the botnet C2 server.

Page 18:

Attack Symptoms

Step 5: Monitoring: escalate or retreat. The operator interacts with and monitors the compromised target's machine. If there is no relevant, high-value intelligence on it, he/she considers uninstalling the payload.

On the contrary, he/she may load more advanced payload(s) onto the target.

Page 19:

Overall Observation

<CENSORED>

Page 21:

18 Feb 2013: Mandiant released a report named “APT1”, which holds China's PLA Unit 61398 responsible for attacks on at least 141 organizations and companies, most of them US-based.

Report: http://intelreport.mandiant.com/
News: http://blog.ifeng.com/article/23454037.html

Page 22:

APT1 Report Summary
Highlights of the report include:

● APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.
● APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations.
● APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.
● APT1 maintains an extensive infrastructure of computer systems around the world.
● In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.
● The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.
● In an effort to underscore that there are actual individuals behind the keyboard, Mandiant is revealing three personas that are associated with APT1 activity.
● Mandiant is releasing more than 3,000 indicators to bolster defenses against APT1 operations.

Page 23:

APT1 Report

143.89.xxx.xxx? HKUST? Oh yeah!
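The slide above is the moment an indicator in a public report turns out to sit in your own address space. As an added example (not code from the slides, from VXRL or from the APT1 report), here is the check a campus security team could automate the day such a report lands, rather than waiting for an alumnus to ask: pull every IPv4 literal out of an indicator dump and flag the ones inside your own netblocks. The indicator lines are constructed for illustration; the netblock 143.89.0.0/16 is taken from the slide's "143.89.*.*" and is assumed here to be the whole range HKUST operates.

```python
"""Match a published indicator list against your own address space.

Added example: a triage script of the kind an IT security team could run
when a report such as APT1 is published. The indicator text below is a
constructed sample, not data from the report.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample. Real indicator appendices mix FQDNs, bare IPs,
# ip:port pairs, comments and free text, so the parser tolerates all of them.
SAMPLE_INDICATORS = """\
# hop points seen relaying traffic (constructed sample, not report data)
143.89.12.34:443
143.89.200.7
203.0.113.10:8080
update.example-c2.net
198.51.100.5
143.89.12.34:80
"""

# Netblocks you are responsible for. Assumption: the slide's 143.89.*.* is the /16.
OWN_NETBLOCKS = [ipaddress.ip_network("143.89.0.0/16")]

# IPv4 literal with an optional :port suffix.
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")


def extract_ips(text):
    """Yield (ip_address, port_or_None) for every IPv4 literal in an indicator dump."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        for m in _IP_RE.finditer(line):
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue  # something like 999.1.1.1 matched the regex but is not an address
            port = int(m.group(2)) if m.group(2) else None
            yield ip, port


def match_own_hosts(text, netblocks=OWN_NETBLOCKS):
    """Return {ip: sorted list of ports} for indicators that fall inside our netblocks.

    A host listed without a port maps to an empty list, so it still shows up.
    """
    hits = defaultdict(set)
    for ip, port in extract_ips(text):
        if any(ip in net for net in netblocks):
            ports = hits[str(ip)]
            if port is not None:
                ports.add(port)
    return {ip: sorted(ports) for ip, ports in hits.items()}


if __name__ == "__main__":
    for host, ports in match_own_hosts(SAMPLE_INDICATORS).items():
        print(f"{host}\tports: {ports or 'n/a'}")
```

Feed it the indicator appendix of a real report and the output is the list of your own hosts to pull for forensics; the ports tell you which listening services (for example a relay on 443) to look for first.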

Page 24:

APT1 Report

What is HTRAN communication?
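HTRAN (the HUC Packet Transmit Tool) is a TCP connection bouncer: the operator connects to a compromised hop point (such as a university host), the hop opens a second connection to the real destination and copies bytes in both directions, so the victim sees only the hop's address. The APT1 report also observed that when the hop's onward connection failed, HTRAN returned a plain-text error to the connecting client naming the intended destination, which is what made hop points point back at the real infrastructure. The following is an added example, not code from the slides or from HTRAN itself: a minimal relay in that style whose failure path reproduces the leak, plus the parser an analyst would use on the banner. The exact banner format is an assumption modelled on the one the report quotes.

```python
"""HTRAN-style hop point: what it hides and what it leaks.

Added example, not HTRAN's code. `hop_forward` relays one accepted client
connection to the real destination; on failure it emits an error banner naming
that destination (format assumed), which `parse_htran_error` extracts.
"""
import re
import socket
import threading

# Assumed banner format, modelled on the error text quoted in the APT1 report.
HTRAN_ERROR_RE = re.compile(rb"\[SERVER\]connection to (\S+?):(\d+) error")


def pump(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def hop_forward(client, dst_host, dst_port, connect=socket.create_connection):
    """Relay `client` to dst_host:dst_port; return True if the relay ran.

    `connect` is injectable so the failure path can be exercised offline.
    The victim only ever sees the hop's address; but if the onward connection
    fails, the hop tells the client (and anyone probing it) the real destination.
    """
    try:
        upstream = connect((dst_host, dst_port), timeout=5)
    except OSError:
        client.sendall(b"[SERVER]connection to %s:%d error\r\n" % (dst_host.encode(), dst_port))
        client.close()
        return False
    threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
    pump(upstream, client)
    return True


def parse_htran_error(banner):
    """Return (host, port) named in an HTRAN-style error banner, else None."""
    m = HTRAN_ERROR_RE.search(banner)
    if not m:
        return None
    return m.group(1).decode(), int(m.group(2))


class FakeClient:
    """Stand-in for an accepted socket so the failure path runs without a network."""

    def __init__(self):
        self.sent = b""
        self.closed = False

    def sendall(self, data):
        self.sent += data

    def close(self):
        self.closed = True


def refuse_connect(addr, timeout=None):
    """Constructed connect() that always fails, simulating an unreachable backend."""
    raise ConnectionRefusedError(f"constructed failure reaching {addr}")


if __name__ == "__main__":
    client = FakeClient()
    hop_forward(client, "203.0.113.10", 443, connect=refuse_connect)
    print(client.sent, parse_htran_error(client.sent))
```

The practical consequence for a defender who finds a relay like this on a campus host: connect to its listening port while the backend is down (or firewalled off) and read the banner, because the hop will volunteer where the traffic was really going.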

Page 25:

Okay, HKUST time. VXRL tried to search 143.89.xxx.xxx:

Page 26:

Okay, HKUST time (Y2012)

Page 28:

Okay, 143.89.*.* history :-)

Page 30:

Okay, as an alumnus, I made a query to ITSC:
<CENSORED>

Page 31:

Okay…..?!

<CENSORED>

Page 32:

Okay, let us talk about HKUST

As an alumnus, I made the following query on 11 March 2014:
<CENSORED>

Page 33:

Okay, incident response policy :-)

http://itsc.ust.hk/services/it-security/incident-responses/

Alright, no policy at all :)

Page 34:

Observation

Y2011-Y2012: no one knew that the machine was compromised.

Page 35:

Other than the rankings, please take care of your information and systems, HKUST :-)
<CENSORED>

Page 36:

Lesson Learnt
- How about your company?
- React only when an incident strikes?
- Can you take the reputation loss risk?

Page 38:

Counter-comments against the APT1 Report
Ran2, VXRL: some conclusions in the report are not sufficiently supported, as raised by Ran2.
URL: http://espionageware.blogspot.hk

Page 39:

In fact, China is also a victim :-)
“China is a victim, too :)” @ AVTokyo 2013.5 Conference - Darkfloyd x Zetta
URL: http://www.slideshare.net/anthonylai1668/avtokyo-2014-0xdfzetta

Page 40:

Page 41:

Targeted by Fangongheike

Page 42:

Thank you for listening

Email: Darkfloyd[at]vxrl.org
Twitter: @anthonation