Targeted Attacks: Then and Now
Ken Dunham, Director of Global Response
CISSP, GCIH Gold (Honors), GSEC, GCFA, [email protected]
Proprietary and Confidential Information – Copyright© 2010 – All Rights Reserved
Kim Grillo, Engineer, [email protected]
Introduction
• BBB Attacks of 2007‐2008
• Eastern Europe Attacks
• Operation Aurora attacks
• Mitigation
BBB Attacks of 2007‐2008
Secondary payloads downloaded from compromised websites hosting c99 shells.
BBB Attacks of 2007‐2008
• July 2008 ‐ a number of attackers were arrested by US and Romanian law enforcement.
• http://webtv.realitatea.net/actual/cei‐19‐hackeri‐retinuti‐au‐fost‐adusi‐la‐tribun for video.
• Investigation is ongoing in US.
Eastern Europe Attacks
• 2009 – three companies were victims of malware attacks that were linked to each other by shared attack characteristics.
• Company 1 – Zeus variant targeting customers; keylogged data was used to set up fraudulent accounts, which were then used to transfer money to mules.
• Company 2 – Haxdoor variant; C&C hosted at an IP address that historically hosted the Company 1 attacks.
• Company 3 – Haxdoor variant; same configuration file (MD5) as Company 2.
• All three attacks only install the malware if the correct URL and parameters are used, and only once; otherwise the site downloads a non‐malicious notepad.exe.
Eastern Europe Attacks
• September 2009 – Liberty Exploit Kit
– Installed a Haxdoor variant with the same MD5 as the Company 2 and 3 attacks.
– Connected to the same IP address as the Company 2 attacks.
• A Haxdoor attack from May 2009 used the same MD5; its C&C was hosted on an IP with money mule recruitment domains.
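The slides link five separate incidents (Company 1, 2 and 3, the May 2009 Haxdoor sample and the September 2009 exploit‐kit drop) through two shared indicators: a C&C IP address and the MD5 of a Haxdoor configuration file. The following added example, which is not from the deck or from the cases it describes, shows how an analyst can automate that pivot: incidents are clustered by any shared indicator value (union‐find over an indicator index), and each indicator seen in more than one incident is reported with the incidents it ties together. All IPs, hashes and incident names below are constructed placeholders, not the real indicators from these cases.

```python
"""Link incidents that share infrastructure or payload indicators.

Added example, not code from the original deck. Every IP address, hash
and incident id here is a constructed placeholder (RFC 5737 test ranges),
not an indicator from the real cases.
"""
from collections import defaultdict

# Constructed incident records mirroring the deck's linkage pattern:
# shared C&C IP (company1 <-> company2 <-> exploit kit) and shared config MD5
# (company2 <-> company3 <-> exploit kit <-> May 2009 sample).
INCIDENTS = [
    {"id": "company1", "family": "Zeus", "c2_ip": "198.51.100.10", "config_md5": "AAAA"},
    {"id": "company2", "family": "Haxdoor", "c2_ip": "198.51.100.10", "config_md5": "BBBB"},
    {"id": "company3", "family": "Haxdoor", "c2_ip": "203.0.113.7", "config_md5": "BBBB"},
    {"id": "liberty-kit-2009-09", "family": "Haxdoor", "c2_ip": "198.51.100.10", "config_md5": "BBBB"},
    {"id": "haxdoor-2009-05", "family": "Haxdoor", "c2_ip": "203.0.113.99", "config_md5": "BBBB"},
    {"id": "unrelated", "family": "Zeus", "c2_ip": "192.0.2.1", "config_md5": "CCCC"},
]

# Fields whose equal values are treated as a link between two incidents.
SHARED_FIELDS = ("c2_ip", "config_md5")


def link_incidents(incidents, fields=SHARED_FIELDS):
    """Return clusters (sorted lists of incident ids) connected by any shared indicator value."""
    parent = {inc["id"]: inc["id"] for inc in incidents}

    def find(x):
        # Path-halving union-find lookup.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # (field, value) -> first incident id seen with that value
    first_seen = {}
    for inc in incidents:
        for field in fields:
            value = inc.get(field)
            if not value:
                continue
            key = (field, value)
            if key in first_seen:
                union(first_seen[key], inc["id"])
            else:
                first_seen[key] = inc["id"]

    clusters = defaultdict(list)
    for inc in incidents:
        clusters[find(inc["id"])].append(inc["id"])
    return sorted(sorted(members) for members in clusters.values())


def shared_indicators(incidents, fields=SHARED_FIELDS):
    """Map each indicator value seen in more than one incident to the incidents sharing it."""
    index = defaultdict(set)
    for inc in incidents:
        for field in fields:
            if inc.get(field):
                index[(field, inc[field])].add(inc["id"])
    return {key: sorted(ids) for key, ids in index.items() if len(ids) > 1}


if __name__ == "__main__":
    for cluster in link_incidents(INCIDENTS):
        print("cluster:", ", ".join(cluster))
    for (field, value), ids in shared_indicators(INCIDENTS).items():
        print(f"{field}={value} shared by {ids}")
```

Two design points matter in practice: the link is transitive (Company 3 never shares an IP with Company 1, yet both land in one cluster through Company 2), so a single noisy indicator such as a shared hosting IP can over‐merge clusters; keep the per‐indicator report alongside the clusters so an analyst can see which pivot produced each link and discount weak ones.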
Operation Aurora Attacks
• The attackers social engineer a victim into opening a malicious website. The malicious email may have been delivered to an overseas employee, likely in China, from one of their trusted contacts.
• The email links to a website hosting a zero‐day exploit (CVE‐2010‐0249), a vulnerability in Internet Explorer (IE) 6.
IE 6 Usage as of February 2010
China: 60.75%
USA: 5.78%
Worldwide: 11.74%
Operation Aurora Attacks
• Once installed and executed, the malware connects to C&C servers using dynamic DNS services.
• The attackers escalated privileges to gain access to the corporate network, where they can search for, collect, and exfiltrate data of interest.
Mitigation
• Network
– Access Control
– Blacklisting
– Monitoring
• Application
– Enable DEP for Windows and IE
– Use an alternative PDF reader
– Application Policies
– Patching
• Users
– Education and Training
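The Aurora slide notes that the malware reached its C&C servers through dynamic DNS services, and the network mitigations above list blacklisting and monitoring. The following added example, which is not from the deck, shows one concrete form of that monitoring: DNS query logs are parsed and any query under a watched dynamic DNS parent domain is counted per client host. The log lines are constructed, the log format is assumed (timestamp, client IP, query name, query type), and the watchlist is a small illustrative set that a real deployment would replace with its own curated list.

```python
"""Flag DNS queries to dynamic DNS providers from a query log.

Added example, not code from the original deck. The log format, the log
lines and the watchlist are constructed or assumed for illustration.
"""
import re
from collections import Counter, defaultdict

# Assumed watchlist of dynamic DNS parent domains; an analyst maintains the real one.
DYNDNS_WATCHLIST = {"no-ip.com", "dyndns.org", "dyn.example"}

# Constructed query log: "<timestamp> <client_ip> <qname> <qtype>" per line.
SAMPLE_LOG = """\
2010-01-12T09:00:01Z 10.0.0.21 www.example.com A
2010-01-12T09:00:05Z 10.0.0.21 update.host1.no-ip.com A
2010-01-12T09:01:17Z 10.0.0.44 mail.example.com A
2010-01-12T09:02:40Z 10.0.0.21 update.host1.no-ip.com A
2010-01-12T09:03:02Z 10.0.0.58 cdn.dyn.example A
2010-01-12T09:03:30Z 10.0.0.21 noip.company.example A
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()


def watched_parent(qname, watchlist=DYNDNS_WATCHLIST):
    """Return the watchlist entry that qname falls under, or None.

    Matching walks label boundaries, so 'noip.company.example' does not
    match 'no-ip.com' the way a naive substring check might.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in watchlist:
            return suffix
    return None


def find_dyndns_queries(text, watchlist=DYNDNS_WATCHLIST):
    """Return {client_ip: {qname: count}} for queries under a watched domain."""
    hits = defaultdict(Counter)
    for rec in parse_log(text):
        if watched_parent(rec["qname"], watchlist):
            hits[rec["client"]][rec["qname"].lower().rstrip(".")] += 1
    return {client: dict(counts) for client, counts in hits.items()}


if __name__ == "__main__":
    for client, counts in find_dyndns_queries(SAMPLE_LOG).items():
        for qname, n in counts.items():
            print(f"{client} queried {qname} {n} time(s)")
```

A single hit is not proof of compromise (dynamic DNS has legitimate uses), which is why the result is grouped by client host: a workstation repeatedly resolving the same dynamic DNS name is the pattern worth triaging, and the same per‐host grouping feeds an access control or blacklisting decision once the name is confirmed malicious.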
Key Trends
• All of these campaigns involve highly targeted attacks against specific individuals of interest within companies of interest.
• Attacks are becoming increasingly sophisticated.
• Attacks are also becoming sector specific.