This document discusses targeted cyber attacks in 2011 and beyond. It describes how attackers have invested in developing tools and techniques to infiltrate systems using exploits, malware, and social engineering. Specific examples from 2011 are provided, including exploits of Adobe Flash and Reader. The document also discusses how attacks may evolve in a post-Windows environment as mobile devices and tablets become more prominent targets. It suggests attackers may increasingly focus on platforms like Android and iOS, and looks at early research into exploiting HTML5 features.
2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset
1. 2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset
Extending the APT infiltration into new technologies
SAS 2012
Kurt Baumgartner, Senior Security Researcher
Global Research and Analysis Team
kurt.baumgartner@kaspersky.com
2. The Infiltration
2011 and Prior
Targeted attacks and subsets
“The APT” v “APT” v “APTs”? ‘It’s a “who”, not a “how”’
General targeted attack activity, the APT and targets
2011 attack details and IoC
Post windows world?
Attacks 2012 and beyond
3. The APT Infiltration
2011 and Prior
Timelines!
Corporate organizations are now defending themselves against nation states?
Note – chart leaves out NGOs like Tibet’s Government in Exile, the Falun Gong, various political and non-profit orgs, etc.
"State of the Hack: It’s the End of the Year as We Know It 2011", Mandiant, http://www.mandiant.com/presentations/state_of_the_hack_its_the_end_of_the_year_as_we_know_it_-_2011/
5. The Infiltration
2011 Offensive Security R&D Investment
Indications of Attack Investment
Flash – simple fuzzing, one bit adjustment (fairly low)
Mitsubishi Heavy Industries – low
RSA – medium (0day along with Poison Ivy?)
Lockheed Martin – medium (another 0day + RAT?)
Google – fairly low (IEPeers 0day)
Tibetans, Uyghurs – low
Undisclosed law firms – low
Beltway think tanks – low
Massive Fortune 50 Energy Firms – low
Various overseas political groups – low
Human rights groups – low
Setting up, rotating, maintaining thousands of C2 – fair effort
Email automation – low
Translators/social engineers and schemers – fair effort
6. Targeted Attacks and Infiltration
Email as a Vector of Attack – Schemes, Automation
• Phishing with better bait – themes of relevant geographical and timely conference discussions, familiar interests, urgent geopolitical interests, shared financial interests
• Automated schemes and changing work hours to fit targets
7. Targeted Attacks - “Steal Everything”
Exploitation – Examining the attackers’ work
2011 Exploitation – Adobe Flash, Adobe Reader, Mozilla Firefox, Microsoft
Office documents and Windows system components
Let’s discuss one of their favorites from this past year (CVE-2011-0611)
Malicious pdf
???
PdfStreamDumper
http://sandsprite.com/blogs/index.php?uid=7&pid=57
Flash Player Debugger (Flash Player Projector content debugger)
http://www.adobe.com/support/flashplayer/downloads.html
Fdb.exe Flex SDK
http://opensource.adobe.com/wiki/display/flexsdk/Downloads
SWFTools with SWFDump, although a Flash Decompiler might help
Olly and patience – there is no crash
Xvi32 or another hex editor – the .AS structures will be obfuscated and mangled
Note – Adobe code can be a lot like Microsoft code: unexpected structures result in unexpected runtime behaviors
8. Targeted Attacks - “Steal Everything”
Exploitation – Examining the attackers’ work
Laying out the 2 Actionscripts with static and dynamic analysis
replaceString on obfuscated code strings
call hexToBin on the concatenated strings
8.swf/Mainline.as calls loadBytes on the *de-obfuscated* “ddd.swf” and loads it to run; it is this badly mangled file that triggers the exploit for CVE-2011-0611
ddd.swf attacks authplay.dll with its own ActionScript custom function called on a confused object type
Object type confusion is the name of the game: a failure in authplay flow verification
Heap spray and a chunked multi-stage shellcode deobfuscation stub; kernel32 decomposed API call hash resolution and use (_lcreat, _lwrite, _lread, _lseek) provides ROP with over 50 links; drops a dll from pdf content to %temp%; LoadLibrary(AdobeARM.dll) writes out rudll.dll, registers it as the 6to4 ServiceDll, and loads it into svchost.exe
http://www.fortiguard.com/sites/default/files/CanSecWest2011_Flash_ActionScript.pdf
http://www.fortiguard.com/sites/default/files/CanSecWest2011_Flash_ActionScript.pdf
9. Targeted Attacks - “Steal Everything”
Post Exploitation - Data Collection, Lateral Movement, Exfiltration
365day and folks that don’t update: “anyone who has an interest in security has already updated” – Really?
Effective but stale exploitation vs
0day and “original research” or the “author”
RATs, backdoors, spyware
Data thievery
Communications - encrypted?
Comments Crew – Shady?
Low investment - Pass-the-Hash utils, WCE
New Active Directory vulnerability
Archivers (rar), 7z, available source
POSTs, FTP, outbound obfuscated communications
10. Targeted Attacks - “Steal Everything”
Post Exploitation – Why “these” tools?
2011 Backdoors – Poison Ivy, Agent, Agent, Agent2…
Why Poison Ivy? Where is it from?
ChaseNET hacker “forums”, founded by previous Evil Eye Software member Th3ChaS3r
Members included ksv, shapeless, Heike, Digerati (busted in Operation Bot Roast II because of a mistaken C2 config file update)…
ShapeLeSS joined ChaseNET as an 18-year-old Swedish kid in late October 2005 and coded Poison Ivy
Codius assumes the project years later, continues to distribute it for free
SDK allows for new plugins and development, max size 7kb
Connections? No. Continued development today? No.
Stable, available, and FREE builder? Yes. Free SDK? Yes. Free crypters? Yes.
Quantifiable tool? Reliable? Yes. Low investment? Yes.
11. Targeted Attacks – Identifying Details
Indicators of Compromise
Indicators of Compromise – indicators? artifacts?
OpenIOC open source project
IoC Editor
IoC Finder
Isn’t that what AV provides?
Only it is based on an XML format without the performance considerations?
http://openioc.org/
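As an added example (not from the slides or the OpenIOC project), the following Python evaluates a small, simplified OpenIOC-style indicator against constructed host artifacts. The indicator terms and the artifact names (rudll.dll dropped to %temp%, a 6to4 ServiceDll registration, the dll loaded in svchost.exe) follow the dropper behaviour the deck describes for CVE-2011-0611; the XML layout, the host records and the matching semantics are assumptions of this example, not the OpenIOC specification.

```python
# Added example: evaluate a simplified OpenIOC-style indicator against host artifacts.
# The XML is constructed and simplified (real OpenIOC carries more attributes and terms);
# artifact names follow the CVE-2011-0611 dropper behaviour described in the slides.
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed indicator: top-level OR; the nested AND means "rudll.dll inside svchost.exe".
IOC_XML = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-0611-dropper">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is"><Context search="FileItem/FileName"/><Content>rudll.dll</Content></IndicatorItem>
      <IndicatorItem condition="contains"><Context search="RegistryItem/Path"/><Content>Services\6to4\Parameters\ServiceDll</Content></IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="is"><Context search="ProcessItem/name"/><Content>svchost.exe</Content></IndicatorItem>
        <IndicatorItem condition="contains"><Context search="ProcessItem/SectionList/MemorySection/Name"/><Content>rudll.dll</Content></IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

# Constructed host snapshot: one dict per artifact, keyed by the indicator term path.
TMP = r"C:\Users\u\AppData\Local\Temp"
HOST = [
    {"FileItem/FileName": "rudll.dll", "FileItem/FullPath": TMP + r"\rudll.dll"},
    {"RegistryItem/Path": r"HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters\ServiceDll",
     "RegistryItem/Text": TMP + r"\rudll.dll"},
    {"ProcessItem/name": "svchost.exe",
     "ProcessItem/SectionList/MemorySection/Name": [r"C:\Windows\System32\ntdll.dll", TMP + r"\rudll.dll"]},
    {"ProcessItem/name": "svchost.exe",  # clean svchost: the AND branch must not fire
     "ProcessItem/SectionList/MemorySection/Name": [r"C:\Windows\System32\ntdll.dll"]},
    {"FileItem/FileName": "notepad.exe", "FileItem/FullPath": r"C:\Windows\notepad.exe"},
]


def _item_matches(item, record):
    """One IndicatorItem against one artifact; Windows names compare case-insensitively."""
    term = item.find("ioc:Context", NS).get("search")
    needle = (item.find("ioc:Content", NS).text or "").lower()
    values = record.get(term)
    if values is None:
        return False  # the record is not of this document type / lacks the term
    values = [values] if isinstance(values, str) else values
    cond = item.get("condition", "is")
    if cond == "is":
        return any(v.lower() == needle for v in values)
    if cond == "contains":
        return any(needle in v.lower() for v in values)
    raise ValueError(f"unsupported condition {cond!r}")


def _indicator_matches(node, record):
    """AND/OR over child nodes; an AND must be satisfied by the same artifact record."""
    results = []
    for child in node:
        tag = child.tag.split("}")[-1]  # strip the namespace
        if tag == "IndicatorItem":
            results.append(_item_matches(child, record))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, record))
    if not results:
        return False
    return all(results) if node.get("operator", "OR").upper() == "AND" else any(results)


def scan(ioc_xml, records):
    """Return the artifact records that satisfy the indicator's top-level logic."""
    top = ET.fromstring(ioc_xml).find("ioc:definition/ioc:Indicator", NS)
    return [r for r in records if _indicator_matches(top, r)]
```

Running `scan(IOC_XML, HOST)` flags the dropped file, the ServiceDll key and the svchost.exe that loaded rudll.dll, and leaves the clean svchost.exe and notepad.exe alone.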
13. A Post Windows Environment Toolset
Tablets are everywhere
14. Targeted Attacks in a Post-Windows World
Abused Platforms
Android and iOS dominate the market
Smartphones and tablets
Blackberry(?)
Windows Phone(?)
Starting with the .mil space…
2011 – DISA STIG Android v2.2 Dell Mobile
Good Technology “Secure Browser” includes encryption capabilities with a fallback to Safari
Webkit Dell Native Browser
Attacks start with .gov/.mil? Sign of the times…
15. Targeted Attacks in a Post-Windows World
Originating research
Offensive security and “original research”?
Increased investment…
HTML5 features and native support in browsers
Increased attack surface
Cache poisoning, clickjacking, data leakage
Attacking remote client-side BoF?
http://www.slideshare.net/seguridadapple/attacking-the-webkit-heap-or-how-to-write-safari-exploits
Flash for mobile replaced with HTML5 and AIR
16. Thank You
Kurt Baumgartner, Senior Security Researcher
Global Research and Analysis Team
kurt.baumgartner@kaspersky.com
Editor's notes
Slide #6. Duration: 1.5 min.

On this slide you can see common IT security policy mistakes. The biggest mistake is to ignore network share access rights. There might be an open share on an internal file server or on an end-user work desktop. (Question to the audience): Has anybody of you ever shared a file directory from your work computer (desktop or laptop), i.e. to transfer files to a co-worker's computer? (Next question): Did you open it for unlimited users or just for a dedicated person? Did you disable it later or just forget? Sooner or later this can be a great source of malware redistribution in your organization. Look now at the slide: this mistake is responsible for about 35% of incidents!

There was an interesting case in one of the school districts in the USA. The customer has several thousand end-users connected to the CSD network. Most of them are school student computers, beginning from 3rd grade. The network included a few file share servers with unlimited access for everyone. So everyone got infected after malware infected this network resource. The students could not do their class work, tests and lab work at school for at least a few weeks.

Now about missing security patches. Modern malware takes advantage of existing vulnerabilities. A network with even a single missing patch can face a serious risk. This is a common issue that we see mostly in small organizations, where the number of end-users is less than 500. They either do not have enough expertise or ignore patching completely.

A partially protected environment means that the anti-malware solution is installed on part of the network, leaving other resources unprotected.

We have had some incidents related to firmware vulnerabilities. There was a software vulnerability in a DSL router device. The impact of it was huge: a possible lawsuit.

And the last mistake is to believe that tools and software downloaded from the Web are always good software.
Slide #8. Duration: 10 sec. This was general information. Now, a few practical examples. The first is a Zbot outbreak: root cause, risk to the business, suggestions.