October 20, 2011




Advanced Persistent Threats –
Myth or Reality?

Rahul Mohandas
Research Manager, McAfee
Advanced Persistent Threats Agenda
• Threat Landscape – Past, Present & Future
• Advanced Persistent Threats
      –     The definition
      –     Phases
      –     Threat vectors
      –     Associated costs

• Recent APT Attacks Demystified
      – RSA Hack & Adobe Flash zero-day
      – Stuxnet: A step closer to hardware

• Simulating a Real World Attack (DEMO)

    The information in this presentation is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance.
Advanced Persistent Threats
The definition


• Actors – STATE sponsored / activists / members of
  organized crime


• Motives – Economic & political gain


• Targets – IP rich organizations


• Goals – Steal sensitive data, monitor communication or
  disrupt operations




3                                         January 2, 2012
Advanced Persistent Threats
Phases



Step 1 – Reconnaissance
Step 2 – Establish a backdoor
Step 3 – Steal user credentials
Step 4 – Data exfiltration
Step 5 – Maintain persistence




Advanced Persistent Threats
Threat vectors

• Social-Engineering Attacks
    − Spear phishing
    − Drive-by downloads
    − Email attachments


• Physical device infections
    − Infected memory sticks / storage devices
    − Tampered equipment


• Internet Infections
    − SQL Injection
    − Application / network vulnerabilities
    − DNS Poisoning




Advanced Persistent Threats
Associated costs

• APT actors are not focused on cost or revenue.
• A 0-day exploit costs roughly $100k

    Vulnerability/Exploit        Value                    Source
    "Some exploits"              $200,000 - $250,000      Various industry sources
    A "real good" exploit        over $100,000            Official from SNOsoft Research
    Vista exploit                $50,000                  Raimund Genes, Trend Micro
    "Weaponized exploit"         $20,000-$30,000          David Maynor, SecureWorks

• APT cost
      – Stuxnet utilized 4 0-day exploits. If you include the development and weaponization costs,
        the attack was worth well over half a million dollars.




RSA Hack
& Adobe Flash zero day




Advanced Persistent Threats
RSA attack




Advanced Persistent Threats
History of Flash exploits


    Detection        Description                                                          First Reported
    CVE-2007-0071    Vulnerability in DefineSceneAndFrameLabelData tag                    June 2008
    CVE-2010-1297    Vulnerability in AVM2 New Function()                                 June 2010
    CVE-2010-2884    Vulnerability in ActionScript Virtual Machine 2                      September 2010
    CVE-2010-3654    Vulnerability in AVM2 MultiName button class                         October 2010
    CVE-2011-0609    Vulnerability in AVM2 verifier while handling branch instructions    March 2011
    CVE-2011-0611    Vulnerability in AVM1 bytecode                                       July 2011


Advanced Persistent Threats
CVE-2011-0609 -- vulnerability



     Clean                                      Malicious
     4CC4  10 07 00 00   jump loc_4CCF          3EA1  10 29 00 00   jump loc_3ECE
     …                                          …
     4CCF  80 2C         coerce                 3ECE  66 D6 02      getproperty <name>

          0x10 (jump) – the unconditional branch offset is altered, so the branch lands on a different instruction
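Added example, not from the slides: a toy linear-sweep disassembler for a handful of AVM2 opcodes (the opcode subset is my choice) together with the branch-target invariant a bytecode verifier must enforce. The CLEAN sequence reuses the slide's bytes (jump 07 00 00 at 0x4CC4 reaching coerce 80 2C at 0x4CCF) with constructed filler; the TAMPERED sequence is constructed so the altered offset lands inside another instruction's operand. The slide's real sample lands on a valid getproperty, so this check illustrates the class of invariant, not the exact CVE-2011-0609 verifier flaw.

```python
# Toy AVM2 branch-target checker (added example; opcode table is a chosen subset).
OPCODES = {                       # opcode: (mnemonic, operand layout)
    0x02: ("nop", []),
    0x10: ("jump", ["s24"]),
    0x11: ("iftrue", ["s24"]),
    0x12: ("iffalse", ["s24"]),
    0x24: ("pushbyte", ["u8"]),
    0x2D: ("pushint", ["u30"]),
    0x47: ("returnvoid", []),
    0x66: ("getproperty", ["u30"]),
    0x80: ("coerce", ["u30"]),
}
BRANCHES = {"jump", "iftrue", "iffalse"}

def read_u30(code, pos):
    """Variable-length unsigned int: 7 bits per byte, high bit = continue (max 5 bytes)."""
    value, shift = 0, 0
    for _ in range(5):
        b = code[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
    return value, pos

def read_s24(code, pos):
    """Signed 24-bit little-endian offset, relative to the end of the branch instruction."""
    return int.from_bytes(code[pos:pos + 3], "little", signed=True), pos + 3

def disassemble(code, base=0):
    """Linear sweep. Returns [(addr, mnemonic, operands, next_addr)]."""
    insns, pos = [], 0
    while pos < len(code):
        op = code[pos]
        if op not in OPCODES:
            raise ValueError("unknown opcode 0x%02X at 0x%04X" % (op, base + pos))
        name, layout = OPCODES[op]
        start, pos, operands = pos, pos + 1, []
        for kind in layout:
            if kind == "u30":
                v, pos = read_u30(code, pos)
            elif kind == "s24":
                v, pos = read_s24(code, pos)
            else:
                v, pos = code[pos], pos + 1
            operands.append(v)
        insns.append((base + start, name, operands, base + pos))
    return insns

def check_branches(code, base=0):
    """Flag branches whose target is outside the body or not on an instruction boundary."""
    insns = disassemble(code, base)
    starts = {addr for addr, _, _, _ in insns}
    end = base + len(code)
    problems = []
    for addr, name, ops, nxt in insns:
        if name not in BRANCHES:
            continue
        target = nxt + ops[0]
        if not base <= target < end:
            problems.append((addr, target, "target outside method body"))
        elif target not in starts:
            problems.append((addr, target, "target is not an instruction boundary"))
    return problems

# Constructed samples. CLEAN reuses the slide's jump (10 07 00 00 at 0x4CC4) and
# coerce (80 2C at 0x4CCF) with 7 bytes of filler instructions in between.
CLEAN = bytes.fromhex("10070000" "2401" "2402" "02" "02" "02" "802C" "47")
# TAMPERED (constructed): the jump offset is changed so its target (0x3EAA) is the
# operand byte of the pushbyte at 0x3EA9, i.e. inside another instruction.
TAMPERED = bytes.fromhex("10050000" "2D808001" "2401" "66D602" "47")

if __name__ == "__main__":
    print("clean:", check_branches(CLEAN, 0x4CC4))
    print("tampered:", check_branches(TAMPERED, 0x3EA1))
```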


Advanced Persistent Threats
Poison Ivy backdoor - decrypted




Advanced Persistent Threats
Signature evasion techniques

• public function loadBytes(bytes:ByteArray, context:LoaderContext = null):void
• Loads from binary data stored in a ByteArray object
• bytes:ByteArray — A ByteArray object. The contents of the ByteArray can be any of the file
  formats supported by the Loader class: SWF, GIF, JPEG, or PNG.

  [Diagram: XOR Key  →  XOR'ed Flash Header]
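Added example, not from the slides: a detector for the evasion pattern just described, an SWF header kept XOR'ed in a ByteArray until it is handed to loadBytes. It brute-forces every single-byte XOR key, looks for a plausible FWS/CWS/ZWS header at any offset, and reports the offset, key and declared length. The sample blob and the key 0x5A are constructed here.

```python
# Single-byte-XOR'ed SWF header scanner (added example, constructed sample input).
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib and LZMA SWF signatures
HEADER_LEN = 8                          # 3-byte magic, 1-byte version, 4-byte length (LE)

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def find_xored_swf(blob: bytes, max_version: int = 40) -> list:
    """Return [(offset, key, magic, version, declared_len)] for every plausible
    SWF header found under any single-byte XOR key (key 0 = not obfuscated)."""
    hits = []
    for key in range(256):
        # First byte of each magic under this key: cheap filter before decoding 8 bytes.
        first = {m[0] ^ key for m in SWF_MAGICS}
        for off in range(len(blob) - HEADER_LEN + 1):
            if blob[off] not in first:
                continue
            hdr = xor_bytes(blob[off:off + HEADER_LEN], key)
            if hdr[:3] not in SWF_MAGICS:
                continue
            version = hdr[3]
            declared = int.from_bytes(hdr[4:8], "little")
            # Plausibility: sane version and a declared length at least the header size.
            if 1 <= version <= max_version and declared >= HEADER_LEN:
                hits.append((off, key, hdr[:3].decode(), version, declared))
    return hits

def build_sample(key: int = 0x5A) -> bytes:
    """Constructed sample: junk prefix + XOR'ed CWS header + a few XOR'ed body bytes."""
    header = b"CWS" + bytes([10]) + (0x1234).to_bytes(4, "little")
    body = b"\x78\x9c" + b"\x00" * 16          # zlib-looking start, arbitrary content
    return b"JUNKPREFIX\x00\xff" + xor_bytes(header + body, key)

if __name__ == "__main__":
    for hit in find_xored_swf(build_sample()):
        print("offset=%d key=0x%02X magic=%s version=%d length=%d" % hit)
```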


Stuxnet
A step closer to the hardware




Advanced Persistent Threat
Stuxnet - overview




     [Diagram: Siemens PLCs  →  Nuclear Enrichment Centrifuges]

     • Initial delivery: online or via USB drive
     • Propagation exploits FOUR new, unknown vulnerabilities
     • Actual target: specific nuclear enrichment controllers
Advanced Persistent Threat
Stuxnet - under the hood


     [Diagram: Stuxnet Worm]
     • Covert: Rootkit, Anti-AV, Digital Certificate
     • Exploits: CVE-2010-2772, MS10-046, MS10-061, MS08-067, MS10-073, MS08-092
     • Propagation: USB Drives, Network, P2P controller



Advanced Persistent Threat
Stuxnet – working (cont..)

• When the folder is opened in Explorer.exe, the .lnk files exploit the 0-day
  vulnerability to silently load the first file, ~WTR4141.tmp (a DLL file), into
  memory and pass control to it (execute it) in the Explorer.exe address space
     – Once running, the worm's rootkit features hide all file names ending in *.lnk and
       starting with ~wtr (including the above files) by hooking the following APIs:
         • FindFirstFileW
         • FindNextFileW
         • FindFirstFileExW
         • NtQueryDirectoryFile
         • ZwQueryDirectoryFile

• Then it loads the 2nd .tmp file, ~WTR4132.tmp (which is a .CPL file)




Advanced Persistent Threat
Stuxnet – MRxCls.sys & MRxNet.sys

MRxCls.sys (hash 0xF8153747BAE8B4AE48837EE17172151E)
• Injects malicious code into existing processes (services.exe, svchost.exe, lsass.exe)
• Creates the HKLM\System\CurrentControlSet\Services\MRxCls registry key

MRxNet.sys (hash 0xCC1DB5360109DE3B857654297D262CA1)
• Monitors system events and activities (e.g. new program loading; hides *.tmp files)
• Creates the HKLM\System\CurrentControlSet\Services\MRxNet registry key



Stuxnet
Command and Control (C&C/C2)

• Stuxnet attempts to access the following C&C servers:
     – www.mypremierfutbol.com
     – www.todaysfutbol.com

• The data is encrypted and sent:
     – http://mypremierfutbol.com/index.php?data=66a96e2888c9bb53f503e334d5d775e99b7905ac6e541529e2dadd4640fa3f995391d36ff2a7c058a21d699d2fb4a875ec1ce7a0f9e7dd11b6bfa1fe5377d602c39621b7f329

• The malware uses an RPC protocol to request services from the client (compromised machine)
  over the network.

• The following actions may be executed in response to RPC calls:
     – create process, terminate process, read file, write file, delete file, set file
       attribute, inject file into a system process



Simulating a Real World Attack (DEMO)




McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed
as the property of others. Copyright © 2011 McAfee, Inc.

Editor's notes

  1. http://www.darkreading.com/security/security-management/208803924/bucks-for-bugs.html
  2. RSA was hacked in March 2011 using an Adobe Flash vulnerability. CVE-2011-0609 was discovered as a zero-day in March 2011. The carrier Flash file was embedded inside an Excel file. Upon opening the Excel file with a vulnerable version of Flash Player, the exploit is triggered: it loads shellcode into memory, performs heap spraying, and loads a Flash byte stream from memory to exploit the vulnerability. Once the exploit is successful, a backdoor (Poison Ivy) is installed on the machine.
  3. getproperty – Get the named property of the given target. coerce – Convert a value to the type given by the name argument. This implements the ES4 implicit conversion.
  4. Discovered in July 2010 by the VirusBlokAda company in Minsk, Belarus. Affecting 14 plants to date in Iran, Indonesia, India, UK, North America, Korea. Targets Siemens WinCC and SIMATIC Process Control System (PCS7). A user opens a folder that contains the .lnk template files (.pif files also vulnerable). Rootkit drivers signed with valid certificates (Realtek and JMicron). UPX packed, XOR encoded everywhere. Once loaded, queries the Siemens database with a known default password. Connects to C&C servers, sending sensitive data. Manipulates the database to control the HMI output and manipulates the PLCs.
  5. Using four 0-day vulnerabilities plus Conficker (MS08-067). *Shortcut icon vulnerability (CVE-2010-2568/MS10-046) – affecting every version of Windows since Windows 2000 (even Win95) (patched Aug. 2). Design flaw in Print Spooler (MS10-061/CVE-2010-2729) (patched on Tues). Two privilege escalation exploits [win32k.sys] (yet to be patched) *
  6. Decrypt the configuration data used by the threat. Drop two .sys files and install them as a kernel-level rootkit. Access files created by the Siemens Step 7 software package. Update itself. Drop more .dll and .dat files. Infect removable drives with custom .lnk files. Inject into the lsass.exe process and execute custom code. Inject into the iexplore.exe process. Check if certain antivirus applications are running. Scan the network for servers. Remove itself. Communicate with the C&C server.