SlideShare une entreprise Scribd logo

Tracking Exploit Kits - Virus Bulletin 2016

Télécharger en tant que PPTX, PDF
John Bambenek
John Bambenek

John Bambenek discusses tracking exploit kits by monitoring their infrastructure and operations. He explains that by disrupting entire exploit kit ecosystems, more can be done than taking down individual malware operators. Bambenek describes how exploit kits work and outlines strategies for gathering intelligence on exploit kits, such as decoding landing pages, using PCREs to find new sites, and leveraging resources like Bing's malicious URL feed to collect potential targets for dynamic analysis. The goal is to develop intelligence that can be used to disrupt the operations of exploit kit operators and affiliates.

Internet
1  sur  39
Tracking Exploit Kits John Bambenek, Manager of Threat Systems Fidelis Cybersecurity Virus Bulletin 2016 – Denver, Colorado
© Fidelis Cybersecurity Introduction • Manager of Threat Systems with Fidelis Cybersecurity • Part-Time Faculty at University of Illinois in CS • Provider of open-source intelligence feeds • Run several takedown oriented groups and surveil threats 2
© Fidelis Cybersecurity Why track exploit kits? • After investigating and occasionally getting malware operators prosecuted, new malware always shows up to take its place. • Operation Tovar ended Gameover Zeus and Cryptolocker, now have Vawtrak and Locky. 3
© Fidelis Cybersecurity Why track exploit kits? • Law enforcement operations for cybercrime take months or years and only pursue a limited amount of threats. • However, almost all criminal malware comes via two methods, spam botnets or exploit kits. • What if you could smash the entire malware delivery ecosystem instead? 4
© Fidelis Cybersecurity Cybercrime ecosystem 5
© Fidelis Cybersecurity EK Ecosystem • Malware writers/operators • EK operators • Exploit writers • Traffic generators • Selling of compromised websites • “Marketplace” operators • The ecosystem behind malware (i.e. mules, carders, etc) • Bitcoin washing services   6
© Fidelis Cybersecurity Why track exploit kits? • Earlier this year, Russian authorities arrested the Lurk group who had direct connections to Angler Exploit Kit (EK) operations. • Angler EK went away overnight. 7
© Fidelis Cybersecurity Intelligence Priorities • Priority 1: Ensure current products detect new malware and changes in EKs to protect customers. • Priority 2: Develop intelligence to track EK operators and customers ultimately to disrupt an entire ecosystem instead of one small crime group. 8
© Fidelis Cybersecurity What is an Exploit Kit? • Set of tools (prominently web-based) that exploit vulnerabilities in software (browser, Adobe, Java, etc) to spread malware. • Relatively static list of exploits each kit uses and they vary. • Rarely (but sometimes) use 0-days. • They operate as a criminal service and “sell infections” of whatever provided malware. • Primary defense: patch your OS and applications. 9
© Fidelis Cybersecurity Exploit Kits • RIG • Nuclear • Neutrino • Magnitude • Angler • Many more… 10
© Fidelis Cybersecurity Campaign IDs • Many, but not all, malware operators use multiple means of delivery and they compartmentalize using Campaign IDs. • Sometimes the campaign ID refers to an affiliate. • Sometimes it’s just for a specific run of their malware. • Correlating affiliates across malware delivery mechanisms can provide interesting insights into the marketplace behind the malware delivery. 11
© Fidelis Cybersecurity Locky Example 12
© Fidelis Cybersecurity Data-mining malware • Taking data downloaded from malware, you can rip configs and get information. • Cross-correlate based on delivery method and now you have insight in who is buying service from whom. • Now you have raw building blocks for an operation similar to what Russia did to the Lurk group that ended Angler. 13
© Fidelis Cybersecurity Basic EK Process • Victim clicks on (usually compromised) webpage. • There is validation of suitability. • Geo-blacklisting • Likely vulnerable browser • Blacklisting of suspected sandboxes, security researchers • Victim is directed to actual exploit. • Victim downloads and installs malware. 14
© Fidelis Cybersecurity Magnitude to Cerber example 15 From malware-traffic-analysis.net – has great blogs on EK traffic
© Fidelis Cybersecurity Exploit Kit URLs often have patterns • Some older Nuclear EK URL patterns in PCRE: • .(su|ru)/mod_articles-auth.*d/(ajax|jquery)//b/shoe/[0-9]{4,10} • ^[^/n]{1,99}?/url?([w]+=([w.]+)?&){5,10}url=https://[w]+.[a- z]{2,3}&([w]+=([w.]+)?&){2,6}[w]+=[w.]+$ • ^[^/n]{1,99}?/search?(?=.*[a-z]+=utf- 8&)(?=.*ei=.*(p{Ll}p{Lu}|p{Lu}p{Ll}))(?=.*ei=.{20,})(?!=/)([a- z_]{1,8}=[w+-.x20]+&?){2,5}$ • ^[^/n]{1,99}?/(?-i)([a-z0-9]+/){0,3}d{2,3}(_|-)[a-z]+(_|-)d+.[a-z]{3,6}$ • ^[^/n]{1,99}?/(?-i)([a-z0-9]+/){0,3}[a-z-]+?(([a-z_-]|[0-9]){3,}=([a-z_- ]|[0-9]){3,}&){1,5}[a-z0-9_-]{2,}=[a-z0-9]{8,}$ 16
© Fidelis Cybersecurity Non-Attributable Networks • EKs do have a tendency to block obvious security researchers and security company netblocks. • They don’t do a good job blocking commodity VPN services. • You can pick what country you want to appear from.  • Still limits to what you can retrieve using a VPN. • VPN inside or outside cuckoo VM? 17
© Fidelis Cybersecurity Non-Attributable Networks 18
© Fidelis Cybersecurity Non-Attributable Network • At present, there is no easy central way to manage multiple cuckoo instances that reach out to multiple geographies from the same instance. • Solution is to run multiple physical cuckoo instances with VPN outside the VM and rotate IPs inside a geo each batch run. 19
© Fidelis Cybersecurity Exploit hunting • Each exploit kit has a partially overlapping but unique set of exploits they use. • To get cuckoo to execute the exploit, some care needs to be spent in choosing the images and vulnerable software based on exploit kit. • An older tracking spreadsheet is available at: https://docs.google.com/spreadsheet/ccc?key=0AjvsQV3iSLa 1dE9EVGhjeUhvQTNReko3c2xhTmphLUE#gid=10 but a new version should be at ContagioDump.blogspot.com soon. 20
© Fidelis Cybersecurity Exploit Hunting 21
© Fidelis Cybersecurity Exploit Hunting • Easiest way is to have a set of VM images for specific exploit kits. • Still need to monitor for addition of new exploits. • 0-days happen maybe once a year. 22
© Fidelis Cybersecurity Decoding EK landing pages • Open source tools available here: https://github.com/mak/ekdeco for Neutrino, Nuclear and Angler. • Can export config and encryption keys, intermediate flash files, and the exploit outputs that are used and save those to files. • Requires landing pages or first SWF file (available in PCAP or via Cuckoo). 23
© Fidelis Cybersecurity Example$ python neutrino.py -d out -e -i strong-special-green-tread-motive-happiness-warm-stre-slap-happy.swf [+] embeded swf (SHA256: d977a418fa1cf5a0a78c768fade3223ead531ee25d766fa64a2e27ade0616a82) extracted,and saved to out/d977a418fa1cf5a0a78c768fade3223ead531ee25d766fa64a2e27ade0616a82.swf [+] cfg key: uturwhahhdm820991, exploit key: czynukeclllu385015 {u'debug': {u'flash': False}, u'exploit': {u'nw22': {u'enabled': True}, u'nw23': {u'enabled': True}, u'nw24': {u'enabled': True}, u'nw25': {u'enabled': True}, u'nw8': {u'enabled': True}}, u'key': {u'payload': u'yykrnnfwet'}, u'link': {u'backUrl': u'', u'bot': u'http://muusikkopruflin.earclearclinic.co.uk/1994/05/16/jump/loom/have-september-meal-borrow-normal.html', u'flPing': u'http://muusikkopruflin.earclearclinic.co.uk/wobbler/1440055/carrot-every-hasten', u'jsPing': u'http://muusikkopruflin.earclearclinic.co.uk/1978/12/12/alley/knock-trial-guilty-knee-younger-sigh-suffer-fault-lamp.html', u'pnw22': u'http://muusikkopruflin.earclearclinic.co.uk/dull/aXF4Y21nYw', u'pnw23': u'http://muusikkopruflin.earclearclinic.co.uk/consciousness/clever-13253660', u'pnw24': u'http://muusikkopruflin.earclearclinic.co.uk/hospital/d2dxY3dkZw', u'pnw25': u'http://muusikkopruflin.earclearclinic.co.uk/disappointment/battle-31593215', u'pnw8': u'http://muusikkopruflin.earclearclinic.co.uk/another/hideous-33550406', u'soft': u'http://muusikkopruflin.earclearclinic.co.uk/belong/animal-none-western-14473008'}, u'marker': u'rtConfig'} [+] Exploit saved to …. 24
© Fidelis Cybersecurity Example $ xxd 7ccc54cd4e819ee0a8b291917cf321acc058ccc6e4d35ad6f21db09491e05332.ek.bin 0000000: 5a57 5312 c741 0000 6820 0000 5d00 0020 ZWS..A..h ..].. 0000010: 0000 3bff fc8e 19fa dfe7 6608 a03d 3e85 ..;.......f..=>. 0000020: f575 6fd0 7e61 351b 1a8b 164d df05 32fe .uo.~a5....M..2. 0000030: a44c 4649 b77b 6b75 f92b 5c37 290b 9137 .LFI.{ku.+7)..7 0000040: 0137 0ee9 f2e1 fc9e 64da 6c11 2133 eda0 .7......d.l.!3.. 0000050: 0e76 70a0 cd98 2e76 80f0 e059 5606 08e9 .vp....v...YV... 0000060: caeb a2c6 db5a 867b 47de 995d 6876 3816 .....Z.{G..]hv8. 0000070: bd93 3cd3 d09e d355 635a dab0 db27 e67c ..<....UcZ...'.| 0000080: 213d accc 90a1 7658 7308 c858 95d6 680b !=....vXs..X..h. 0000090: f2b8 c7c7 1255 4087 e759 c04e df21 aee8 .....U@..Y.N.!.. 00000a0: a06a 8ec4 ecd8 3838 a5f4 55b9 284e 31d5 .j....88..U.(N1. 00000b0: 1256 5f00 c2ea 9c36 e8be b710 5aa6 2909 .V_....6....Z.). 00000c0: 3d49 3471 1ec5 14ee 224f 7b31 40e3 fb00 =I4q...."O{1@... 00000d0: d5f1 bfe2 2fbe 4458 10a8 01f4 3108 fa24 ..../.DX....1..$ 00000e0: 0d9a aefd c5cf cfa2 350b aeed dc41 39c8 ........5....A9. 00000f0: 4f5f 1f63 6f38 20e8 69e4 4785 e82e ba36 O_.co8 .i.G....6 25
© Fidelis Cybersecurity Other Cuckoo considerations • Cuckoo stores tons of information, but for EKs we are only interested in getting the dropped binary. • Turn off all the logging except that directly related to dropped files. • Running Yara and using volatility can help quickly identify dropped files. • Remember, use a non-attributable network. :) 26
© Fidelis Cybersecurity Finding EK landing pages • All this automation still has to be fed with targets to sandbox. • Work backwards from an infection event. • Use web proxy logs / telemetry and PCREs. • Use a crawler. • Trick EK to give you the initial gates. 27
© Fidelis Cybersecurity Working backwards from an infection • Least efficient way of doing it but in some cases (new EK, significant changes to an existing EK) it’s all we can do. • Initial gates are transient resources, so manually identifying them has limited utility. • Also limited only by what is attacking you or your customer. 28
© Fidelis Cybersecurity Using PCREs to hunt • Still requires users to visit but can be programmatically pipelined into a sandbox system for relatively real time analysis. • Everyone has a user-base and telemetry that has geographic or demographic biases that create holes in visibility. 29
© Fidelis Cybersecurity Using a crawler • Inefficient because it will request more than what you are looking for. • Crawlers are also resource intensive the broader you are looking for behavior. • It can, however, have a global footprint and be thorough. 30
© Fidelis Cybersecurity Using a crawler • Luckily, we don’t have to make our own crawler when Microsoft will give Bing crawler malicious URLs to MAPP/VIA members. • On 4 August 2016, over 26M malicious webpages were seen which Microsoft gives a 99% confidence interval too. • Much more than EKs. 31
© Fidelis Cybersecurity Using Bing Malicious URLs 8/4/2016 4:58:27 PM http://0000-programasnet.blogspot.com.ar/2011/03/my-defragmenter-my- defragmenter-es- un.html?action=backlinks&widgetId=Blog1&widgetType=Blog&responseType=js&postID=699478954130775 3585 216.58.216.193 us 15169 MalwareNetwork 8/4/2016 4:51:46 PM http://0000-programasnet.blogspot.com.ar/2011/03/pocopique-tv-programa-para- ver- tv.html?action=backlinks&widgetId=Blog1&widgetType=Blog&responseType=js&postID=7841830628282890 204 216.58.192.129 us 15169 ES 8/4/2016 6:06:13 PM http://0000-programasnet.blogspot.com.ar/2011/07/reparacion-de- impresoras.html 216.58.192.129 us 15169 ES 8/4/2016 6:26:04 PM http://0000-programasnet.blogspot.com.ar/2011_02_24_archive.html 216.58.192.129 us 15169 MalwareNetwork 8/4/2016 4:34:23 PM http://0000-programasnet.blogspot.com.es/2011/02/descarga-chat-para- facebook.html?action=backlinks&widgetId=Blog1&widgetType=Blog&responseType=js&postID=2134381520 774268527 216.58.192.225 us 15169 MalwareNetwork 32
© Fidelis Cybersecurity Bing Malicious URLs • On 4 August, 524,713 of those URLs pointed to IPs inside China. • Number is misleading because it includes multiple URLs under same domain. • Also flags “interesting” advertiser behavior. • Need to filter based on the PCREs we have seen before or other alerting technology. • We are running all these URLs through cURL with a spoofed user agent just to see request and first response. 33
© Fidelis Cybersecurity Bing Malicious URLs • Dealing with compromised websites and bulk malicious behavior is hard to do. • With proper filtering of the above, it also becomes possible to programmatically start notifying hosting providers of such content so they can start cleaning these websites. • Subscribe to Shadowserver’s Netblock Reporting Service to get alerts on malicious activity seen on your network. • https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetRe portsOnYourNetwork 34
© Fidelis Cybersecurity Bing Malicious URLs # grep –P ‘$pcre’ Bing_mUrls_2016_08_04_8.tsv http://melnoosh.narod.ru/p3aa1.html http://mr-hijacker.blogspot.com/indexEN.html http://peterbronkhorst.rusa.nl/pag013l.htm http://peterscott.0catch.com/vk3en62w.htm http://portvein777.narod.ru/MirChiselChast10.htm http://portvein777.narod.ru/MirChiselChast26.htm http://redirectionn.weebly.com/fadi7a.html http://remeslo.okis.ru/15moda2.html http://remeslo.okis.ru/15moda3.html http://ruza-gimnazia.narod.ru/p13aa1.html http://ruza-gimnazia.narod.ru/p15aa1.html 35
© Fidelis Cybersecurity Trick EKs to give you landing pages • EKs have a hierarchical structure but the deeper levels also need to be aware of the landing pages to prevent people artificially getting malware directly from the source. 2|http://amabamque-cibohpor.brazcon.co.uk/band/observe-otherwise-17797287|amabamque- cibohpor.brazcon.co.uk|212.48.74.196|168.1.99.232 3|http://raperon.drauk.com/john/1981037/mark-gasp-frequent-loss-unknown- mingle|raperon.drauk.com|184.154.146.157|185.125.168.248 4|http://tajuason.agencyconveyancing.com/measure/1381170/bare-dare-themself-corp-jump-cave- feast-disappear-flower-bush|tajuason.agencyconveyancing.com|81.21.76.62| 5|http://zaczepneepeios.sadie-maymiles.com/dwell/1960713/fair-opposite-anxiety- worst|zaczepneepeios.sadie-maymiles.com|188.138.41.20|179.43.188.214 …. 36
© Fidelis Cybersecurity Putting it together • Now we have all the pieces. Use telemetry/web logs, Bing Malicious URLs and EK bugs to put URLs into your sandbox. • Use non-attributed network from multiple geographies to maximize visibility. • Retrieve first landing page / exploit file and dropped malware. 37
© Fidelis Cybersecurity Putting it together • Tie dropped malware to country and exploit kit (note, repeat visits from same IP will not give you malware). • EKs sell “by infection” so often the same landing page will drop other malware as the infection orders are fulfilled. • Further mine dropped malware for intelligence and correlate to other malware delivery networks. 38
Questions & Thank You! John Bambenek / john.bambenek@fidelissecurity.com If you are interested in Exploit Kit tracking and disruption, please get in touch.

Recommandé

Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesJohn Bambenek
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoJohn Bambenek
 
Yet Another YARA Allocution (YAYA)
Yet Another YARA Allocution (YAYA) Yet Another YARA Allocution (YAYA)
Yet Another YARA Allocution (YAYA) John Laycock
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleJohn Bambenek
 
2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat ReviewESET
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksEC-Council
 

Recommandé

Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesJohn Bambenek
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoJohn Bambenek
 
Yet Another YARA Allocution (YAYA)
Yet Another YARA Allocution (YAYA) Yet Another YARA Allocution (YAYA)
Yet Another YARA Allocution (YAYA) John Laycock
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleJohn Bambenek
 
2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat ReviewESET
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksEC-Council
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...EC-Council
 
Hunting Layered Malware by Raul Alvarez
Hunting Layered Malware by Raul AlvarezHunting Layered Malware by Raul Alvarez
Hunting Layered Malware by Raul AlvarezEC-Council
 
Break IT Down by Josh Smith
Break IT Down by Josh SmithBreak IT Down by Josh Smith
Break IT Down by Josh SmithEC-Council
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseAndrew Morris
 
HITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceHITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceJohn Bambenek
 
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.Light, Dark and... a Sunburst... dissection of a very sophisticated attack.
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.Stefano Maccaglia
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteEC-Council
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat Security Conference
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012Andrew Morris
 
CoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVCoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVThomas Roccia
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
The Rising Threat of Fileless Malware
The Rising Threat of Fileless MalwareThe Rising Threat of Fileless Malware
The Rising Threat of Fileless MalwareChelsea Sisson
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
Capture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseCapture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseFidelis Cybersecurity
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareKaspersky
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Another Side of Hacking
Another Side of HackingAnother Side of Hacking
Another Side of HackingSatria Ady Pradana
 
Hunting For Exploit Kits
Hunting For Exploit KitsHunting For Exploit Kits
Hunting For Exploit KitsJoe Desimone
 
Insights into the Cybercrime Ecosystem
Insights into the Cybercrime EcosystemInsights into the Cybercrime Ecosystem
Insights into the Cybercrime EcosystemAlbert Hui
 

Contenu connexe

Tendances

BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...EC-Council
 
Hunting Layered Malware by Raul Alvarez
Hunting Layered Malware by Raul AlvarezHunting Layered Malware by Raul Alvarez
Hunting Layered Malware by Raul AlvarezEC-Council
 
Break IT Down by Josh Smith
Break IT Down by Josh SmithBreak IT Down by Josh Smith
Break IT Down by Josh SmithEC-Council
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseAndrew Morris
 
HITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceHITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceJohn Bambenek
 
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.Light, Dark and... a Sunburst... dissection of a very sophisticated attack.
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.Stefano Maccaglia
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteEC-Council
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat Security Conference
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012Andrew Morris
 
CoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVCoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVThomas Roccia
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
The Rising Threat of Fileless Malware
The Rising Threat of Fileless MalwareThe Rising Threat of Fileless Malware
The Rising Threat of Fileless MalwareChelsea Sisson
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
Capture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseCapture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseFidelis Cybersecurity
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareKaspersky
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 

Tendances (20)

BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
 
Hunting Layered Malware by Raul Alvarez
Hunting Layered Malware by Raul AlvarezHunting Layered Malware by Raul Alvarez
Hunting Layered Malware by Raul Alvarez
 
Break IT Down by Josh Smith
Break IT Down by Josh SmithBreak IT Down by Josh Smith
Break IT Down by Josh Smith
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To Noise
 
HITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceHITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat Intelligence
 
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.Light, Dark and... a Sunburst... dissection of a very sophisticated attack.
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012
 
CoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVCoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLV
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
The Rising Threat of Fileless Malware
The Rising Threat of Fileless MalwareThe Rising Threat of Fileless Malware
The Rising Threat of Fileless Malware
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
 
Capture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseCapture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception Defense
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomware
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
Another Side of Hacking
Another Side of HackingAnother Side of Hacking
Another Side of Hacking
 

En vedette

Hunting For Exploit Kits
Hunting For Exploit KitsHunting For Exploit Kits
Hunting For Exploit KitsJoe Desimone
 
Insights into the Cybercrime Ecosystem
Insights into the Cybercrime EcosystemInsights into the Cybercrime Ecosystem
Insights into the Cybercrime EcosystemAlbert Hui
 
Ola Wittenby - Hotlandskapet på Internet
Ola Wittenby - Hotlandskapet på Internet Ola Wittenby - Hotlandskapet på Internet
Ola Wittenby - Hotlandskapet på Internet IBM Sverige
 
BSides 2016 Presentation
BSides 2016 PresentationBSides 2016 Presentation
BSides 2016 PresentationAngelo Rago
 
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsI/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsCrowdStrike
 
CrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas AttackCrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas AttackCrowdStrike
 
Be Social. Use CrowdRE.
Be Social. Use CrowdRE.Be Social. Use CrowdRE.
Be Social. Use CrowdRE.CrowdStrike
 
The Enemy Within: Stopping Advanced Attacks Against Local Users
The Enemy Within: Stopping Advanced Attacks Against Local UsersThe Enemy Within: Stopping Advanced Attacks Against Local Users
The Enemy Within: Stopping Advanced Attacks Against Local UsersTal Be'ery
 
CrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the HashCrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the HashCrowdStrike
 
Hacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted ThreatsHacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted ThreatsCrowdStrike
 
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging JavaJava Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging JavaCrowdStrike
 
Bear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence OperationsBear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence OperationsCrowdStrike
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyCrowdStrike
 
TOR... ALL THE THINGS
TOR... ALL THE THINGSTOR... ALL THE THINGS
TOR... ALL THE THINGSCrowdStrike
 
You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionYou Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionCrowdStrike
 
CrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdStrike
 

En vedette (20)

Hunting For Exploit Kits
Hunting For Exploit KitsHunting For Exploit Kits
Hunting For Exploit Kits
 
Insights into the Cybercrime Ecosystem
Insights into the Cybercrime EcosystemInsights into the Cybercrime Ecosystem
Insights into the Cybercrime Ecosystem
 
Ola Wittenby - Hotlandskapet på Internet
Ola Wittenby - Hotlandskapet på Internet Ola Wittenby - Hotlandskapet på Internet
Ola Wittenby - Hotlandskapet på Internet
 
Fidelis Cybersecurity Overview
Fidelis Cybersecurity OverviewFidelis Cybersecurity Overview
Fidelis Cybersecurity Overview
 
BSides 2016 Presentation
BSides 2016 PresentationBSides 2016 Presentation
BSides 2016 Presentation
 
Hunting gh0st rat using memory forensics
Hunting gh0st rat using memory forensics Hunting gh0st rat using memory forensics
Hunting gh0st rat using memory forensics
 
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsI/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
 
CrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas AttackCrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas Attack
 
Be Social. Use CrowdRE.
Be Social. Use CrowdRE.Be Social. Use CrowdRE.
Be Social. Use CrowdRE.
 
The Enemy Within: Stopping Advanced Attacks Against Local Users
The Enemy Within: Stopping Advanced Attacks Against Local UsersThe Enemy Within: Stopping Advanced Attacks Against Local Users
The Enemy Within: Stopping Advanced Attacks Against Local Users
 
CrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the HashCrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the Hash
 
Hacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted ThreatsHacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted Threats
 
Pycon Sec
Pycon SecPycon Sec
Pycon Sec
 
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging JavaJava Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
 
Venom
Venom Venom
Venom
 
Bear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence OperationsBear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence Operations
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family
 
TOR... ALL THE THINGS
TOR... ALL THE THINGSTOR... ALL THE THINGS
TOR... ALL THE THINGS
 
You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionYou Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And Detection
 
CrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing Intelligence
 

Similaire à Tracking Exploit Kits - Virus Bulletin 2016

Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
Securing your Cloud Environment
Securing your Cloud EnvironmentSecuring your Cloud Environment
Securing your Cloud EnvironmentShapeBlue
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The EnterpriseJason Ross
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareMyNOG
 
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
DEF CON 27 - workshop - RICHARD GOLD - mind the gapDEF CON 27 - workshop - RICHARD GOLD - mind the gap
DEF CON 27 - workshop - RICHARD GOLD - mind the gapFelipe Prado
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developersMITRE ATT&CK
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device InsecurityJeremy Brown
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxlior mazor
 
Mitigate potential compliance risks
Mitigate potential compliance risksMitigate potential compliance risks
Mitigate potential compliance risksJürgen Brüder
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdfMAHESHUMANATHGOPALAK
 
SOC-BlueTEam.pdf
SOC-BlueTEam.pdfSOC-BlueTEam.pdf
SOC-BlueTEam.pdfBeratAkit
 
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUESEMERSON EDUARDO RODRIGUES
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsSynopsys Software Integrity Group
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Tzung-Bi Shih
 
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】Hacks in Taiwan (HITCON)
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysisChong-Kuan Chen
 

Similaire à Tracking Exploit Kits - Virus Bulletin 2016 (20)

Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
Securing your Cloud Environment
Securing your Cloud EnvironmentSecuring your Cloud Environment
Securing your Cloud Environment
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source Software
 
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
DEF CON 27 - workshop - RICHARD GOLD - mind the gapDEF CON 27 - workshop - RICHARD GOLD - mind the gap
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developers
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
log4j.pdf
log4j.pdflog4j.pdf
log4j.pdf
 
Mitigate potential compliance risks
Mitigate potential compliance risksMitigate potential compliance risks
Mitigate potential compliance risks
 
Webinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for DevelopersWebinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for Developers
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
 
SOC-BlueTEam.pdf
SOC-BlueTEam.pdfSOC-BlueTEam.pdf
SOC-BlueTEam.pdf
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
 
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
 
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysis
 

Plus de John Bambenek

THOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesTHOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesJohn Bambenek
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseJohn Bambenek
 
I'm All Up in Your Blockchain - Hunting Down the Nazis
I'm All Up in Your Blockchain - Hunting Down the NazisI'm All Up in Your Blockchain - Hunting Down the Nazis
I'm All Up in Your Blockchain - Hunting Down the NazisJohn Bambenek
 
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersHITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersJohn Bambenek
 
MISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
MISP Summit 2018: Barncat: Using MISP for Bulk Malware SurveillanceMISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
MISP Summit 2018: Barncat: Using MISP for Bulk Malware SurveillanceJohn Bambenek
 
SANSFIRE - Elections, Deceptions and Political Breaches
SANSFIRE - Elections, Deceptions and Political BreachesSANSFIRE - Elections, Deceptions and Political Breaches
SANSFIRE - Elections, Deceptions and Political BreachesJohn Bambenek
 
PHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat IntelligencePHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat IntelligenceJohn Bambenek
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksJohn Bambenek
 
Blackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareBlackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareJohn Bambenek
 
IESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John BambenekIESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John BambenekJohn Bambenek
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSJohn Bambenek
 
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014John Bambenek
 
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...John Bambenek
 
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011John Bambenek
 
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...John Bambenek
 

Plus de John Bambenek (15)

THOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesTHOTCON - The War over your DNS Queries
THOTCON - The War over your DNS Queries
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
 
I'm All Up in Your Blockchain - Hunting Down the Nazis
I'm All Up in Your Blockchain - Hunting Down the NazisI'm All Up in Your Blockchain - Hunting Down the Nazis
I'm All Up in Your Blockchain - Hunting Down the Nazis
 
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersHITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
 
MISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
MISP Summit 2018: Barncat: Using MISP for Bulk Malware SurveillanceMISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
MISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
 
SANSFIRE - Elections, Deceptions and Political Breaches
SANSFIRE - Elections, Deceptions and Political BreachesSANSFIRE - Elections, Deceptions and Political Breaches
SANSFIRE - Elections, Deceptions and Political Breaches
 
PHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat IntelligencePHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat Intelligence
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
 
Blackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareBlackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of Ransomware
 
IESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John BambenekIESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John Bambenek
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
 
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
 
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
 
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
 
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
 

Dernier

VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 

Dernier (20)

VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 

Tracking Exploit Kits - Virus Bulletin 2016

  • 1. Tracking Exploit Kits John Bambenek, Manager of Threat Systems Fidelis Cybersecurity Virus Bulletin 2016 – Denver, Colorado
  • 2. © Fidelis Cybersecurity Introduction • Manager of Threat Systems with Fidelis Cybersecurity • Part-Time Faculty at University of Illinois in CS • Provider of open-source intelligence feeds • Run several takedown oriented groups and surveil threats 2
  • 3. © Fidelis Cybersecurity Why track exploit kits? • After investigating and occasionally getting malware operators prosecuted, new malware always shows up to take its place. • Operation Tovar ended Gameover Zeus and Cryptolocker, now have Vawtrak and Locky. 3
  • 4. © Fidelis Cybersecurity Why track exploit kits? • Law enforcement operations for cybercrime take months or years and only pursue a limited amount of threats. • However, almost all criminal malware comes via two methods, spam botnets or exploit kits. • What if you could smash the entire malware delivery ecosystem instead? 4
  • 6. © Fidelis Cybersecurity EK Ecosystem • Malware writers/operators • EK operators • Exploit writers • Traffic generators • Selling of compromised websites • “Marketplace” operators • The ecosystem behind malware (i.e. mules, carders, etc) • Bitcoin washing services   6
  • 7. © Fidelis Cybersecurity Why track exploit kits? • Earlier this year, Russian authorities arrested the Lurk group who had direct connections to Angler Exploit Kit (EK) operations. • Angler EK went away overnight. 7
  • 8. © Fidelis Cybersecurity Intelligence Priorities • Priority 1: Ensure current products detect new malware and changes in EKs to protect customers. • Priority 2: Develop intelligence to track EK operators and customers ultimately to disrupt an entire ecosystem instead of one small crime group. 8
  • 9. © Fidelis Cybersecurity What is an Exploit Kit? • Set of tools (prominently web-based) that exploit vulnerabilities in software (browser, Adobe, Java, etc) to spread malware. • Relatively static list of exploits each kit uses and they vary. • Rarely (but sometimes) use 0-days. • They operate as a criminal service and “sell infections” of whatever provided malware. • Primary defense: patch your OS and applications. 9
  • 10. © Fidelis Cybersecurity Exploit Kits • RIG • Nuclear • Neutrino • Magnitude • Angler • Many more… 10
  • 11. © Fidelis Cybersecurity Campaign IDs • Many, but not all, malware operators use multiple means of delivery and they compartmentalize using Campaign IDs. • Sometimes the campaign ID refers to an affiliate. • Sometimes it’s just for a specific run of their malware. • Correlating affiliates across malware delivery mechanisms can provide interesting insights into the marketplace behind the malware delivery. 11
  • 13. © Fidelis Cybersecurity Data-mining malware • Taking data downloaded from malware, you can rip configs and get information. • Cross-correlate based on delivery method and now you have insight in who is buying service from whom. • Now you have raw building blocks for an operation similar to what Russia did to the Lurk group that ended Angler. 13
  • 14. © Fidelis Cybersecurity Basic EK Process • Victim clicks on (usually compromised) webpage. • There is validation of suitability. • Geo-blacklisting • Likely vulnerable browser • Blacklisting of suspected sandboxes, security researchers • Victim is directed to actual exploit. • Victim downloads and installs malware. 14
  • 15. © Fidelis Cybersecurity Magnitude to Cerber example 15 From malware-traffic-analysis.net – has great blogs on EK traffic
  • 16. © Fidelis Cybersecurity Exploit Kit URLs often have patterns • Some older Nuclear EK URL patterns in PCRE: • .(su|ru)/mod_articles-auth.*d/(ajax|jquery)//b/shoe/[0-9]{4,10} • ^[^/n]{1,99}?/url?([w]+=([w.]+)?&){5,10}url=https://[w]+.[a- z]{2,3}&([w]+=([w.]+)?&){2,6}[w]+=[w.]+$ • ^[^/n]{1,99}?/search?(?=.*[a-z]+=utf- 8&)(?=.*ei=.*(p{Ll}p{Lu}|p{Lu}p{Ll}))(?=.*ei=.{20,})(?!=/)([a- z_]{1,8}=[w+-.x20]+&?){2,5}$ • ^[^/n]{1,99}?/(?-i)([a-z0-9]+/){0,3}d{2,3}(_|-)[a-z]+(_|-)d+.[a-z]{3,6}$ • ^[^/n]{1,99}?/(?-i)([a-z0-9]+/){0,3}[a-z-]+?(([a-z_-]|[0-9]){3,}=([a-z_- ]|[0-9]){3,}&){1,5}[a-z0-9_-]{2,}=[a-z0-9]{8,}$ 16
  • 17. © Fidelis Cybersecurity Non-Attributable Networks • EKs do have a tendency to block obvious security researchers and security company netblocks. • They don’t do a good job blocking commodity VPN services. • You can pick what country you want to appear from.  • Still limits to what you can retrieve using a VPN. • VPN inside or outside cuckoo VM? 17
  • 19. © Fidelis Cybersecurity Non-Attributable Network • At present, there is no easy central way to manage multiple cuckoo instances that reach out to multiple geographies from the same instance. • Solution is to run multiple physical cuckoo instances with VPN outside the VM and rotate IPs inside a geo each batch run. 19
  • 20. © Fidelis Cybersecurity Exploit hunting • Each exploit kit has a partially overlapping but unique set of exploits they use. • To get cuckoo to execute the exploit, some care needs to be spent in choosing the images and vulnerable software based on exploit kit. • An older tracking spreadsheet is available at: https://docs.google.com/spreadsheet/ccc?key=0AjvsQV3iSLa 1dE9EVGhjeUhvQTNReko3c2xhTmphLUE#gid=10 but a new version should be at ContagioDump.blogspot.com soon. 20
  • 22. © Fidelis Cybersecurity Exploit Hunting • Easiest way is to have a set of VM images for specific exploit kits. • Still need to monitor for addition of new exploits. • 0-days happen maybe once a year. 22
  • 23. © Fidelis Cybersecurity Decoding EK landing pages • Open source tools available here: https://github.com/mak/ekdeco for Neutrino, Nuclear and Angler. • Can export config and encryption keys, intermediate flash files, and the exploit outputs that are used and save those to files. • Requires landing pages or first SWF file (available in PCAP or via Cuckoo). 23
  • 24. © Fidelis Cybersecurity Example$ python neutrino.py -d out -e -i strong-special-green-tread-motive-happiness-warm-stre-slap-happy.swf [+] embeded swf (SHA256: d977a418fa1cf5a0a78c768fade3223ead531ee25d766fa64a2e27ade0616a82) extracted,and saved to out/d977a418fa1cf5a0a78c768fade3223ead531ee25d766fa64a2e27ade0616a82.swf [+] cfg key: uturwhahhdm820991, exploit key: czynukeclllu385015 {u'debug': {u'flash': False}, u'exploit': {u'nw22': {u'enabled': True}, u'nw23': {u'enabled': True}, u'nw24': {u'enabled': True}, u'nw25': {u'enabled': True}, u'nw8': {u'enabled': True}}, u'key': {u'payload': u'yykrnnfwet'}, u'link': {u'backUrl': u'', u'bot': u'http://muusikkopruflin.earclearclinic.co.uk/1994/05/16/jump/loom/have-september-meal-borrow-normal.html', u'flPing': u'http://muusikkopruflin.earclearclinic.co.uk/wobbler/1440055/carrot-every-hasten', u'jsPing': u'http://muusikkopruflin.earclearclinic.co.uk/1978/12/12/alley/knock-trial-guilty-knee-younger-sigh-suffer-fault-lamp.html', u'pnw22': u'http://muusikkopruflin.earclearclinic.co.uk/dull/aXF4Y21nYw', u'pnw23': u'http://muusikkopruflin.earclearclinic.co.uk/consciousness/clever-13253660', u'pnw24': u'http://muusikkopruflin.earclearclinic.co.uk/hospital/d2dxY3dkZw', u'pnw25': u'http://muusikkopruflin.earclearclinic.co.uk/disappointment/battle-31593215', u'pnw8': u'http://muusikkopruflin.earclearclinic.co.uk/another/hideous-33550406', u'soft': u'http://muusikkopruflin.earclearclinic.co.uk/belong/animal-none-western-14473008'}, u'marker': u'rtConfig'} [+] Exploit saved to …. 24
  • 25. © Fidelis Cybersecurity Example $ xxd 7ccc54cd4e819ee0a8b291917cf321acc058ccc6e4d35ad6f21db09491e05332.ek.bin 0000000: 5a57 5312 c741 0000 6820 0000 5d00 0020 ZWS..A..h ..].. 0000010: 0000 3bff fc8e 19fa dfe7 6608 a03d 3e85 ..;.......f..=>. 0000020: f575 6fd0 7e61 351b 1a8b 164d df05 32fe .uo.~a5....M..2. 0000030: a44c 4649 b77b 6b75 f92b 5c37 290b 9137 .LFI.{ku.+7)..7 0000040: 0137 0ee9 f2e1 fc9e 64da 6c11 2133 eda0 .7......d.l.!3.. 0000050: 0e76 70a0 cd98 2e76 80f0 e059 5606 08e9 .vp....v...YV... 0000060: caeb a2c6 db5a 867b 47de 995d 6876 3816 .....Z.{G..]hv8. 0000070: bd93 3cd3 d09e d355 635a dab0 db27 e67c ..<....UcZ...'.| 0000080: 213d accc 90a1 7658 7308 c858 95d6 680b !=....vXs..X..h. 0000090: f2b8 c7c7 1255 4087 e759 c04e df21 aee8 .....U@..Y.N.!.. 00000a0: a06a 8ec4 ecd8 3838 a5f4 55b9 284e 31d5 .j....88..U.(N1. 00000b0: 1256 5f00 c2ea 9c36 e8be b710 5aa6 2909 .V_....6....Z.). 00000c0: 3d49 3471 1ec5 14ee 224f 7b31 40e3 fb00 =I4q...."O{1@... 00000d0: d5f1 bfe2 2fbe 4458 10a8 01f4 3108 fa24 ..../.DX....1..$ 00000e0: 0d9a aefd c5cf cfa2 350b aeed dc41 39c8 ........5....A9. 00000f0: 4f5f 1f63 6f38 20e8 69e4 4785 e82e ba36 O_.co8 .i.G....6 25
  • 26. © Fidelis Cybersecurity Other Cuckoo considerations • Cuckoo stores tons of information, but for EKs we are only interested in getting the dropped binary. • Turn off all the logging except that directly related to dropped files. • Running Yara and using volatility can help quickly identify dropped files. • Remember, use a non-attributable network. :) 26
  • 27. © Fidelis Cybersecurity Finding EK landing pages • All this automation still has to be fed with targets to sandbox. • Work backwards from an infection event. • Use web proxy logs / telemetry and PCREs. • Use a crawler. • Trick EK to give you the initial gates. 27
  • 28. © Fidelis Cybersecurity Working backwards from an infection • Least efficient way of doing it but in some cases (new EK, significant changes to an existing EK) it’s all we can do. • Initial gates are transient resources, so manually identifying them has limited utility. • Also limited only by what is attacking you or your customer. 28
  • 29. © Fidelis Cybersecurity Using PCREs to hunt • Still requires users to visit but can be programmatically pipelined into a sandbox system for relatively real time analysis. • Everyone has a user-base and telemetry that has geographic or demographic biases that create holes in visibility. 29
  • 30. © Fidelis Cybersecurity Using a crawler • Inefficient because it will request more than what you are looking for. • Crawlers are also resource intensive the broader you are looking for behavior. • It can, however, have a global footprint and be thorough. 30
  • 31. © Fidelis Cybersecurity Using a crawler • Luckily, we don’t have to make our own crawler when Microsoft will give Bing crawler malicious URLs to MAPP/VIA members. • On 4 August 2016, over 26M malicious webpages were seen which Microsoft gives a 99% confidence interval too. • Much more than EKs. 31
  • 32. © Fidelis Cybersecurity Using Bing Malicious URLs 8/4/2016 4:58:27 PM http://0000-programasnet.blogspot.com.ar/2011/03/my-defragmenter-my- defragmenter-es- un.html?action=backlinks&widgetId=Blog1&widgetType=Blog&responseType=js&postID=699478954130775 3585 216.58.216.193 us 15169 MalwareNetwork 8/4/2016 4:51:46 PM http://0000-programasnet.blogspot.com.ar/2011/03/pocopique-tv-programa-para- ver- tv.html?action=backlinks&widgetId=Blog1&widgetType=Blog&responseType=js&postID=7841830628282890 204 216.58.192.129 us 15169 ES 8/4/2016 6:06:13 PM http://0000-programasnet.blogspot.com.ar/2011/07/reparacion-de- impresoras.html 216.58.192.129 us 15169 ES 8/4/2016 6:26:04 PM http://0000-programasnet.blogspot.com.ar/2011_02_24_archive.html 216.58.192.129 us 15169 MalwareNetwork 8/4/2016 4:34:23 PM http://0000-programasnet.blogspot.com.es/2011/02/descarga-chat-para- facebook.html?action=backlinks&widgetId=Blog1&widgetType=Blog&responseType=js&postID=2134381520 774268527 216.58.192.225 us 15169 MalwareNetwork 32
  • 33. © Fidelis Cybersecurity Bing Malicious URLs • On 4 August, 524,713 of those URLs pointed to IPs inside China. • Number is misleading because it includes multiple URLs under same domain. • Also flags “interesting” advertiser behavior. • Need to filter based on the PCREs we have seen before or other alerting technology. • We are running all these URLs through cURL with a spoofed user agent just to see request and first response. 33
  • 34. © Fidelis Cybersecurity Bing Malicious URLs • Dealing with compromised websites and bulk malicious behavior is hard to do. • With proper filtering of the above, it also becomes possible to programmatically start notifying hosting providers of such content so they can start cleaning these websites. • Subscribe to Shadowserver’s Netblock Reporting Service to get alerts on malicious activity seen on your network. • https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetRe portsOnYourNetwork 34
  • 35. © Fidelis Cybersecurity Bing Malicious URLs # grep –P ‘$pcre’ Bing_mUrls_2016_08_04_8.tsv http://melnoosh.narod.ru/p3aa1.html http://mr-hijacker.blogspot.com/indexEN.html http://peterbronkhorst.rusa.nl/pag013l.htm http://peterscott.0catch.com/vk3en62w.htm http://portvein777.narod.ru/MirChiselChast10.htm http://portvein777.narod.ru/MirChiselChast26.htm http://redirectionn.weebly.com/fadi7a.html http://remeslo.okis.ru/15moda2.html http://remeslo.okis.ru/15moda3.html http://ruza-gimnazia.narod.ru/p13aa1.html http://ruza-gimnazia.narod.ru/p15aa1.html 35
  • 36. © Fidelis Cybersecurity Trick EKs to give you landing pages • EKs have a hierarchical structure but the deeper levels also need to be aware of the landing pages to prevent people artificially getting malware directly from the source. 2|http://amabamque-cibohpor.brazcon.co.uk/band/observe-otherwise-17797287|amabamque- cibohpor.brazcon.co.uk|212.48.74.196|168.1.99.232 3|http://raperon.drauk.com/john/1981037/mark-gasp-frequent-loss-unknown- mingle|raperon.drauk.com|184.154.146.157|185.125.168.248 4|http://tajuason.agencyconveyancing.com/measure/1381170/bare-dare-themself-corp-jump-cave- feast-disappear-flower-bush|tajuason.agencyconveyancing.com|81.21.76.62| 5|http://zaczepneepeios.sadie-maymiles.com/dwell/1960713/fair-opposite-anxiety- worst|zaczepneepeios.sadie-maymiles.com|188.138.41.20|179.43.188.214 …. 36
  • 37. © Fidelis Cybersecurity Putting it together • Now we have all the pieces. Use telemetry/web logs, Bing Malicious URLs and EK bugs to put URLs into your sandbox. • Use non-attributed network from multiple geographies to maximize visibility. • Retrieve first landing page / exploit file and dropped malware. 37
  • 38. © Fidelis Cybersecurity Putting it together • Tie dropped malware to country and exploit kit (note, repeat visits from same IP will not give you malware). • EKs sell “by infection” so often the same landing page will drop other malware as the infection orders are fulfilled. • Further mine dropped malware for intelligence and correlate to other malware delivery networks. 38
  • 39. Questions & Thank You! John Bambenek / john.bambenek@fidelissecurity.com If you are interested in Exploit Kit tracking and disruption, please get in touch.