My Cocon presentation. This was presented in the non-technical track, so the slides do not contain any technical details of the malware. If you need the samples mentioned in the slides, please email me.
2. About Me
Rahul Sasi
I work as a researcher.
One of the admins of www.Garage4Hackers.com.
https://twitter.com/fb1h2s
I spend my free time researching new attack vectors.
Garage4Hackers
4. APT - Attacks
Advanced Persistent Threats: any exploit or malware that specifically targets a particular organization or country in order to steal confidential information.
5. About this Talk
With the rise in the number of targeted attacks against government and private companies, there is a clear requirement for an intelligent method of detecting these attacks.
This talk is about an undetected APT attack targeting Indian police organizations, which we identified a week ago.
Sandy is a free tool we have built that is capable of doing exploit analysis on DOC, RTF, XLS, PPT and JAR files and on URLs.
We will also explain the implications and policy guidelines for the prevention of these attacks.
6. APT: Who should be concerned?
You need to ask yourself what you have got that other people would want.
Commercially sensitive information, intellectual property such as designs.
What I have seen is mostly government, manufacturers and financial services.
7. My organization is small!
Many attacks I have seen were attacking small companies.
Most of the time it is the startup that has the innovative technology that can be used.
Or it could be a small organization working for the government.
We have seen smaller organizations targeted as much as the larger organizations.
8. Recent APT Incident in the news
The FBI released a notice on a targeted attack on the US aviation industry.
Many professionals from the aviation industry were targeted, and their computers were infected or an attempt to infect them was made.
The goal: steal blueprints, new aerospace technology and lots of other material.
10. Step 1: Establishing the backdoor
Use of various exploits.
Malicious attachments sent via email are used to infect victims.
These contained exploits targeting various applications such as Adobe Reader and Microsoft Office.
Browser-based exploits, where you visit a particular web page crafted with an exploit.
11. Document Exploits
Uses an exploit.
The file comes in the form of a .doc or .rtf file that has the exploit embedded.
Once you open these document files you would be infected.
These exploits affect any OS with Office or a PDF reader installed.
12. What is Sandy
A tool built under the Indian Honeynet project.
Sandy is an online tool (sandbox) capable of doing both static and dynamic analysis of malicious Office, PDF, JAR, Flash and HTML files.
The input is one of the above file formats, and the output is the extracted malware, controllers and URLs.
In the talk I will share information on a particular sample targeting the Indian police department that we received via Sandy.
14. Sandy Submission
On 2013-09-03 we received a .doc file on Sandy.
The exploit email was sent to the top executives of an IT security company.
At the time of analysis only 2 of 34 antivirus engines detected it as malicious.
When opened on Windows-based machines, the document dropped a backdoor on the user's computer.
15. Research on the Attackers
We managed to collect 30 other exploits that were used by the same group over a period of 1 year and analyzed them.
We tried to understand the attackers' tools and techniques, modus operandi and targets.
Out of the 30 exploits, none of them was made on a Saturday or Sunday.
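The weekday observation above is a standard way of profiling an attacker's working pattern from sample build timestamps. The following is an added example, not code from the talk or from the Sandy project: it takes a list of UTC build timestamps (constructed values here, not the timestamps of the 30 samples in the talk), builds a weekday histogram, reports the weekend fraction, and goes one step beyond the slide by scoring which UTC offset makes the activity fit a 09:00 to 18:00 weekday office window best. The office-hours window and the tie-breaking toward the smallest offset are assumptions of this example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: build timestamps (UTC) of a set of exploit documents.
# These values are invented for illustration, not the samples from the talk.
SAMPLE_BUILD_TIMES_UTC = [
    "2013-01-14T01:12:00", "2013-01-15T03:40:00", "2013-02-04T06:05:00",
    "2013-02-20T02:30:00", "2013-03-11T07:55:00", "2013-03-12T01:20:00",
    "2013-04-02T05:10:00", "2013-04-24T04:45:00", "2013-05-13T02:00:00",
    "2013-06-05T08:30:00", "2013-07-01T03:15:00", "2013-08-19T06:40:00",
]

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp and mark it as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def weekday_histogram(timestamps, utc_offset_hours=0):
    """Count samples per weekday after shifting into the given UTC offset."""
    shift = timedelta(hours=utc_offset_hours)
    counts = Counter()
    for ts in timestamps:
        local = parse_utc(ts) + shift
        counts[WEEKDAYS[local.weekday()]] += 1
    return {day: counts.get(day, 0) for day in WEEKDAYS}


def weekend_fraction(timestamps, utc_offset_hours=0):
    """Fraction of samples built on a Saturday or Sunday in the given offset."""
    hist = weekday_histogram(timestamps, utc_offset_hours)
    total = sum(hist.values())
    return (hist["Sat"] + hist["Sun"]) / total if total else 0.0


def office_hours_score(timestamps, utc_offset_hours, start=9, end=18):
    """Fraction of samples built on a weekday inside the [start, end) hour window."""
    shift = timedelta(hours=utc_offset_hours)
    hits = 0
    for ts in timestamps:
        local = parse_utc(ts) + shift
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(timestamps) if timestamps else 0.0


def best_utc_offset(timestamps):
    """UTC offset (hours) whose office-hours window fits the samples best.

    Ties are broken toward the offset closest to UTC; this is an assumption of
    the example, and a real assessment would inspect all high-scoring offsets.
    """
    return max(range(-12, 15),
               key=lambda off: (office_hours_score(timestamps, off), -abs(off)))


if __name__ == "__main__":
    print("Weekday histogram (UTC):", weekday_histogram(SAMPLE_BUILD_TIMES_UTC))
    print("Weekend fraction (UTC):", weekend_fraction(SAMPLE_BUILD_TIMES_UTC))
    off = best_utc_offset(SAMPLE_BUILD_TIMES_UTC)
    print("Best-fitting UTC offset:", off,
          "score", office_hours_score(SAMPLE_BUILD_TIMES_UTC, off))
```

A single good fit is weak evidence on its own: neighbouring offsets usually score almost as well, build timestamps can be forged, and the input should be a reasonably large set of samples from the same group, as the talk's 30-sample set is.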
16. Based on our research on the malware infrastructure
We were able to identify that the same group of attackers were targeting Indian police agencies.
We were able to locate a new persistence malware with no AV detection, which is digitally signed and is used by this team.
Except for 1 Chinese AV, no other AV company was detecting the threat.
The attacks were part of a cyber spying campaign.
17. Modus operandi & Tools and Techniques
The attackers were mainly using phishing-based attacks via email to infect their targets.
The attackers were manually verifying the infected machines and were adding the new persistence malware to them.
So if they found an infected machine to be of high importance, they added a secondary advanced monitoring tool to that system.
18. Targets
Targets were mainly government organizations, small private companies and contractors to the government.
Most of the infected computers were those of secretaries.
20. Lessons Learned and Policy Implications
Knowing what you need to protect is the most important task.
Active government and community partnership is necessary.
Security awareness among employees: the human firewall.
No single layer of fraud prevention or authentication is enough to stop determined attackers.
21. Thank You
Contact me if you need malware samples:
https://twitter.com/fb1h2s
https://www.facebook.com/loverahulsas
fb1h2s@gmail.com
Speaker notes
I was privileged to publish my research papers at many prominent security conferences.
So in simple terms, the bad guys will install a malicious program on your computer that would allow them to monitor all your confidential data. The malicious program either uploads all confidential records to a central attacker-controlled computer or provides live monitoring.
We will introduce a tool named Sandy that we built and that is free, which helped us in the identification of this risk.
It does not mean t
The attacker backdoors your system with a malicious program, then enumerates the network looking for more valid credentials such as user accounts and passwords. Then they install more persistent utilities.
The input of Sandy is file formats. In this talk I will share the various samples we collected on Sandy.
The tool has a web interface and can be accessed from the following locations. So if you receive an email with a suspicious file, you can upload it to our tool and the tool would be able to provide you information on whether it is an exploit or a clean file.
It is always good to study your attackers. This means the attackers work from an organized office environment and do not work on weekends.
So what we observed was, when a successful attack takes place, the attacker logs in to their victims' computers remotely and then verifies whether the infection is of high or low priority.
As part of the re-assessment process, an organisation must ensure it understands why it may be attacked. "Every organisation should draw up a risk register that will allow the allocation of funds and resources to protect the assets that are most valuable to the organisation, which may include business processes as well as information." As bessi mentioned, an active government-community partnership is needed where individual researchers are able to communicate identified issues to the government directly. If the CEO of a company is getting security awareness training and all his emails are handled by his secretary, then she is as much of a target as he is.