TRENDS
www.ccn-cert.cni.es
Alvaro Garcia
FireEye
alvaro.garcia@fireeye.com
Contents
And, of course, thanks to Jens Monrad and the iSight team.
Scale: scale of operations and level of sophistication.
TTPs: tactics, techniques, and procedures.
Motivation: based on the group's targets and the themes present in any of its communications.
APT19, APT10, APT26, APT30.
Therefore
Diplomacy matters.
Conventional TTPs: phishing, known APT backdoors, DDoS.
Targets: US and Europe; financial services, space, education.
APT28, APT29, a.k.a. TSAR TEAM, Pawn Storm, Sednit, Sofacy, Fancy Bear, Strontium / CozyDuke, CozyBear, SeaDuke, MiniDionis.
Attack lifecycle, by phase:
Initial Compromise: ad-hoc sites / legitimate sites.
Establish Foothold: SOURFACE, OLDBAIT, CHOPSTICK.
Escalate Privileges: WCE, MIMIKATZ, PROCDUMP, Golden Kerberos Ticket.
Internal Recon: NET Windows command / VBS.
Lateral Movement: CHOPSTICK + PSEXEC / MIMIKATZ PTT + PS / Forged Kerberos Ticket.
Maintain Persistence: CHOPSTICK / EVILTOSS / WMI + PS / PS (GDOCS backdoor).
Complete Mission: CnC + SSL + RAR / steganography / social networks tunnel / satellite.
Therefore
Group Profile: The 'Vendetta Crew'
Key Findings:
Team of 2 hackers.
Outsourcing of compromised POS / R.Sharing.
Reselling of skimmers / tools / know-how.
Customer satisfaction / 24h ICQ support.
1nsider
p0s3id0n
E-mails
info@ccn-cert.cni.es
ccn@cni.es
sat-inet@ccn-cert.cni.es
sat-sara@ccn-cert.cni.es
organismo.certificacion@cni.es
Websites
www.ccn.cni.es
www.ccn-cert.cni.es
www.oc.ccn.cni.es
Follow us on