Evolution of APTs in 2016. Trends

www.ccn-cert.cni.es

Alvaro Garcia
FireEye
alvaro.garcia@fireeye.com

X JORNADAS STIC CCN-CERT

Contents

1. Landscape and evolution of cyber espionage.
2. Detail of the TTPs of APT28 and APT29.
3. Cybercrime and business tactics.
4. Forecasts for 2017.

And... of course, thanks to Jens Monrad and the iSight team.

Scale: scale of operations and sophistication level.

TTPs: Tactics, Techniques, and Procedures.

Motivation: based on the group's targets and the themes present in any of its communications.

APT19, APT10, APT26, APT30.

Therefore

- Diplomacy matters.
- Conventional TTPs: phishing, known APT backdoors, DDoS.
- Army takes control of cybersecurity operations.
- Evolving to sophisticated TTPs: ScanBox recon and new CnC methodology (aka Nflog, IsSpace, or Smac).
- High OPSEC commercial targets.
- Activity reduced by 90% since Jun-2014.
- China sea conflict.
- Taiwan independence.
- US and Europe: financial services, space, education.
- Complete new set of tools: CnC infrastructure, malware, etc.
- Low OPSEC political targets.
- 72 active groups, no monolithic behavior.

APT28, APT29
a.k.a. (TSAR TEAM, Pawn Storm, Sednit, Sofacy, Fancy Bear, Strontium / CozyDuke, CozyBear, SeaDuke, MiniDionis).

- Exclusive set of tools: malware and scripting-based techniques.
- Tailored, practiced and disciplined.
- Due to Syria conflict & USA elections.
- Novel TTPs: Ukraine and Syria conflict.
- Not focused on financial interests.
- From steganography and social-network exfiltration to compromised satellites.
- Play offensive to/from foreign espionage.

Attack lifecycle of APT28 and APT29:

Initial Compromise
  APT28: Ad-hoc sites
  APT29: Legitimate sites

Establish Foothold
  APT28: SOURFACE
  APT29: COZYCAR (on demand, 4 plug-ins)

Escalate Privileges
  APT28: OLDBAIT
  APT29: WCE, MIMIKATZ, PROCDUMP, Golden Kerberos Ticket

Internal Recon
  APT28: CHOPSTICK
  APT29: NET Windows command / VBS

Lateral Movement
  APT28: CHOPSTICK + PSEXEC
  APT29: MIMIKATZ PTT + PS / Forged Kerberos Ticket

Maintain Persistence
  APT28: CHOPSTICK / EVILTOSS
  APT29: WMI + PS / PS (GDOCS backdoor)

Complete Mission
  APT28: CnC + SSL + RAR
  APT29: Steganography / Social networks tunnel / Satellite
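The lifecycle slide names the techniques but not how a SOC would notice them. The following is an added example, not code from the talk or from FireEye, showing rule-based detection over Windows event records for three of the listed APT29 TTPs: PsExec lateral movement (System event 7045, service PSEXESVC), WMI + PowerShell persistence (WMI-Activity event 5861 with a command-line or script consumer), and forged or downgraded Kerberos tickets (Security event 4769 with an RC4 ticket in an AES-only domain, or a ticket for an account the directory does not know). The event IDs and field names are the standard Windows ones; the log records, host names and the known-account list are constructed for the example, and the "AES-only domain" assumption is what makes the RC4 rule meaningful.

```python
# Added example (not the speaker's or FireEye's code): small rule engine for the
# APT29 TTPs in the lifecycle table, run over constructed Windows event records.
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    channel: str      # Windows event log channel
    event_id: int     # Windows event ID
    host: str
    data: dict        # selected EventData fields


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4-HMAC in event 4769
WMI_CHANNEL = "Microsoft-Windows-WMI-Activity/Operational"
SUSPICIOUS_CONSUMERS = ("CommandLineEventConsumer", "ActiveScriptEventConsumer")


def rule_psexec_service(ev: Event):
    """System 7045 (service installed): PsExec installs a service named PSEXESVC."""
    if ev.channel == "System" and ev.event_id == 7045:
        name = ev.data.get("ServiceName", "")
        path = ev.data.get("ImagePath", "")
        if "PSEXESVC" in (name + path).upper():
            return Alert("psexec_service_install", ev.host, f"{name}: {path}")
    return None


def rule_wmi_subscription(ev: Event):
    """WMI-Activity 5861: a permanent WMI event subscription was created.
    Command-line or script consumers are the usual shape of WMI + PS persistence."""
    if ev.channel == WMI_CHANNEL and ev.event_id == 5861:
        text = ev.data.get("Message", "")      # constructed field for the example
        hit = next((c for c in SUSPICIOUS_CONSUMERS if c in text), None)
        if hit:
            return Alert("wmi_persistence", ev.host, hit)
    return None


def rule_kerberos_ticket(ev: Event, known_accounts: frozenset):
    """Security 4769 (service ticket requested). In an AES-only domain an RC4
    ticket, or a ticket for an unknown account, points at a forged/injected ticket."""
    if not (ev.channel == "Security" and ev.event_id == 4769):
        return None
    if ev.data.get("Status", "0x0") != "0x0":
        return None                              # failed requests are out of scope here
    user = ev.data.get("TargetUserName", "").split("@")[0].lower()
    etype = ev.data.get("TicketEncryptionType", "")
    if user not in known_accounts:
        return Alert("kerberos_unknown_account", ev.host, user)
    if etype == RC4_HMAC:
        return Alert("kerberos_rc4_downgrade", ev.host,
                     f"{user} -> {ev.data.get('ServiceName', '')}")
    return None


def run_rules(events, known_accounts):
    """Apply every rule to every event; return the alerts in event order."""
    known = frozenset(a.lower() for a in known_accounts)
    alerts = []
    for ev in events:
        for a in (rule_psexec_service(ev), rule_wmi_subscription(ev),
                  rule_kerberos_ticket(ev, known)):
            if a:
                alerts.append(a)
    return alerts


# Constructed sample data (not real telemetry); assumes an AES-only domain.
KNOWN_ACCOUNTS = ["alice", "svc-backup", "WS01$"]
SAMPLE_EVENTS = [
    Event("System", 7045, "WS01", {"ServiceName": "PSEXESVC",
                                   "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    Event("System", 7045, "WS02", {"ServiceName": "Spooler",
                                   "ImagePath": r"C:\Windows\System32\spoolsv.exe"}),
    Event(WMI_CHANNEL, 5861, "WS01",
          {"Message": 'Consumer = CommandLineEventConsumer.Name="updater"'}),
    Event("Security", 4769, "DC01", {"TargetUserName": "alice@CORP.LOCAL",
                                     "ServiceName": "cifs/FS01",
                                     "TicketEncryptionType": "0x12", "Status": "0x0"}),
    Event("Security", 4769, "DC01", {"TargetUserName": "alice@CORP.LOCAL",
                                     "ServiceName": "cifs/FS01",
                                     "TicketEncryptionType": "0x17", "Status": "0x0"}),
    Event("Security", 4769, "DC01", {"TargetUserName": "notexist@CORP.LOCAL",
                                     "ServiceName": "krbtgt/CORP.LOCAL",
                                     "TicketEncryptionType": "0x17", "Status": "0x0"}),
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The benign Spooler install and the AES ticket for a known account produce nothing; the PSEXESVC install, the WMI consumer, the RC4 ticket and the unknown-account ticket each produce one alert. The Kerberos rule only works as a downgrade detector where the domain really does issue AES tickets by default, which is why the known-account list and the domain policy are stated as assumptions.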

APT28, APT29
a.k.a. (TSAR TEAM, Pawn Storm, Sednit, Sofacy, Fancy Bear, Strontium / CozyDuke, CozyBear, SeaDuke, MiniDionis).

Therefore

- Exclusive set of tools: malware and scripting-based techniques.
- Tailored, practiced and disciplined.
- Military dictates their activities in cyberspace.
- Extending the scope of its activity fast.
- Due to Syria conflict & USA elections.
- Novel TTPs: Ukraine and Syria conflict.
- Not focused on financial interests.
- From steganography and social-network exfiltration to compromised satellites.
- Not enough OPSEC (more visible).
- Play offensive to/from foreign espionage.

Group Profile: The 'Vendetta Crew'

Key Findings:
- Team of 2 hackers (1nsider, p0s3id0n).
- Outsourcing compromised POS / R.Sharing.
- Reselling of skimmers / tools / know-how.
- Customer satisfaction / 24h ICQ support.

639 banks, 40 countries. U.S. and Nordics.

- Use of PPTM and DOTM formats in phishing attacks.
- Use of scripting recon tools + encrypted malware payload.
- ICS will be in the spotlight: 30% of the vulnerabilities don't have a patch.
- IoT will lead new cybercrime abuses, e.g. ransomware over vehicles or public transport (e.g. San Francisco Metro, Nov-2016).
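The first forecast above is about macro-enabled Office formats (PPTM, DOTM) as phishing carriers. The following added example, not code from the talk, is the attachment check a mail gateway or triage script can apply: it classifies an attachment by extension and, independently, by content, since OOXML files are zip containers and a VBA project always ships as a vbaProject.bin part, so a macro document renamed to a non-macro extension is still caught. The sample attachments are built in memory and are constructed minimal zips, not real documents; the extension sets and return labels are this example's own choices.

```python
# Added example (not from the talk): flag macro-enabled Office attachments by
# extension and by content (presence of a vbaProject.bin part inside the OOXML zip).
import io
import zipfile

MACRO_EXTENSIONS = {".pptm", ".dotm", ".docm", ".xlsm", ".potm", ".xltm"}
OOXML_EXTENSIONS = MACRO_EXTENSIONS | {".docx", ".dotx", ".pptx", ".potx", ".xlsx", ".xltx"}


def has_vba_project(blob: bytes) -> bool:
    """OOXML documents are zip files; VBA macros live in a vbaProject.bin part
    (word/vbaProject.bin, ppt/vbaProject.bin, xl/vbaProject.bin)."""
    if not blob.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, blob: bytes) -> str:
    """Return one of: macro-enabled, macro-content-extension-mismatch,
    office-no-macro, other. Labels are this example's own."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    macro_ext = ext in MACRO_EXTENSIONS
    macro_content = has_vba_project(blob)
    if macro_content and not macro_ext:
        return "macro-content-extension-mismatch"   # VBA hidden behind a .docx/.pptx name
    if macro_ext or macro_content:
        return "macro-enabled"
    if ext in OOXML_EXTENSIONS:
        return "office-no-macro"
    return "other"


def build_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-like zip for the example (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.dotm", build_ooxml(True)),
                       ("report.docx", build_ooxml(True)),
                       ("report.docx", build_ooxml(False)),
                       ("brochure.pdf", b"%PDF-1.4 constructed")]:
        print(f"{name}: {classify_attachment(name, blob)}")
```

Extension-only filtering is what most mail policies do; the content check is the part that matters, because the extension is attacker-controlled while the vbaProject.bin part is not.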

E-Mails
info@ccn-cert.cni.es
ccn@cni.es
sat-inet@ccn-cert.cni.es
sat-sara@ccn-cert.cni.es
organismo.certificacion@cni.es

Websites
www.ccn.cni.es
www.ccn-cert.cni.es
www.oc.ccn.cni.es

Follow us on