ShadyRAT: Anatomy of targeted attack


Vladislav Radetskiy
vr@bakotech.com

Hello everyone. My name is Vlad and I want to tell you a story, a story about one attack: ShadyRAT.

About me
Started in 2007 as Help Desk, then System Administrator.
4 years of experience in IT outsourcing.
Working in BAKOTECH Group since 2011.

Information security was previously my hobby; now it's my job. I am responsible for technical support of McAfee solutions.

https://radetskiy.wordpress.com/
http://www.slideshare.net/Glok17/
http://ua.linkedin.com/pub/vladislav-radetskiy/47/405/809

Vladislav Radetskiy
Technical Lead
C|EH applicant

What do you need to know about me? I am a technical person, responsible for Intel (McAfee) solutions support. To be extremely short: thank God, I really like my job. When we talk about information security it is always 50/50: 50% technical engineering and 50% communication with people. (I will come back to this sentence at the end of my speech.)

Agenda
Terminology, today's battleground of cybersecurity

ShadyRAT: a successful, long-term, complex cybercrime operation

How can we protect our clients from such advanced attacks?

Before we move to the story, let's spend a couple of minutes on basics to be sure that we understand each other. Then, once you are prepared, I will tell you the story. I will give you some examples and protection solutions at the end of my speech.

Basics #1
Open-source intelligence (OSINT): getting information from public sources. Usual OSINT sources are Google, Facebook, LinkedIn etc.

Social engineering: an act of deception and manipulation of a human to get profit: money, information disclosure, access to a restricted area etc. Famous examples: Frank William Abagnale (Catch Me If You Can), Kevin Mitnick.

Let's start with the non-technical concepts.

OSINT came to us from the military. It started in World War 2 and evolved enormously during the Cold War. (Example: the decryption of a picture of the Urals electric power system from the magazine Ogonyok in 1958.) Literally it means obtaining data from public sources. In the past these sources were books, magazines etc. Nowadays the major source of OSINT is the Internet, I mean resources like Google, Facebook, Twitter, LinkedIn etc.

Social engineering is an act of psychological manipulation or deception against someone. This is my own explanation; if you want, you can find more on the Internet. The best example of social engineering is the movie Catch Me If You Can; I suppose many of you watched this film with Tom Hanks and Leonardo DiCaprio. The plot of this movie was based on the real-life person Frank Abagnale, who posed as a Pan American pilot and made quick money on check fraud. The FBI turned him to help with investigations of financial crimes. It's a very nice example of social engineering.

OSINT during the Cold War
The decryption of a picture, from the CIA library

3 months of analysis
by Charles V. Reeves
from Boston Edison
Historical example of OSINT from 1958
https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol11no3/html/v11i3a03p_0001.htm

"Charlie was to get confirmation of his theories and deductions within the year, an event that happens all too seldom in the intelligence business, except when catastrophe strikes. In July 1959 a U-2 photographed both Nizhnyaya Tura and Verkh Neyvinsk, Kyshtym being cloud-covered. Charlie was right on the substation array at the Nizhnyaya Tura complex, which turned out to be a nuclear weapons fabrication and stockpile site. The Verkh Neyvinsk gaseous diffusion plant had substations much like Charlie had deduced, though one had been cropped from the Ogonek picture. His view that the dots nearest the transmission lines represented switches rather than transformers proved correct, and his decision to estimate power usage from lines and generating stations rather than from substations was vindicated. Detailed examination of the U-2 photography showed that his estimate on power usage at Verkh Neyvinsk was only about 10 percent high, a truly remarkable achievement from a censored photograph."

OSINT nowadays
Getting information about someone is not rocket science.
A couple of hours, or even less with tools.

Name, DOB, job, family status
Habits, likes & dislikes, complexes
"You Are What You Google" (Steven Rambam's law)
"Anything you post in this thread will be on the Internet forever, so be careful!"

Basics #2
Cyber-attack: a sequence of steps to compromise an IT system

Advanced Persistent Threat (APT): a targeted, covert, long-term attack

Vulnerability: a defect (a bug) in software (Microsoft, Adobe, Java)

Exploit: a tool to take advantage of a vulnerability (exploit-db.com)

Technical concepts here:

A cyber-attack, or attack, is an aggressive act against an IT system to get data, cause denial of service (DoS) or gain remote control. The target may be a single server/desktop or a whole infrastructure.

An APT is a dangerous type of attack. There is a simple analogy. I hope many of you watched Heat (1995), the movie about a bank robbery with Al Pacino and De Niro? A nice film with a canonical gunfight, directed by Andy McNab (Special Air Service (SAS) patrol Bravo Two Zero). But let's stick to the point. A common cyber-attack is like De Niro's team: go in and go out with the money. It's harmful and loud, but it's noticeable. An APT is more complicated and more hidden, usually a long-term action. It's like placing our man inside a foreign organization to steal data over months or even years, a Manchurian Candidate. Do you see what I mean? APTs are more dangerous because sometimes the victim does not even know about the source of the data/money leak.

A vulnerability is a bug in software, a defect which can be used by attackers to compromise the system or make it perform some action for which the software was not intended.

An exploit is a tool which anyone can get/buy and use to try to take advantage of a bug in a system/application.

Basics #3
Remote Access Tool (RAT): a tool for remote control of a hacked system. Trojan / backdoor / meterpreter etc.

Command and Control (C&C): servers on the Internet which attackers use to control compromised systems and interact with persistent malware

Steganography: a method of hiding data/code inside files (images). (This is the last one, I promise.)

The story which I prepared for you is called ShadyRAT. RAT is an acronym for Remote Access Tool. This is an instrument for remote control of a compromised system. It can be any sort of Trojan or other backdoor.

A C&C is a server running somewhere on the Internet which gives attackers the possibility to send commands to the RAT on a compromised system. It's like the HQ of a crime organization.

Steganography is all about hiding data in files. As an example: hiding a piece of text in a file, usually in pictures. Such techniques are sometimes used by criminals to cover their tracks.

Briefing about the modern battleground
Cyber-criminals:

make attacks for information or money

can use prepared tools (regardless of their technical skills)

can choose anyone as their target

use OSINT and social engineering (to make the perfect lure)

You should know some things about our enemy. The Internet and the people who use IT are two factors which changed the rules of hacking/cyber-crime. First of all we must agree that cyber-crime is now a business to make money. From my humble experience I can say that many people have a stereotype of the hacker: people think that attackers are always highly skilled tech experts. It's not true, not in every case. I want to explain to you that today anyone can download tools, or buy them, and try to attack. I mean there is no secret knowledge. I must also say something about a great delusion: the attacker can choose anyone as a target. Position, salary, industry and other criteria don't really matter. Anyone who uses IT can be a target. Maybe not personally, but as an entry point, as the weakest link. And I remind you one more time about the pair OSINT + social engineering.

ShadyRAT
In 2011 McAfee Labs gained access to one C&C server. From the server logs:

Duration of operation: 5+ years

Number of victims: 70+

Average duration persistence: ~ 9 months

Outcome: stolen data

Scope of targets: government, private and non-profit organizations

The story about ShadyRAT. OK, now you are prepared for my story and I hope you will enjoy it. In 2011 McAfee engineers got access to a cyber-crime C&C server. By analyzing its logs, McAfee got the details of the APT. This operation ran for about 5 years and the number of victims was about 70. Average persistence in a particular victim's infrastructure was about 9 months. All this was used to gain access to information (intellectual property, private data, source code, bug databases, emails, negotiation plans, contracts etc.).
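As an added illustration (not part of the talk, and not McAfee's tooling), here is how the three headline numbers above, operation duration, victim count and average persistence, fall out of a C&C server's check-in log once an analyst has it. The log format and all values are constructed for the example; the real ShadyRAT logs are not reproduced on this page.

```python
# Added example: deriving APT campaign metrics from a C&C check-in log.
# Log format is CONSTRUCTED for illustration: "<date> <victim-id> <sector> <action>",
# one line per time an implant reported in to the C&C server.
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2006-07-03 victim-001 government checkin
2006-09-12 victim-002 defense-contractor checkin
2007-02-20 victim-001 government checkin
2007-03-01 victim-003 non-profit checkin
2007-05-14 victim-001 government checkin
2008-01-09 victim-003 non-profit checkin
2010-11-30 victim-002 defense-contractor checkin
2011-06-15 victim-004 technology checkin
2011-09-01 victim-004 technology checkin
"""


def parse_log(text):
    """Return {victim: (first_seen, last_seen, sector)} from the log lines."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in a hand-extracted log
        date, victim, sector, _action = line.split()
        ts = datetime.strptime(date, "%Y-%m-%d")
        first, last, _ = seen.get(victim, (ts, ts, sector))
        seen[victim] = (min(first, ts), max(last, ts), sector)
    return seen


def summarize(seen):
    """Compute the metrics the talk quotes from the ShadyRAT C&C logs."""
    starts = [first for first, _, _ in seen.values()]
    ends = [last for _, last, _ in seen.values()]
    # persistence per victim = days between its first and last check-in
    persistence = [(last - first).days for first, last, _ in seen.values()]
    by_sector = defaultdict(int)
    for _, _, sector in seen.values():
        by_sector[sector] += 1
    return {
        "operation_days": (max(ends) - min(starts)).days,  # whole campaign span
        "victims": len(seen),                              # distinct implants
        "avg_persistence_days": sum(persistence) / len(persistence),
        "by_sector": dict(by_sector),                      # victim breakdown
    }


if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```

The per-victim span is a lower bound on dwell time: the first check-in is the earliest evidence the server has, not necessarily the initial compromise.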


As you can see, the attack was all around the world. This is the first notable aspect: usually an APT is targeted at a limited group of people or one organization. ShadyRAT had a wide victim geography, about 14 countries. Most targets were from the US and Canada, plus other European and Asian countries.

Here we have more details about the victims. McAfee filtered all victims by their type/business field. Please pay attention to the marked types. When we talk about non-profit organizations we can assume that they do not have enough budget for cyber security, or we can suppose that they do not pay enough attention. But look, we have organizations from Government, Industry and Technology in our list. Even some DoD contractors were compromised. This is the main message of my report: APTs which involve OSINT and social engineering are dangerous even for solid companies which have money for security. The main problem is that we should pay much more attention to the people who work in the company, not only to technical measures, because anyone can be used as an entry point.

ShadyRAT

Hi, Bob.
Remember me? It's me, John.
We were together at the last Yankees game.
Listen, I can give you a great discount on ___________ .
Thanks in advance

1st step
The attacker uses information collected from Facebook/LinkedIn, for example, to create a fake email for Bob. It can be wide range of d