ShadyRAT: Anatomy of targeted attack

Slide 1: ShadyRAT: Anatomy of targeted attack
Vladislav Radetskiy, vr@bakotech.com

Notes: Hello everyone. My name is Vlad and I want to tell you a story, a story about one attack: ShadyRAT.

Slide 2: About me
- Started in 2007 as Help Desk, then System Administrator.
- 4 years of experience in IT outsourcing.
- Working in BAKOTECH Group since 2011.
- Information security was previously my hobby; now it is my job.
- I am responsible for technical support of McAfee solutions.
Vladislav Radetskiy, Technical Lead, C|EH applicant

Notes: What do you need to know about me? I am a technical person, responsible for Intel (McAfee) solutions support. To be extremely short: thank God, I really like my job. When we talk about information security it is always 50/50: 50% technical engineering and 50% communication with people. (I will get back to this sentence at the end of my speech.)

Slide 3: Agenda
- Terminology; today's battleground of cybersecurity
- ShadyRAT: a successful long-term complex cybercrime operation
- How can we protect our clients from such advanced attacks?

Notes: Before we move to the story, let's spend a couple of minutes on basics to be sure that we understand each other. Then, once you are prepared, I will tell you the story. I will give some examples and protection solutions at the end of my speech.

Slide 4: Basics #1
- Open-source intelligence (OSINT): getting information from public sources. Usual OSINT sources are Google, Facebook, LinkedIn etc.
- Social Engineering: an act of deception and manipulation of a human to get profit: money, information disclosure, access to a restricted area etc. Famous examples: Frank William Abagnale (Catch Me If You Can), Kevin Mitnick.

Notes: Let's start with non-technical concepts. OSINT came to us from the military. It started in World War 2 and evolved enormously during the Cold War (the decryption of a picture of the Urals Electric Power System from the magazine Ogonyok in 1958). Literally it means obtaining data from public sources. In the past these sources were books, magazines etc. Nowadays the major source of OSINT is the Internet, I mean resources like Google, Facebook, Twitter, LinkedIn etc. Social Engineering is an act of psychological manipulation or deception against someone. This is my own explanation; if you want, you can find more on the Internet. The best example of social engineering is the movie Catch Me If You Can; I suppose many of you watched this film with Tom Hanks and DiCaprio. The plot of the movie was based on a real person, Frank Abagnale, who posed as a Pan American pilot and made quick money on check fraud. The FBI later turned him to help with investigations of financial crimes. It is a very nice example of social engineering.

Slide 5: OSINT during the Cold War
The decryption of a picture from the CIA library: 3 months of analysis by Charles V. Reeves from Boston Edison.

Notes: Historical example of OSINT from 1958 (quoted from the CIA account): "was to get confirmation of his theories and deductions within the year, an event that happens all too seldom in the intelligence business except when catastrophe strikes. In July 1959 a U-2 photographed both Nizhnyaya Tura and Verkh Neyvinsk, Kyshtym being cloud-covered. Charlie was right on the substation array at the Nizhnyaya Tura complex, which turned out to be a nuclear weapons fabrication and stockpile site. The Verkh Neyvinsk gaseous diffusion plant had substations much like Charlie had deduced, though one had been cropped from the Ogonek picture. His view that the dots nearest the transmission lines represented switches rather than transformers proved correct, and his decision to estimate power usage from lines and generating stations rather than from substations was vindicated. Detailed examination of the U-2 photography showed that his estimate on power usage at Verkh Neyvinsk was only about 10 percent high, a truly remarkable achievement from a censored photograph."

Slide 6: OSINT nowadays
- Getting information about someone is not rocket science: a couple of hours, or even less with tools.
- Name, DOB, job, family status; habits, likes & dislikes, complexes.
- "You Are What You Google": Steven Rambam's law.
- Anything you post in this thread will be on the Internet forever, so be careful!

Slide 7: Basics #2
- Cyber-attack: a sequence of steps to compromise an IT system
- Advanced Persistent Threat (APT): a targeted, covert, long-term attack
- Vulnerability: a defect (a bug) in software (Microsoft, Adobe, Java)
- Exploit: a tool to take advantage of a vulnerability

Notes: Concepts here: a cyber-attack, or attack, is an aggressive act against an IT system to get data, cause a DoS, or gain remote control. The target may be a single server/desktop or a whole infrastructure. An APT is a dangerous type of attack. There is a simple analogy. I hope many of you watched Heat (1995), the movie about a bank robbery with Al Pacino and De Niro? A nice film with a canonical gunfight directed by Andy McNab (Special Air Service (SAS) patrol Bravo Two Zero). But let's stick to the point. A common cyber-attack is like De Niro's team: go in and go out with the money. It is harmful and loud, but it is noticeable. An APT is more complicated and more hidden, usually a long-term action. It is like putting our men in a foreign organization to steal data over months or even years: the Manchurian Candidate. Do you see what I mean? APTs are more dangerous because sometimes the victim does not even know about the source of the data/money leak. A vulnerability is a bug in software, some defect which can be used by attackers to compromise a system or make it perform an action for which the software was not intended. An exploit is a tool which anyone can get/buy and try to use to take advantage of a bug in a system/application.

Slide 8: Basics #3
- Remote Access Tool (RAT): a tool for remote control of a hacked system: Trojan / backdoor / meterpreter etc.
- Command and Control (C&C): servers on the Internet which attackers use to control compromised systems and interact with persistent malware
- Steganography: a method of hiding data/code inside files (images)
(This is the last one, I promise.)

Notes: The story which I prepared for you is named ShadyRAT. RAT is an acronym for Remote Access Tool. This is an instrument for remote control of a compromised system. It can be any sort of Trojan or other backdoor. A C&C is a server running somewhere on the Internet which gives attackers the possibility to send commands to the RAT on a compromised system. It is like the HQ of a crime organization. Steganography is all about hiding data in files; for example, hiding part of a text inside a file, usually a picture. Such techniques are sometimes used by criminals to cover their tracks.

Slide 9: Briefing about the modern battleground
Cyber-criminals:
- make attacks for information or money
- can use prepared tools (regardless of their technical skills)
- can choose anyone as their target
- use OSINT and social engineering (to make the perfect lure)

Notes: You should know some things about our enemy. The Internet and the people who use IT are the two factors which changed the rules of hacking/cyber-crime. First of all we must agree that now cyber-crime is a business to make money. From my humble experience I can say that many people have a stereotype of a hacker: people think that attackers are always high-skilled tech experts. It is not true, not in every case. I want to explain to you that today anyone can download or buy tools and try to attack. I mean there is no secret knowledge. I must also say something about a great delusion: an attacker can choose anyone as a target. Position, salary, industry and other criteria do not really matter. Anyone who uses IT can be a target, maybe not personally, but as an entry point, as the weakest link. And I remind you one more time about the pair OSINT + Social Engineering.

Slide 10: ShadyRAT
In 2011 McAfee Labs gained access to one C&C server. From the server logs:
- Duration of operation: 5+ years
- Number of victims: 70+
- Average duration of persistence: ~9 months
- Outcome: stolen data
- Scope of targets: government, private, non-profit organizations

Notes: The story about ShadyRAT. OK, now you are prepared for my story and I hope you will enjoy it. In 2011 McAfee engineers got access to a cyber-crime C&C server. Analysis of its logs gave McAfee the details of the APT. The operation ran for about 5 years and the number of victims was about 70. Average persistence in a particular victim's infrastructure was about 9 months. All this was used to gain access to information (intellectual property, private data, source code, bug databases, emails, negotiation plans, contracts etc.).

Slide 11: ShadyRAT (map of victims)

Notes: As you can see, the attack was all around the world. This is the first notable aspect: usually an APT is targeted at a limited group of people or one organization. ShadyRAT had a wide victim geography, about 14 countries. Most targets were from the US and Canada, and others from European and Asian countries.

Slide 12: ShadyRAT (victims by type)

Notes: Here we have more details about the victims. McAfee categorized all victims by their type/business field. Please pay attention to the marked types. When we talk about non-profit organizations we can assume that they do not have enough budget for cyber security, or we can suppose that they do not pay enough attention. But look, we have organizations from Government, Industry and Technology in our list. Even some DoD contractors were compromised. This is the main message of my report: APTs which involve OSINT and social engineering are dangerous even for solid companies which have money for security. The main problem is that we should pay much more attention to the people who work in the company, not only to technical measures, because anyone can be used as an entry point.

Slide 13: ShadyRAT
Sample lure email:
"Hi, Bob. Remember me? It's me, John. We were together at the last Yankees game. Listen, I can give you a great discount on ___________ . Thanks in advance."

Notes: 1st step. The attacker uses information collected from Facebook/LinkedIn, for example, to create a fake email for Bob. It can be a wide range of pretexts: a nice old friend, a request for help, an offer of a great discount etc. The more data about Bob, the more real the lure will be. All this to make Bob open a URL, a file etc., to make one step in the wrong direction and begin the attack.

Slide 14: ShadyRAT
Bob trustfully opened the attached file, which used a vulnerability to install a RAT on Bob's system.

Notes: If Bob was not careful enough, he took the lure and opened the file from the fake email. A wrong step for Bob, but for the attacker a small step forward. In the attached file was an exploit, which used a vulnerability in software to silently install a RAT on Bob's system.

Slide 15: ShadyRAT
The RAT communicates with the C&C server to get instructions.

Notes: 2nd step. The RAT was deployed and communicates with the C&C to get directions.

Slide 16: ShadyRAT
The attacker sends commands: Sleep / Download / Upload. The RAT communicates with the C&C server to get instructions.

Notes: 3rd step: the attacker manipulates the RAT through the C&C by sending commands.

Slide 17: ShadyRAT
The RAT transfers private data from Bob's system to the C&C server. The channel between the RAT and the C&C was concealed by steganography: it is like a smokescreen for security staff.

Notes: The RAT gets a command to collect and send data. Another notable difference is that all communication between the RAT and the C&C was concealed with steganography to hide any clues. So even if the company where Bob works has some security staff and equipment, they did not notice anything suspicious. The compromised system just requests some web pages (HTML) and images from time to time. It is like a smokescreen for the guards.

Slide 18: ShadyRAT
It's payday for the attacker: collecting the stolen data, which can be sold for real money.

Notes: 4th step: payday. The attacker downloads the collected data from the C&C server. This information can be sold for money later or used for blackmail.

Slide 19: ShadyRAT
This can be repeated again & again, for 3-9 months. And Bob didn't notice anything. Meanwhile his company goes down...

Notes: The biggest danger is that Bob may not even know about the breach and data leak. The company where Bob works may go down because competitors will outstrip it, all because competitors pay for the stolen information (negotiation / finance plans, source code etc.).

Slide 20: ShadyRAT, step by step
1. Attackers choose a victim company
2. Gather information about employees via OSINT
3. Use social engineering to compose fake emails with attached files
4. Victims receive the fake email and open the attached file (.xls)
5. The exploit in the attached file is used to deploy the RAT
6. The RAT establishes outbound connections to the C&C and transfers data
7. Commands to the RAT are hidden by steganography (HTML, images)

Notes: Again, step by step.
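Step 6 of the chain above is the part the security staff could in principle see: the RAT's check-ins look like ordinary HTML and image requests, but they are far more regular than human browsing. The following is an added example, not code from the talk or from McAfee: it parses constructed proxy log lines in an assumed format (`epoch client host path status bytes`) and flags client-to-host request series whose inter-arrival times are nearly constant.

```python
"""Flag periodic check-ins ("beaconing") in HTTP proxy logs.
Assumed log format (constructed for this example, not a real product):
"<epoch> <client_ip> <host> <path> <status> <bytes>"."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 fetches the same image from one host every
# ~300 s with tiny jitter (a RAT check-in); 10.0.0.7 browses normally.
SAMPLE_LOG = """\
1700000000 10.0.0.5 img.example-cdn.test /banner.jpg 200 8412
1700000301 10.0.0.5 img.example-cdn.test /banner.jpg 200 8412
1700000599 10.0.0.5 img.example-cdn.test /banner.jpg 200 8412
1700000902 10.0.0.5 img.example-cdn.test /banner.jpg 200 8412
1700001200 10.0.0.5 img.example-cdn.test /banner.jpg 200 8412
1700000010 10.0.0.7 news.example.test /index.html 200 51234
1700000013 10.0.0.7 news.example.test /sports.html 200 44120
1700000090 10.0.0.7 news.example.test /logo.png 200 3120
1700002900 10.0.0.7 news.example.test /index.html 200 51298
1700003600 10.0.0.7 news.example.test /world.html 200 60021
"""

def parse(log_text):
    """Yield (timestamp, client, host) for each log line."""
    for line in log_text.splitlines():
        ts, client, host, _path, _status, _size = line.split()
        yield int(ts), client, host

def find_beacons(log_text, min_requests=5, max_jitter=0.1):
    """Return {(client, host): period_seconds} for request series whose
    inter-arrival times are nearly constant: coefficient of variation
    (stdev / mean of the gaps) below max_jitter, with at least
    min_requests requests so that a coincidence is unlikely."""
    series = defaultdict(list)
    for ts, client, host in parse(log_text):
        series[(client, host)].append(ts)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons[key] = round(avg)
    return beacons

if __name__ == "__main__":
    for (client, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: check-in every ~{period} s")
```

A real RAT may randomize its sleep interval, so in practice the jitter threshold is tuned against the organization's own baseline rather than fixed at 10%.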
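Step 7 of the chain, and slide 8 before it, describe steganography as hiding data inside image files. One cheap check a defender can run over attachments or proxy-cached images is to verify that an image ends where its format says it should: bytes after a PNG IEND chunk or a JPEG EOI marker are an indicator worth pulling the file for analysis. This is an added example, not ShadyRAT or McAfee code; the minimal PNG and the appended payload are constructed here.

```python
"""Detect data appended after an image's logical end (PNG IEND chunk or
JPEG EOI marker), a cheap indicator of payload smuggling in attachments.
Added example; the sample image and payload are constructed."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end_offset(data):
    """Walk PNG chunks; return the offset just past IEND, None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length      # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None

def jpeg_end_offset(data):
    """Return the offset just past the last EOI marker (FF D9), else None.
    rfind: EXIF thumbnails carry their own EOI; a payload that itself
    contains FF D9 would slip past this simple check."""
    if not data.startswith(b"\xff\xd8"):
        return None
    eoi = data.rfind(b"\xff\xd9", 2)
    return None if eoi < 0 else eoi + 2

def trailing_bytes(data):
    """Bytes after the image's end; None if not a recognised, intact image."""
    end = png_end_offset(data)
    if end is None:
        end = jpeg_end_offset(data)
    return None if end is None else len(data) - end

def _chunk(ctype, body):
    """Encode one PNG chunk (length, type, data, CRC32 over type+data)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed 1x1 8-bit greyscale PNG: IHDR + IDAT (filter 0, one pixel) + IEND.
CLEAN_PNG = (PNG_SIG
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x80"))
             + _chunk(b"IEND", b""))
APPENDED = b"constructed hidden payload"
TAMPERED_PNG = CLEAN_PNG + APPENDED      # same picture, extra bytes after IEND
```

Data hidden in pixel values or in HTML comments does not show up this way, so the check complements, rather than replaces, sandbox analysis of the file.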
Slide 21: ShadyRAT: What's the matter?!
- Attackers used vulnerabilities in the system along with social engineering
- Attackers had the ability to search and collect data for months
- The operation was not so complex (technically), rather simple
- The RAT was undetected for months (9 - 28)
- Outcome = a big amount of data which can be sold for money or used later for blackmail

Notes: You can ask me: "So what? Someone opened an .XLS file and lost data. Not a big story." It is a normal question, but listen. ShadyRAT is only one example. They (the attackers) used only one vulnerability, nothing complex. This attack could have been more complicated, but even at this simple level they succeeded. The RAT was undetected, in 90% of cases, for a long period of time. Even when protection measures were enough to detect the RAT, the companies usually did not make a full investigation to track the leaked data.

Slide 22: Any lessons learned after ShadyRAT? No!
July 2014 - January 2015: meet CTB-Locker (Critroni)
- Crypto ransomware: 350-700 $ to decrypt the data
- Spreads by random, not targeted, SPAM

Notes: It's not an APT. It was a couple of months ago. The email was totally fake: no OSINT, no custom text. But still someone opened those files.
Slide 23: Any lessons learned after ShadyRAT? No! Meet CTB-Locker (Critroni)

Notes: Sample of the CTB-Locker screen.

Slide 24: How can we protect against APT: components

Notes: Let's talk about protection. A single AV is not the answer. Intel (McAfee) provides complex endpoint protection to minimize the risk of APT.

Slide 25: How can we protect against APT

Notes: Just imagine a protection system which acts like the human immune system: it reacts to threats and is capable of self-learning. TIE is a DB of threats, a storage of profiles. ATD is a sandbox which provides static and dynamic analysis of potentially harmful files/attachments/URLs. We cannot get a patch for the human vulnerability. Even trained people can make a mistake. But we can run and test the behavior of potentially harmful files before they are executed on desktops/servers.

Slide 26: Conclusions
- Cybercrime today is a way to make money: a business
- Almost anyone can take tools and try to break in (Kali Linux, msf etc.)
- At the same time anyone can be chosen as a target
- Be aware of targeted attacks, OSINT and social engineering

Notes: After all, let's repeat the key points. Cyber-crime is just business. There are prepared tools, so the attacker can be a non-technical person (now it's not a problem). Anyone who works with computers, with IT in general, is at risk.

Slide 27: Sources
- Dmitri Alperovitch, Vice President of McAfee Threat Research: Revealed: Operation Shady RAT (August 2011)
- Bruce Schneier, computer security and privacy specialist: The State of Incident Response (Black Hat USA 2014)
- Steven Rambam, private investigator who uses OSINT, Pallorium, Inc.: Privacy is Dead - Get Over It (2010); Privacy: A Postmortem (2012); Taking Anonymity (2014)

Notes: I really need an additional 30 seconds of your attention. Despite the time limit my story was shor...