TRANSCRIPT
Analysis of Major Global APT Attack Incidents
Paul J.S. Oliveria TrendLabs, Trend Micro
Trend Micro Global Technical Support and Research and Development Center
Trends in Cyber Attacks and Targeted Threats
8/27/2012 2 Confidential | Copyright 2012 Trend Micro Inc.
Classification 8/27/2012 3
The Wikipedia Description of APTs
What are Advanced Persistent Threats?
• Advanced persistent threats (APTs) or targeted attacks are computer intrusions staged by threat actors that aggressively pursue and compromise specific targets.
• They often leverage social engineering and malware, seeking to maintain a persistent presence inside the network.
• They move laterally throughout the network to extract sensitive information.
The LURID Campaign: 1,465 compromised computers in 61 countries
Some Observed Characteristics of APTs
• The attacks are typically part of broader campaigns.
• They may exploit vulnerabilities in popular software.
• Unlike traditional profit-oriented cybercrime, they are not automated, indiscriminate, or opportunistic in nature.
• They are deliberate, purposeful and persistent.
• Distribution is low, impact is high.
Inside an APT attack
Stages of an APT
Some Documented APT Targets
• Civil society organizations
– Activist groups
• Business enterprises
– Utilities
– Energy
– Financial institutions
• Government and military networks
Sample APT investigation by Trend Micro researchers
Inside the Luckycat Investigation
APT investigations take time
Luckycat Modus Operandi
• Victims: Aerospace, Energy, Engineering, Shipping, Military research, Tibetan activists
• Victim Locations: India, Japan, Tibet
• Preferred Malware: TROJ_WIMMIE
• Modus Operandi:
– Socially engineered targeted email
– Exploits delivered in Microsoft Office document, Adobe Reader or Adobe Flash attachments
– Free web hosting domains as C&C
– Identifiable HTTP C&C communication fingerprint:
count.php?m=c&n=[HOSTNAME][MAC ADDRESS]_[CAMPAIGN_CODE]@
The full beacon request looks like this:
POST /count/count.php?m=c&n=[HOSTNAME][MAC ADDRESS]_[CAMPAIGN_CODE]@ HTTP/1.0
Accept: */*
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: [HOSTNAME]
Content-Length: 0
Connection: Keep-Alive
Pragma: no-cache
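The beacon above is stable enough to match in proxy or IDS logs. The following is an added example (not code from the slides or from Trend Micro) that parses a raw HTTP request and reports whether it carries the Luckycat count.php fingerprint, returning the hostname, MAC address and campaign code the beacon leaks. It assumes the MAC address is written as 12 hex digits without separators (the slide does not say); the sample requests, the hostname WORKSTATION01, the campaign code lc01 and the C&C host name are constructed for the example.

```python
import re
from typing import Optional

# Fingerprint features taken from the beacon shown on the slide: a POST to
# count.php with the query m=c&n=<HOSTNAME><MAC ADDRESS>_<CAMPAIGN_CODE>@,
# an empty body (Content-Length: 0) and a fixed MSIE 7.0 / Windows NT 5.1
# User-Agent. The MAC layout (12 hex digits, no separators) is an
# assumption made for this example.
REQUEST_LINE_RE = re.compile(
    r"^POST\s+(?P<path>\S*?/count\.php)\?(?P<query>\S+)\s+HTTP/1\.[01]\s*$"
)
BEACON_QUERY_RE = re.compile(
    r"(?:^|&)m=c&n=(?P<host>.*?)(?P<mac>[0-9A-Fa-f]{12})_(?P<campaign>[^@&]+)@"
)
LUCKYCAT_USER_AGENT = (
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; "
    ".NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
)


def parse_luckycat_beacon(raw_request: str) -> Optional[dict]:
    """Return the fields of a Luckycat-style beacon, or None if the request
    does not match the count.php fingerprint."""
    lines = raw_request.strip().splitlines()
    if not lines:
        return None
    req = REQUEST_LINE_RE.match(lines[0].strip())
    if req is None:
        return None
    query = BEACON_QUERY_RE.search(req.group("query"))
    if query is None:
        return None  # count.php, but not the m=c&n=<host><mac>_<code>@ layout
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    indicators = ["count.php beacon with m=c&n=<host><mac>_<campaign>@"]
    if headers.get("content-length") == "0":
        indicators.append("empty POST body (Content-Length: 0)")
    if headers.get("user-agent") == LUCKYCAT_USER_AGENT:
        indicators.append("hard-coded MSIE 7.0 / Windows NT 5.1 User-Agent")
    return {
        "hostname": query.group("host"),
        "mac": query.group("mac").upper(),
        "campaign_code": query.group("campaign"),
        "c2_host": headers.get("host"),
        "indicators": indicators,
    }


# Constructed sample: the slide's beacon with placeholder values filled in.
# Hostname, MAC, campaign code and C&C host are invented for this example.
SAMPLE_BEACON = """\
POST /count/count.php?m=c&n=WORKSTATION01001122AABBCC_lc01@ HTTP/1.0
Accept: */*
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: c2.free-hosting.example
Content-Length: 0
Connection: Keep-Alive
Pragma: no-cache
"""

# Constructed benign request to a page with the same file name (a web hit
# counter), which must not be flagged.
SAMPLE_BENIGN = """\
POST /count.php?page=home HTTP/1.1
Host: www.example.org
Content-Length: 0
"""


if __name__ == "__main__":
    for name, raw in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        print(name, parse_luckycat_beacon(raw))
```

The query layout is the strongest part of the signature: a hit counter named count.php is common, so the check only fires when the n= parameter has the hostname, MAC address and campaign code glued together and terminated by @. The empty body and the fixed User-Agent are reported as supporting indicators rather than required, because either can change between builds.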
Luckycat Modus Operandi
• Be on the lookout for the same password and/or mutex in Poison Ivy
– Poison Ivy default password: admin
– Poison Ivy default mutex: )!VoqA.I4
• Samples observed (hash, victim, password, mutex):
– 84e11e5b64295ef0bdbffb2a90cc8597, Military organization in EU, Password: menuPass, Mutex: DKD&SHJ#A
– 3E5633CB2BD4FE1405A233C9190F027, Heavy industry in JP, Password: menuPass, Mutex: *^%fahk)F
– D9d33223596ebf47c3de8f6ccae9a6bb, Government organization in EU, Password: admin, Mutex: rdgSxQc12
• Samples linked by victim location and C&C IP:
– d9d33223596ebf47c3de8f6ccae9a6bb, EU, Mutex: rdgSxQc12
– Fe20e5bb2cf5108c19209b03fb08f259, SK
– F0ee1f777d1c6a009c37cbcbf81f3a5a, SK, IP: 180.178.60.126
– 4ccd860931feb04a340833e0ad262833, JP, IP: 112.121.171.94
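The slide's point is that builder artefacts (password, mutex) and infrastructure (C&C IP) let an analyst link samples from different victims to one operator, while the Poison Ivy defaults it quotes must be ignored because every untouched build shares them. The following is an added example, not code from the slides or from Trend Micro, that clusters samples on exactly those pivots with a small union-find. The hashes, passwords, mutexes, locations and IPs are the ones printed on the slide (the slide's own diagram does not state which of them it connects); the two samples named constructed-sample-A and constructed-sample-B are invented to show the default-value and shared-IP cases.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Poison Ivy builder defaults quoted on the slide. A sample that only carries
# these values says nothing about who built it, so they are never pivots.
POISON_IVY_DEFAULT_PASSWORD = "admin"
POISON_IVY_DEFAULT_MUTEX = ")!VoqA.I4"


@dataclass(frozen=True)
class Sample:
    file_hash: str            # hash exactly as printed on the slide
    victim: str               # sector / location as printed on the slide
    password: Optional[str] = None
    mutex: Optional[str] = None
    c2_ip: Optional[str] = None


# Values from the slide, plus two constructed samples (marked) that exercise
# the default-value and shared-IP cases.
SAMPLES = [
    Sample("84e11e5b64295ef0bdbffb2a90cc8597", "Military organization, EU", "menuPass", "DKD&SHJ#A"),
    Sample("3E5633CB2BD4FE1405A233C9190F027", "Heavy industry, JP", "menuPass", "*^%fahk)F"),
    Sample("d9d33223596ebf47c3de8f6ccae9a6bb", "Government organization, EU", "admin", "rdgSxQc12"),
    Sample("Fe20e5bb2cf5108c19209b03fb08f259", "SK"),
    Sample("F0ee1f777d1c6a009c37cbcbf81f3a5a", "SK", c2_ip="180.178.60.126"),
    Sample("4ccd860931feb04a340833e0ad262833", "JP", c2_ip="112.121.171.94"),
    # constructed: a build left on the defaults must not be linked to anything
    Sample("constructed-sample-A", "constructed", "admin", ")!VoqA.I4"),
    # constructed: shares a C&C IP with the JP sample above
    Sample("constructed-sample-B", "constructed", c2_ip="112.121.171.94"),
]


def pivot_keys(sample: Sample) -> list:
    """Attributes worth pivoting on: non-default password, non-default mutex, C&C IP."""
    keys = []
    if sample.password and sample.password != POISON_IVY_DEFAULT_PASSWORD:
        keys.append(("password", sample.password))
    if sample.mutex and sample.mutex != POISON_IVY_DEFAULT_MUTEX:
        keys.append(("mutex", sample.mutex))
    if sample.c2_ip:
        keys.append(("c2_ip", sample.c2_ip))
    return keys


def cluster_samples(samples) -> list:
    """Union-find over shared pivot keys; returns clusters as sorted hash lists."""
    parent = list(range(len(samples)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    first_seen = {}
    for idx, s in enumerate(samples):
        for key in pivot_keys(s):
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])   # merge the two clusters
            else:
                first_seen[key] = idx

    groups = defaultdict(list)
    for idx, s in enumerate(samples):
        groups[find(idx)].append(s.file_hash)
    return sorted(sorted(g) for g in groups.values())


def shared_indicators(samples) -> dict:
    """Map each pivot key to the hashes carrying it (only keys seen on 2+ samples)."""
    seen = defaultdict(list)
    for s in samples:
        for key in pivot_keys(s):
            seen[key].append(s.file_hash)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for cluster in cluster_samples(SAMPLES):
        print("cluster:", ", ".join(cluster))
    for key, hashes in shared_indicators(SAMPLES).items():
        print("shared", key, "->", hashes)
```

On the slide's data the non-default password menuPass joins the EU military and JP heavy-industry samples into one cluster, the sample built with the default admin password stays on its own even though the constructed default-mutex sample carries the same password, and the constructed sample sharing 112.121.171.94 is pulled into the JP sample's cluster by infrastructure alone. Treating defaults as non-pivots is what keeps unrelated Poison Ivy builds from collapsing into one false cluster.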
Recent Developments
IXESHE: campaigns used compromised machines belonging to entities associated with the original target as their C&C servers
APTs Go Mobile
• Android malware was found on Luckycat servers
• The malicious apps had RAT-like functionality, allowing them to:
– Explore the device to seek out sensitive information
– Upload this information to remote servers
– Download a newer version of the malware
Traditional security paradigms no longer apply
How enterprises can deal with APTs
• Enhance network visibility and monitoring for insight and control
• Consider solutions that can do integrity checks
• Empower the humans
Thank You!