全球重大apt攻擊事件剖析 - trend micro › micro › cloudsec › event › slides ›...

全球重大APT攻擊事件剖析

Paul J.S. Oliveria TrendLabs, Trend Micro

趨勢科技全球技術支援與研發中心

Paul J.S. Oliveria TrendLabs, Trend Micro

Trends in Cyber Attacks and Targeted Threats

8/27/2012 2 Confidential | Copyright 2012 Trend Micro Inc.

Classification 8/27/2012 3


The Wikipedia Description of APTs

What are Advanced Persistent Threats?

• Advanced persistent threats (APTs) or targeted attacks are computer intrusions staged by threat actors that aggressively pursue and compromise specific targets.

• They often leverage social engineering and malware, seeking to maintain a persistent presence inside the network.

• They move laterally throughout the network to extract sensitive information.



1,465 compromised

computers in 61 countries

Th LURID Campaign

Some Observed Characteristics of APTs

• The attacks are typically part of broader campaigns.

• They may exploit vulnerabilities in popular software.

• Unlike traditional profit-oriented cybercrime, they are not automated, indiscriminate, or opportunistic in nature.

• They are deliberate, purposeful and persistent.

• Distribution is low, impact is high.


Inside an APT attack


Stages of an APT


Some Documented APT Targets

• Civil society organizations

– Activist groups

• Business enterprises

– Utilities

– Energy

– Financial institutions

• Government and military networks


Sample APT investigation by Trend Micro researchers

Inside the Luckycat Investigation



APT investigations

take time

Luckycat Modus Operandi


• Victims: Aerospace, Energy, Engineering, Shipping, Military research, Tibetan activists

• Victim Locations: India, Japan, Tibet

• Preferred Malware: TROJ_WIMMIE

• Modus Operandi:

– Social engineered targeted email

– Exploit MS doc, Adobe Reader or Adobe Flash attachment

– Free web hosting domains as C&C

– Identifiable HTTP C&C communication fingerprint

count.php?m=c&n=[HOSTNAME]

[MAC ADDRES]_[CAMPAIGN_CODE]@


POST/count/count.php?m=c&n=[HOSTNAME][MAC ADDRES]_[CAMPAIGN_CODE]@

HTTP/1.0

Accept: */*

UA-CPU: x86

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET

CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Host: [HOSTNAME]

Content-Length: 0

Connection: Keep-Alive

Pragma: no-cache



• Be on the lookout for the same password and/or mutex in Poison Ivy

Password

Default: admin

Mutex

Default: )!VoqA.I4

Company: Military

Organization in EU

84e11e5b64295ef0bdbf

fb2a90cc8597

Password: menuPass

Mutex: DKD&SHJ#A

Company: Heavy

Industry in JP

3E5633CB2BD4FE1405A2

33C9190F027

Password: menuPass

Mutex: *^%fahk)F

Company: Government

Organization in

EU

D9d33223596ebf47c3de

8f6ccae9a6bb

Password: admin

Mutex: rdgSxQc12


d9d33223596ebf47c3

de8f6ccae9a6bb - EU

mutex: rdgSxQc12:

Fe20e5bb2cf5108c19

209b03fb08f259 - SK

F0ee1f777d1c6a009c

37cbcbf81f3a5a - SK

IP: 180.178.60.126

4ccd860931feb04

a340833e0ad2628

33 - JP

IP: 112.121.171.94

Recent Developments



Campaigns used

compromised

machines belonging

to entities associated

with the original

target as their C&C

servers

IXESHE


APTs GO MOBILE

• Android malware were found in

Luckycat servers

• The malicious apps had a RAT-like

functionality, allowing them to:

• Explore the device to seek out

sensitive information

• Upload this information to

remote servers

• Download a newer version of the

malware

Traditional security paradigms no longer apply

How enterprises can deal with APTs



Enhance the network visibility

and monitoring for insight and

control

Consider solutions that can do

integrity checks

Empower the humans.

Thank You!


[email protected]

mailto:[email protected]

全球重大apt攻擊事件剖析 - trend micro › micro › cloudsec › event › slides ›...

Documents