shadyrat: anatomy of targeted attack
TRANSCRIPT
![Page 1: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/1.jpg)
ShadyRAT : Anatomy of targeted attack
Vladislav Radetskiy
![Page 2: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/2.jpg)
About me…
Started in 2007 as Help Desk > System Administrator.
4 years experience in IT Outsourcing.
From 2011 working in BAKOTECH® Group.
Information security was previously my hobby, now it's my job.
I am responsible for technical support of McAfee solutions.
https://radetskiy.wordpress.com/
http://www.slideshare.net/Glok17/
http://ua.linkedin.com/pub/vladislav-radetskiy/47/405/809
Vladislav Radetskiy
Technical Lead
C|EH applicant
![Page 3: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/3.jpg)
Agenda
Terminology, today's battleground of cybersecurity
ShadyRAT – a successful long-term complex cybercrime operation
How can we protect our clients from such advanced attacks?
![Page 4: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/4.jpg)
Basics #1
Open-source intelligence – getting information from public sources.
Usual OSINT sources are Google, Facebook, LinkedIn etc.
Social Engineering – the act of deceiving and manipulating a human for profit: money, information disclosure, access to a restricted area etc.
Famous: Frank William Abagnale (Catch Me If You Can), Kevin Mitnick.
![Page 5: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/5.jpg)
OSINT during Cold War
“The decryption of a picture” from CIA library
3 months of analysis by Charles V. Reeves from Boston Edison
![Page 6: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/6.jpg)
OSINT nowadays
Getting information about someone is not rocket science
A couple of hours, or even less with tools
Name, DOB, job, family status, habits, likes & dislikes, complexes
![Page 7: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/7.jpg)
Basics #2
Cyber-Attack – a sequence of steps to compromise an IT system
Advanced Persistent Threat (APT) – a targeted, covert, long-term attack
Vulnerability – a defect (a bug) in software (Microsoft, Adobe, Java)
Exploit – a tool to take advantage of a vulnerability (exploit-db.com)
![Page 8: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/8.jpg)
Basics #3
Remote Access Tool (RAT) – a tool for remote control of a hacked system
Trojan / Backdoor / meterpreter etc
Command and Control (C&C) – servers on the Internet which attackers use to control compromised systems and interact with persistent malware
Steganography – a method of hiding data/code inside files (images)
![Page 9: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/9.jpg)
Briefing about modern battleground
Cyber-criminals:
make attacks for information or money
can use ready-made tools (regardless of their technical skills)
can choose anyone as their target
use OSINT and social engineering (to make a perfect lure)
![Page 10: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/10.jpg)
ShadyRAT
In 2011 McAfee Labs gained access to one C&C server. From server logs:
Duration of operation: 5+ years
Number of victims: 70+
Average duration of persistence: ~9 months
Outcome: stolen data
Scope of targets: government, private, non-profit org…
![Page 11: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/11.jpg)
![Page 12: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/12.jpg)
![Page 13: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/13.jpg)
ShadyRAT
Hi, Bob. Remember me? It's me, John. We were together at the last Yankees game. Listen, I can give you a great discount on ___________ . Thanks in advance
![Page 14: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/14.jpg)
ShadyRAT
Bob trustfully opened the attached file, which used a vulnerability to install a RAT on Bob's system.
![Page 15: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/15.jpg)
ShadyRAT
The RAT communicates with the C&C server to get instructions
![Page 16: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/16.jpg)
ShadyRAT
Attacker sends a command: Sleep / Download / Upload …
The RAT communicates with the C&C server to get instructions
![Page 17: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/17.jpg)
ShadyRAT
The RAT transfers private data from Bob's system to the C&C server
The channel between the RAT and the C&C was hidden by steganography. It's like a smokescreen for security staff
![Page 18: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/18.jpg)
ShadyRAT
It's payday for the attacker – collecting stolen data, which can be sold for real money
![Page 19: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/19.jpg)
ShadyRAT
This can be repeated again & again for 3-9 months. And Bob didn't notice anything. Meanwhile his company goes down...
![Page 20: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/20.jpg)
ShadyRAT
1. Attackers choose the victim company
2. Gather info about employees by OSINT
3. Use Social Engineering to compose fake emails with attached files
4. Victims receive the fake email and ... open the attached file (.xls)
5. The exploit in the attached file is used to deploy the RAT
6. The RAT establishes outbound connections to the C&C and transfers data
7. Commands to the RAT are hidden by steganography (HTML, images)
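As an added example (not part of the original deck), a small beacon detector in Python: a RAT that polls its C&C for instructions at a fixed interval leaves a regular outbound pattern in proxy logs, and low timing jitter per (client, destination) pair is one way to surface it. The log format, hostnames and thresholds are constructed assumptions.

```python
# Added example, not from the original deck: flag near-regular outbound polling
# ("beaconing") in proxy logs, the pattern a RAT produces while waiting for
# Sleep / Download / Upload commands from its C&C server.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "timestamp client_ip dest_host".
# The first host is polled every ~10 minutes; the second is ordinary browsing.
SAMPLE_LOG = """\
2011-03-01T09:00:00 10.1.1.5 cdn.example-updates.test
2011-03-01T09:10:02 10.1.1.5 cdn.example-updates.test
2011-03-01T09:20:01 10.1.1.5 cdn.example-updates.test
2011-03-01T09:29:59 10.1.1.5 cdn.example-updates.test
2011-03-01T09:40:00 10.1.1.5 cdn.example-updates.test
2011-03-01T09:00:07 10.1.1.5 news.example.test
2011-03-01T09:03:40 10.1.1.5 news.example.test
2011-03-01T09:31:15 10.1.1.5 news.example.test
2011-03-01T09:32:02 10.1.1.5 news.example.test
2011-03-01T10:15:44 10.1.1.5 news.example.test
"""

def parse_log(text):
    """Group request timestamps by (client, destination)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, client, dest = line.split()
        series[(client, dest)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(series, min_requests=5, max_jitter=0.05):
    """Return [(pair, mean_interval_seconds)] for pairs whose request
    intervals are almost constant. Jitter = stdev / mean of the intervals;
    human browsing has high jitter, a sleep-loop RAT has very low jitter."""
    hits = []
    for pair, times in series.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((pair, avg))
    return hits

if __name__ == "__main__":
    for (client, dest), avg in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {client} -> {dest} every ~{avg:.0f}s")
```

Real RATs add random sleep jitter, so in practice the threshold is tuned per environment and combined with other signals (rare destination, fixed request size, off-hours activity).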
![Page 21: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/21.jpg)
ShadyRAT
What's the matter?!
Attackers used vulnerabilities in the system along with social engineering
Attackers had the ability to search and collect data for months
The operation was not so complex (technically), rather simple
The RAT went undetected for months (9 - 28)
Outcome = a big amount of data which can be sold for money or used later for blackmail
![Page 22: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/22.jpg)
Any lessons learned after ShadyRAT? No!
July 2014 – January 2015: Meet CTB-Locker (Critroni)
Crypto ransomware > $350 – 700 to decrypt data
Spreads by random, not targeted, SPAM
![Page 23: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/23.jpg)
Any lessons learned after ShadyRAT? No!
Meet CTB-Locker (Critroni)
![Page 24: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/24.jpg)
How can we protect against APT
Components
![Page 25: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/25.jpg)
How can we protect against APT
![Page 26: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/26.jpg)
Conclusions
Cybercrime today is a way to make money > a business
Almost anyone can take the tools and try to break in (Kali Linux, msf etc)
At the same time anyone can be chosen as a target
Be aware of targeted attacks, OSINT and Social Engineering
![Page 27: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/27.jpg)
Sources
• Dmitri Alperovitch, Vice President of McAfee Threat Research
Revealed: Operation Shady RAT (August 2011)
• Bruce Schneier, computer security and privacy specialist
The State of Incident Response (Black Hat USA 2014)
• Steven Rambam, private investigator who uses OSINT, Pallorium, Inc.
“Privacy is Dead - Get Over It” (2010)
“Privacy: A Postmortem” (2012)
“…Taking Anonymity” (2014)
![Page 28: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/28.jpg)
Example of human vulnerabilities
![Page 29: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/29.jpg)
Example of human vulnerabilities
2012 - Photos of Prince William Expose Royal Air Force Passwords
![Page 30: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/30.jpg)
Example of human vulnerabilities
2014 - FIFA World Cup Brazilian Security Command Center Wi-Fi Pass
b5a2112014
![Page 31: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/31.jpg)
Example of human vulnerabilities
2015 – French TV5Monde exposed passwords during a TV interview > hacked
![Page 32: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/32.jpg)
And please don’t forget …
Sometimes (usually always) Google, Facebook, Twitter and LinkedIn are the primary sources of private information about whole companies and their employees.
Information about the predilections, habits and complexes of chosen people can be recovered by OSINT and used by an attacker as a pretext for Social Engineering.
![Page 33: ShadyRAT: Anatomy of targeted attack](https://reader030.vdocuments.mx/reader030/viewer/2022032421/55a869f81a28abc71b8b45aa/html5/thumbnails/33.jpg)
Thank you for your attention
Vladislav Radetskiy
radetskiy.wordpress.com