50 SHADES OF CRIMEWARE
Manu Quintans // Frank Ruiz
ABOUT US
Frank Ruiz - Threat Intelligence Analyst at Fox IT and member of the non-profit organisation mlw.re.
Manu Quintans - Threat Intelligence Manager at Buguroo / Deloitte, founding member of the non-profit organisation mlw.re, focused on fighting threats on the Internet.
Index
What we know about Cyber-Crime?
Reality Bites
Intelligence
Understand Cyber-Crime activities
New trends at Cyber-Crime
DEMO TIME
Previously on 2013
Examples (We have a Target :)
Bye bye
It's Time Back To Reality
Cyber-Crime Evolutions
Infrastructures
WHAT WE KNOW ABOUT CYBER-CRIME?

Conventions. ciber-: 1. Prefix element, created by shortening the adjective 'cibernético' (cybernetic), that forms part of terms related to the world of computers and virtual reality. (MADAM! I am a T800, I have come from the future to steal your stored-value card.)

ARAB WINTER: SMS INTERCEPTED

MOAR PONY! 1,580,000 website login credentials, 320,000 email accounts, 41,000 FTP account credentials, RDP and SSH access.

APT1. Obama signs the first executive order on cybersecurity. CISPA (Cyber Intelligence Sharing and Protection Act) is being pushed again. Mandiant presents its new SOC at RSA Conference. SecureState gave a talk in 2005 about this group and their tools.
IT'S TIME BACK TO REALITY
UNDERSTAND CYBER-CRIME ACTIVITIES

LAYER #1 - The Undercoat (just for kiddies): Indetectables, DamageLabs, HackForums, DarkC0de, ExploitIN, Antichat.

LAYER #2 - The Limbo (semi-pro): Pustota, Verified, Infraud, CCPRO.

LAYER #3 - The Heaven's Door (gangsta): Maza, TopSecurity, Korovka, Commuizn.

LAYER #4 - From Russia with love (private): CryptoLocker, Sinowal, Gozi Private, ZeusP2P.
FINAL SCENARIO (the four layers together)
Layer #1 - The Undercoat, just for kiddies: Indetectables, DamageLabs, HackForums, DarkC0de, ExploitIN, Antichat.
Layer #2 - The Limbo, semi-pro: Pustota, Verified, Infraud, CCPRO.
Layer #3 - The Heaven's Door, gangsta: Maza, TopSecurity, Korovka, Commuizn.
Layer #4 - From Russia with love, private: CryptoLocker, Sinowal, Gozi Private, ZeusP2P.
PREVIOUSLY ON 2013

First year without new banking Trojans (except KINS, aka Kasper).
Symlink arrested (January).
FBI, with Spanish police cooperation, takes down Liberty Reserve and arrests its CEO (May 2013).
Paunch arrested (BlackHole Exploit Kit) (October).
FBI shuts down Silk Road and arrests Ross William Ulbricht (October).
Target breach :-) (November/December).
ZeusP2P (GameOver) and CryptoLocker takedown (May/June 2014).

It has been a special year in the evolution of the cyber-crime industry. The feeling of impunity begins to disappear. Mid-level groups begin to close and professionalise their assets. Ironically, the vetted gangs start to show some gaps.

These changes are due to: arrests; the proliferation of bloggers / Twitter users 'investigating' the cybercrime scene (the pr0n stars); insider researchers; leaks (pastes, services ...).

SWOT ANALYSIS - Conclusions: the cyber-crime industry is now more closed than ever.
NEW TRENDS

New trends in the cyber-crime industry:
01 POS - POS malware (point-of-sale systems).
02 New mobile malware (e.g. Tor based).
Cryptocurrencies (Bitcoin, Litecoin, Dogecoin): just crypto-mining malware.

POS - POINT OF SALE, BUT WHY? The lack of a banking Trojan for sale and the large increase in demand for cards has moved many players into this business. Citadel users move their business to this new model. The supply of POS malware for sale grows.

POS - POINT OF SALE, what did we find on the markets? Alina, Dexter, BlackPOS (the beauty, the bad and the ugly) and guest star (04): Soraya.

POS - POINT OF SALE, software as a service? Of course!
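Alina, Dexter and BlackPOS are all RAM scrapers: they read the memory of the payment application and pull out magnetic-stripe track data before the application encrypts it. The following is an added example, not the deck's code and not code from any of those families. It is the defender's version of the same search: scan a memory buffer for Track 2 patterns and keep only the PANs that pass the Luhn check, so a POS operator can test whether their own application leaves cleartext track data in process memory (dump the process with a tool of your choice and feed the bytes in). The buffer and the card number (the 4111 1111 1111 1111 test PAN) are constructed; the regex, the masking format and the field names are assumptions made for this example.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' start sentinel, PAN of 13-19 digits,
# '=' field separator, expiry as YYMM, service code, discretionary data,
# '?' end sentinel. Scrapers key on the digits=digits core; the sentinels
# are optional here because they are not always present in memory.
TRACK2_RE = re.compile(
    rb";?(?P<pan>[0-9]{13,19})=(?P<exp>[0-9]{4})(?P<rest>[0-9]{0,20})\??"
)


def luhn_ok(pan: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4, the usual PCI display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Scan a memory buffer for Track 2 candidates; return the Luhn-valid ones.

    Random digit runs match the regex but fail Luhn about nine times in ten,
    so the check is the cheap filter that keeps the output usable.
    """
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode("ascii")
        if not luhn_ok(pan):
            continue
        exp = m.group("exp").decode("ascii")          # YYMM on the stripe
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": f"{exp[2:]}/{exp[:2]}",         # reported as MM/YY
        })
    return hits


# Constructed stand-in for a process memory dump: one real-looking Track 2
# record (test PAN 4111111111111111, expiry 12/25) next to a digit run that
# has the right shape but fails Luhn.
SAMPLE_MEMORY = (
    b"\x00\x00POS app heap\x00"
    b";4111111111111111=25121011234567890?"
    b"\x00junk 1234567890123=9999\x00"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_MEMORY):
        print(hit)
```

On a real dump, expect hits inside the card-reader driver and the payment application between swipe and encryption; anything persisting after the transaction, or sitting in an unrelated process, is the finding. The scraper families in the deck do the same match, minus the masking.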
MOBILE MALWARE. Uses new resources like Tor. Increase in injections with support for mobile malware. Mobile malware for sale: iBanking (as a service), Perkele.

iBanking malware (screenshot)

Perkele malware (screenshot)

CRYPTOCURRENCIES (chart: total hash rate, 24h hash rate)
EXAMPLES - Timeline (Brian Krebs)
18/Dec/2013: Sources: Target Investigating Data Breach
20/Dec/2013: Cards Stolen in Target Breach Flood Underground Markets
22/Dec/2013: Non-US Cards Used At Target Fetch Premium
24/Dec/2013: Who's Selling Credit Cards from Target?
10/Jan/2014: Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen
15/Jan/2014: A First Look at the Target Intrusion, Malware
16/Jan/2014: A Closer Look at the Target Malware, Part II
29/Jan/2014: New Clues in the Target Breach
04/Feb/2014: These Guys Battled BlackPOS at a Retailer
05/Feb/2014: Target Hackers Broke in Via HVAC Company
12/Feb/2014: Attack on Vendor Set Up Breach at Target
19/Feb/2014: Fire Sale on Cards Stolen in Target Breach
25/Feb/2014: Card Backlog Extends Pain from Target Breach
INTELLIGENCE

INTELLIGENCE ... and remember: IN-TE-LLI-GEN-CE

Emerging threat research
Strategic partnerships to share intelligence
Tailored threat focus areas
Live, dynamic intelligence feeds with advanced ...
Active tracking of cybercrime elements
Daily emerging threat reviews
Awareness of the changing technology and business environment
Metrics and trending data for multiple key threat indicators
Recommendations on improved and refined processes

Botnet monitoring and analysis
Malware reverse engineering
Social media monitoring
Reputation scans
Deep web monitoring
Social engineering threats
Spoofed websites
All-source intelligence
Emerging tech review
Loss management
Vendor management
Executive identity monitoring
INFRASTRUCTURES

Simple botnet (diagram: victims -> Internet -> botnet C&C).

Simple botnet with proxy (diagram: victims -> Internet -> proxy -> botnet C&C).

Botnet with double proxy (diagram: victims -> Internet -> proxy 1 -> proxy 2 -> botnet C&C).

Fast flux + C&C (diagram: victim HTTP GET -> fast-flux front end -> GET redirect -> response content served back through the flux node).

Fast flux + proxy + C&C (diagram: as above, with a proxy layer between the fast-flux front end and the C&C).
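The fast-flux diagrams show the hop a victim actually makes: an HTTP GET to a name whose A records rotate through compromised hosts, which redirect or proxy to the real C&C. From the defender's side the name is the observable. The added example below (not the deck's code) records repeated lookups of one name and scores them on the usual fast-flux features: number of distinct IPs, number of distinct /24 networks (a rough stand-in for "many unrelated hosting providers"), the TTL, and how often the answer set changes between lookups. The lookup series are constructed from RFC 5737 TEST-NET addresses, and every threshold and field name is an assumption chosen for illustration; a CDN-style name and a round-robin pool are included to show why no single feature is enough.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Lookup:
    """One DNS lookup of the suspect name: when it was made, the TTL on the
    A records, and the addresses returned."""
    ts: int
    ttl: int
    addrs: List[str]


def slash24(addr: str) -> str:
    """Collapse an IPv4 address to its /24, a cheap proxy for
    'different network / different provider'."""
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))


def flux_features(lookups: List[Lookup]) -> dict:
    """Feature vector over a series of lookups of one name."""
    ips, nets = set(), set()
    for lk in lookups:
        for a in lk.addrs:
            ipaddress.ip_address(a)              # reject garbage early
            ips.add(a)
            nets.add(slash24(a))
    # Fraction of consecutive lookups whose answer set differs.
    pairs = list(zip(lookups, lookups[1:]))
    changes = sum(1 for prev, cur in pairs if set(prev.addrs) != set(cur.addrs))
    return {
        "distinct_ips": len(ips),
        "distinct_nets": len(nets),
        "min_ttl": min(lk.ttl for lk in lookups),
        "change_ratio": changes / len(pairs) if pairs else 0.0,
    }


def is_fast_flux(lookups: List[Lookup], min_ips: int = 5, min_nets: int = 3,
                 max_ttl: int = 300, min_change: float = 0.5):
    """Assumed decision rule: many IPs, spread over many networks, short TTL,
    and answers that keep changing. Returns (verdict, features)."""
    f = flux_features(lookups)
    verdict = (f["distinct_ips"] >= min_ips and f["distinct_nets"] >= min_nets
               and f["min_ttl"] <= max_ttl and f["change_ratio"] >= min_change)
    return verdict, f


# Constructed lookup series (RFC 5737 TEST-NET addresses).
T0 = 1_700_000_000
# Flux front end: three new hosts from three unrelated /24s every 3 minutes.
FLUX = [Lookup(T0 + i * 180, 180,
               [f"192.0.2.{10 + i}", f"198.51.100.{20 + i}", f"203.0.113.{30 + i}"])
        for i in range(6)]
# CDN-style name: short TTL, but the same two addresses every time.
CDN = [Lookup(T0 + i * 60, 60, ["192.0.2.1", "192.0.2.2"]) for i in range(6)]
# Round-robin pool: many addresses, but one /24, long TTL, stable answer set.
ROUND_ROBIN = [Lookup(T0 + i * 3600, 3600, [f"192.0.2.{100 + j}" for j in range(8)])
               for i in range(6)]

if __name__ == "__main__":
    for name, series in (("flux", FLUX), ("cdn", CDN), ("round-robin", ROUND_ROBIN)):
        print(name, *is_fast_flux(series))
```

Feed it lookups taken from several vantage points or from a passive DNS feed rather than one recursive resolver: within the TTL a single resolver answers from cache, so a flux name looks stable there and the change ratio collapses. The proxy variant in the deck does not change the picture at the DNS layer; it only moves the C&C one hop further behind the flux nodes.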
Bulletproof hosters (diagram: Internet -> bulletproof hoster -> backend server).

Own infrastructures (diagram: victims -> Internet -> OpenVPN server, VPN client and IPIP tunnel -> backend servers).

Tor infrastructures (diagram: victims -> Internet -> Tor network -> web panel).

P2P infrastructure (diagram: victims -> Internet -> P2P network -> web panel, with a backup server).
DEMO TIME

DEMO concept: build a POS environment; swipe our credit card; breathe deeply; infect our POS; calm down; pwn the botnet and get our money back!

DEMO results: He stole my card. I burned his botnet.