Inception: APT Campaign Spanning PCs, Mobile, the Cloud, and Home Routers

Similar documents
BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Dictamus Manual. Dictamus is a professional dictation app for iphone, ipod touch and ipad. This manual describes setup and use of Dictamus version 10.

Operation Liberpy : Keyloggers and information theft in Latin America

The Epic Turla Operation: Information on Command and Control Server infrastructure

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Last modified: November 22, 2013 This manual was updated for the TeamDrive Android client version

WildFire Overview. WildFire Administrator s Guide 1. Copyright Palo Alto Networks

Tutorial on Smartphone Security

Marble & MobileIron Mobile App Risk Mitigation

How Attackers are Targeting Your Mobile Devices. Wade Williamson

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Trend Micro Incorporated Research Paper Adding Android and Mac OS X Malware to the APT Toolbox

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

Sophos Mobile Encryption Help. Product version: 1.0 Document date: April 2012

USER MANUAL. v Windows Client January

Utilizing Dropbox to Share Files

Junos Pulse for Google Android

Cloud Services MDM. ios User Guide

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown

Practical Attacks against Mobile Device Management (MDM) Michael Shaulov, CEO Daniel Brodie, Security Researcher Lacoon Mobile Security

SCOPE OF SERVICE Hosted Cloud Storage Service: Scope of Service

Ensuring the security of your mobile business intelligence

Quick Start Guide Using OneDisk with the Tappin Service

Parla, Secure Cloud

GO!Enterprise MDM Device Application User Guide Installation and Configuration for ios with TouchDown

Norton Mobile Privacy Notice

Sticky Password 7. Sticky Password 7 is the latest, most advanced, portable, cross platform version of the powerful yet

Sync Security and Privacy Brief

Quick Start Guide: Iridium GO! Advanced Portal

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Exchange ActiveSync (EAS)

Lutron Home Control Remote Access FAQ

Advanced Configuration Steps

EMR Link Server Interface Installation

Qsync Install Qsync utility Login the NAS The address is :8080 bfsteelinc.info:8080

Enterprise Mobile Threat Report

SmartWatch Eco/Eco Compact

RSA SecurID Software Token 1.3 for iphone and ipad Administrator s Guide

Client applications are available for PC and Mac computers and ios and Android mobile devices. Internet

Troubleshooting BlackBerry Enterprise Service 10 version Instructor Manual

z/os Security - FTP Logon Failures

Incident Response. Six Best Practices for Managing Cyber Breaches.

SA-Announce Cloud Services Mobile Notifier User Manual: ios and Android Version 1.0.0

SECURE YOUR DATA EXCHANGE WITH SAFE-T BOX

BlackBerry Device Software. Protecting BlackBerry Smartphones Against Malware. Security Note

HACKER INTELLIGENCE INITIATIVE. The Secret Behind CryptoWall s Success

Kaspersky Security for Mobile Administrator's Guide

SYNCSHIELD FEATURES. Preset a certain task to be executed. specific time.

You will need your District Google Mail username (e.g. and password to complete the activation process.

Welcome to ncrypted Cloud!... 4 Getting Started Register for ncrypted Cloud Getting Started Download ncrypted Cloud...

Phone.com. Communicate Better

LogMeIn Rescue+Mobile for Android

Samsung KNOX User Guide KNOX for Consumers Edition

APT Advanced Persistent Threat Time to rethink?

Setting Up . on Your Sprint Power Vision SM Mogul by HTC

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android

USER GUIDE CLOUDME FOR WD SENTINEL

CHAPTER 1 Exploring Mobile Devices with IMail 1

Penetration Testing for iphone Applications Part 1

Mobile Print/Scan Guide for Brother iprint&scan

Penetration Testing Report. Client: xxxxxx Date: 19 th April 2014

Workday Mobile Security FAQ

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

USER GUIDE CLOUDME FOR WD SENTINEL

Protecting against Mobile Attacks

Advanced Persistent Threats

iphone in Business How-To Setup Guide for Users

Kaspersky Security 10 for Mobile Implementation Guide

GadgetTrak Mobile Security Android & BlackBerry Installation & Operation Manual

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Spontania User Setup Guide

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

How to configure your mobile devices post migrating to Microsoft Office 365

MaaS360 Mobile Enterprise Gateway

Remote PC Guide for Standalone PC Implementation

Mobile Admin Security

How Do I Remove My Office 365 Account From An iphone, ipad or ipod Touch?... 1

Detailed Description about course module wise:

Workflow Templates Library

Enhancing Your Network Security

QualysGuard WAS. Getting Started Guide Version 3.3. March 21, 2014

Dell OpenManage Mobile Version 1.4 User s Guide (Android)

Old National offers both Mobile Web and a Mobile App, so you can choose the best fit for your device type. Either solution enables you to:

Secure Your Mobile Workplace

DVS-100 Installation Guide

The SCADA That Didn t Cry Wolf: Who s Really Attacking Your SCADA Devices

FIREEYE THREAT INTELLIGENCE HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group JULY 2015 SECURITY REIMAGINED

Android App User Guide

Analysis of advanced issues in mobile security in android operating system

Smartphone Pentest Framework v0.1. User Guide

Fighting Off an Advanced Persistent Threat & Defending Infrastructure and Data. Dave Shackleford February, 2012

For example some Bookkeepers are using Dropbox to share the accounting files between them and their client.

Contents First Time Setup... 2 Setting up the Legal Vault Client (KiteDrive)... 3 Setting up the KiteDrive Outlook Plugin Using the Legal Vault

Getting Started. Confirm that the Wi-Fi settings on your mobile terminal are enabled. Download Canon Mobile Printing and install it.

Unified Security, ATP and more

F-Secure Mobile Security. Android

Transcription:

SESSION ID: BR-T10 Inception: APT Campaign Spanning PCs, Mobile, the Cloud, and Home Routers Snorre Fagerland Sr. Principal Security Researcher Blue Coat Systems @SnorreFagerland Waylon Grange Sr. Threat Researcher Blue Coat Systems @professor plum

What is Inception? 2

Who was targeted? Government Embassies Politics Finance Military Engineering United Nations Members World Petroleum Council 3

Phishing emails 4

Attack vector Installer vbs Polymorphed dll Decrypter dll Phishing email Exploit doc Encrypted blob Implant dll Additional capabilities Decoy doc 5

Base implant { 'UserName': u'q', 'ServicePack': 'Service Pack 3', 'ComputerName': u'2-696316ab411a4, 'ModuleName': u'c:\\windows\\system32\\regsvr32.exe', 'SystemLCID': '0x419', 'SystemDrive': u C:\\', 'isadmin': True, 'UserLCID': '0x419', 'Time': '2014-8-5 17:47:0', 'OSVersion': '5.1.2600.2', 'VolumeSerial': 0xb48f8edc } Pulls basic survey information from target and uploads this information every ±15 minutes Can retrieve additional functionality from command and control servers. We ve observed the following additional capabilities downloaded Dir/File walk Survey domain information System hardware survey Enumerate all installed software Upload files of interest to c&c doc/x, xls/x, ppt/x, pdf 6

Command and control via the cloud Utilized cloud hosting provider Cloudme.com All data over WEBDAV Via WNetAddConnection call 7

Communication channel Interchangeable cloud service All comms with C&C server are encrypted with 256bit AES Unique encryption key for each sample Attacks against same target share same account Data is exchange via files dropped in configured folders Data from victim is given a selected extension to blend in on cloud server 8

Chinese APT tie In some instances we noticed this executable being dropped Known to be associated with a Chinese APT group Is a simple C&C backdoor whose functionality overlaps with already in place backdoor C&C domain for this sample expired shortly after being observed Coding skill behind this sample far inferior Victims Researchers 'ModuleName': u'c:\\windows\\system32\\regsvr32.exe 'ModuleName': u'c:\\windows\\syswow64\\regsvr32.exe 'ModuleName': u'c:\\analysis\\ollyclean\\loaddll.exe' 'ModuleName': u'c:\\windows\\system32\\rundll32.exe 9

A dream within a dream 10

Cloudme logs Cloudme provided access logs for an account Attackers accessed account from over 100 different IPs Attackers IP seemed to change on regular intervals Large majority of IPs came from South Korea IPs didn t match TOR exit nodes or any other known proxies browner8674935 parker2339915 young0498814 samantha2064 hurris4124867 sanmorinostar adams2350 adison8845 franko7046 james9611 billder1405 carter0648 bimm4276 chloe7400 depp3353 lisa.walker frogs6352 farrel0829 chak2488 droll5587 garristone corn6814 allan1252 daw0996 tem5842 visteproi

Proxy network built from embedded devices 12

How do I copy? Router runs stream-line Linux Uses busybox for basic command line utilities tail- looks fishy Now, how to download it USB SCP FTP TFTP netcat echo e wget busybox w/ netcat 13

Router proxy malware 14

Attacker s infrastructure Hacked IoT Rented Servers Victims Unknown Attackers CloudMe 15

Turning the tables Hacked IoT Rented Servers Victims Unknown Attackers CloudMe Analyst 16

More infrastructure revealed Email Servers Hacked IoT Rented Servers Victims Unknown Attackers CloudMe Analyst 17

Email servers Observed attacks uses SOCKS proxy to email servers they controlled Used routers to hide their identify from service providers Domains and servers appear to be paid for with bitcoin Domains look legit to victims haarmannsi.cz vs haarmannsi.com sanygroup.co.uk vs sanygroup.com ecolines.es vs ecolines.net 18

Mobile as a target 19

Phishing link http://82.221.100.xxx/page/index?id=target_identifier&type2=action_code 743: Serve malware disguised as WhatsApp updates 1024: Serve malware disguised as Viber updates other: Serve MMS phishing content. 20

MMS phishing We don t have a sample of the actual MMS message Presumed message contained a link and a password Link from message takes victim to a simple password page The Logo is one of many mobile phone carriers We were only able to collect some of the carrier logos from the server before it was shutdown 21

Bitly statistics 22

Bitly statistics 23

Android malware Masked as WhatsApp Update Upon execution installs as service and removed app icon Is capable of gathering the following information Account data Location Contacts External and Internal Storage (files written) Audio (microphone) Outgoing calls Incoming calls Call log Calendar Browser bookmarks Incoming SMS 24

Android Comms Malware Connects to specific user account on common blog site Looks for encrypted message between special HTML tags Decodes message which points to second-tier blog site Second-tier blog sites all appear to be compromised sites This way attackers can easily switch out what compromised sites are used for C&C 25

ios malware Masked as Skype Update Requires iphone to be rooted with Cydia installed Once executed deletes app and sets executable to run at reboot Communicates with C&C via public hosting service s FTP Is capable of gathering the following information Device platform, name, model, system name, system version itunes Account Information Contacts Hardware information SMS messages Call log Calendar 26

ios deb installer 27

Blackberry malware Masked as settings app Is capable of gathering the following information Complete device hardware information (including temperature) Account information Hardware information Address book Mobile carrier information and area code Installed applications 28

Mobile red herrings 29

C&C clues Tracked when new command files were uploaded to Cloudme Command files took the form of [x].bin where x is incremented each time From this we gained a good idea how successful their campaign was Over 24 hours this number increased by about 100, thus 100 active targets the attackers were using Based on the times the files were uploaded attackers were most active from 8:00AM to 5:00PM in the Eastern European Timezone 30

RedOctober Many similarities to RedOctober attack from 2012/2013 Some phishing documents look almost identical Similar exploit markers Kaspersky notes large target overlap between campaigns 31

Summary 32

Summary One of the most sophisticated malware attacks Blue Coat Labs has ever discovered Whole setup shows signs of automation and seasoned programming The amount of layers used in this scheme to protect the payload of their attack seems excessively paranoid The attackers utilize compromised embedded devices as well as multiple dedicated hosting providers and VPN services to mask their identity The framework is generic, and could work as an attack platform for a multitude of purposes with very little modification Includes malware targeting mobile devices: Android, Blackberry and ios Difficult to assign attribution due to false clues

Apply/Prevention Block outbound WEBDAV Don t unlock phones Don t install apps from unofficial sources Keep software up-to-date User education (phishing attacks) 34

Questions

References http://dc.bluecoat.com/inception_framework 36

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information