Territorial Dispute – NSA’s perspective on APT landscape

Slides:



Advertisements
Similar presentations
Célzott informatikai támadások napjainkban Boldizsár Bencsáth PhD Laboratory of Cryptography and System Security (CrySyS) Budapest University of Technology.
Advertisements

Malware Hunting with the Sysinternals Tools
Lesson 6D – Loops and String Arrays – split process By John B. Owen All rights reserved ©2011.
Targeted attacks of recent days Boldizsár Bencsáth PhD Laboratory of Cryptography and System Security (CrySyS) Budapest University of Technology and Economics.
Stuxnet, Duqu és társai – kifinomult internetes kártevők kifejlesztése, átalakítása, továbbfejlesztése Stuxnet, Duqu and others – development and operation.
EUROSEC 2011 Gábor Pék, Boldizsár Bencsáth and Levente Buttyán Laboratory of Cryptography and Systems Security Budapest University of Technology and Economics.
CLEARER: Security and Privacy Research Roadmap for the CrySyS Lab Levente Buttyán, Márk Félegyházi, Boldizsár Bencsáth Laboratory of Cryptography and System.
Decision Table Based Testing
Malware Identification and Classification
Mike Goffin and Wesley Shields Approved for Public Release; Distribution Unlimited. Case Number
Warrior Cats: Into the wild By: Erin Hunter. SUMMARY: This book is about a young cat named Rusty, who joins wild cats in the forest to defend territory,
Abusing Duqu, Flame, MiniFlame Boldizsár Bencsáth PhD Budapest University of Technology and Economics Department of Telecommunications Laboratory of Cryptography.
Implementation of a scenario - an example Organic.Edunet Open days 2010.
Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.
Mike Goffin Who am I? Mike Goffin Lead DeveloperProject Manager Senior Cyber Security Research Engineer The MITRE Corporation.
2004, Jei F.I.R.E. Forensics & Incident Response Environment Information Networking Security and Assurance Lab National Chung Cheng University.
Empirical Analysis of Denial of Service Attack Against SMTP Servers Boldizsár BENCSÁTH, Laboratory of Cryptography and System Security (CrySyS) Budapest.
Improving Your Security Posture June 24, Managing Your Managed Security Service Provider Stephen Seljan, General Dynamics Fidelis.
INFO ElementsINTERACTIONSSTORY o DATE o LOCATION (and maybe in a Google Earth fashion) o IMAGE/AUDIO of LEONARDO as he mutters to himself about the concept.
Kids Can Save the PLANET Year 6. Lets watch a short video!!!
CISC Machine Learning for Solving Systems Problems Presented by: Akanksha Kaul Dept of Computer & Information Sciences University of Delaware SBMDS:
4/13/2010.  CSS Meeting  Stephen Crane on Programming Contests  1pm  Building 8 room /11/10.
XNAT and Basic Knowledge Vanderbilt University Benjamin Yvernault, Bennett Landman, Brian Boyd 1.
Basics of Statistical Analysis. Basics of Analysis The process of data analysis Example 1: –Gift Catalog Marketer –Mails 4 times a year to its customers.
Relationships between Variables. Two variables are related if they move together in some way Relationship between two variables can be strong, weak or.
Bots Used to Facilitate Spam Matt Ziemniak. Discuss Snort lab improvements Spam as a vehicle behind cyber threats Bots and botnets What can be done.
Introducing the CrySyS Lab Félegyházi Márk Laboratory of Cryptography and System Security (CrySyS Lab) Budapest University of Technology and Economics.
CHAPTER 14 Viruses, Trojan Horses and Worms. INTRODUCTION Viruses, Trojan Horses and worm are malicious programs that can cause damage to information.
Technical analysis and information sharing in the handling of high-profile targeted attacks Boldizsár Bencsáth Laboratory of Cryptography and System Security.
Chapter 8 Collecting Data with Forms. Chapter 8 Lessons Introduction 1.Plan and create a form 2.Edit and format a form 3.Work with form objects 4.Test.
Aim: How can we respond to professors when they respond to us? What if they do not respond?
The Complete Photographer! 1 The Complete Photographer Meeting Agenda Opening Comments / Announcements Opening Comments / Announcements Review of Last.
Basics of Statistical Analysis. Basics of Analysis The process of data analysis Example 1: –Gift Catalog Marketer –Mails 4 times a year to its customers.
Copyright © Software Carpentry 2011 This work is licensed under the Creative Commons Attribution License See
Architecture Tutorial 1 Overview of Today’s Talks Provenance Data Structures Recording and Querying Provenance –Break (30 minutes) Distribution and Scalability.
Andrew C. Samuels, Information Technology Specialist Trainer c/o Ministry of Education Mona High School, Kingston, Jamaica 1 Unit 1 Module 3 Specific Objective:
2014 Unsupervised Malware Classification: How Bad Software Can Find its own Kind Shannon Steinfadt, Ph.D., Juston Moore, Micah Yates Los Alamos National.
introductionwhyexamples What is a Web site? A web site is: a presentation tool; a way to communicate; a learning tool; a teaching tool; a marketing important.
Flipping Out In AP Calculus My Journey and a Summary of My Experience.
HCA 497 Week 3 DQ 1 The Rising Cost of Health Care Check this A+ tutorial guideline at ASH/HCA-497-Week-3-DQ-1-The-Rising-Cost-of-
2.0 Assurance Practice.
WannaCrypt Ransomeware Customer Guidance
The Emergent Structure of Development Tasks
Homeland Security: Computer Protection
“Basic Linux/UNIX Command Line”
An Introduction to Flash
Writing Shell Scripts ─ part 3
2. Assurance Practice.
Claims Evidence Reasoning
Technical Guidlince to Make Your Mac Virus Free
SPRING DRAGON APT - A CASE STUDY OF TARGETED ATTACKS IN APAC COUNTRIES
USA Learns Citizenship
Analyzing and Building Simple Queries in SQL
Cyber Security Incident Response Playbooks
Version Control Version Control: The process of managing changes to your files over time (aka, revision control.
Attributes of Information
Automating Security Operations using Phantom
Labcheck Next Generation Quick Start Guide
Encryption and Hacking
File..
Active Listening Athens, 11th-15th OCTOBER 2016.
Binary Search Counting
Cat.
C.2.10 Sample Questions.
C.2.8 Sample Questions.
Thing / Person:____________________ Dates:_________________
C.2.8 Sample Questions.
Scanning/Laserfische
X-ray high resolution spectra in the VO: the case of XMM-Newton RGS
Julius Inigo MIS 304 November 10, 2011
Presentation transcript:

Territorial Dispute – NSA’s perspective on APT landscape Boldizsár Bencsath PhD BME CrySyS Lab / www.crysys.hu - Budapest University of Technology and Economics Short: Boldi / CrySyS Lab

Territorial Dispute What is it? Scanners SIG1..SIG45 windows\Resources\TeDi\PyScripts\ - sigs.py tedilog = getLogger('TERRITORIALDISPUTE') windows\Resources\Ep\Scripts\malfind windows/Resources/Ep/Scripts/ifthen/gwdef_other_peeps.txt windows\Resources\Ops\Databases\DriverList.db windows\Resources\Ops\Data\drv_list.txt windows\Resources\Ep\drv_list.txt

Security Analyst Summit 2017

Seems familiar? Yes, SIG8 is Stuxnet!

“GET” script for SIG8/Stuxnet

Interactivity…

SIG25

SIG25 – Dark Hotel

An example – exforel SIG30 A short list of IoCs Three file names and one driver IoC type, method remarks SYSPATH\msdxofg.dll file   SYSPATH\ocmsiecon.hlp SYSPATH\atllib.dll ndisxapi.sys driver

Exforel 2 http://sha1.virscan.org/492dc600e22de6da96898e097566bc01309b5996.html http://artemonsecurity.blogspot.hu/2012/12/analysis-of-virtoolwinntexforela-rootkit.html https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia- description?Name=VirTool:WinNT/Exforel.A

Security Analyst Summit 2018

Strange thins in 5e49440b907b271eb952101b5d337625b890d88a76a232ce04a2276542dfb4b0 Security Analyst Summit 2018

668ce24473d788791d2bfee0caec2d10dca52b5bc8c021bf06f9eb3527688ade might also relate exforel Security Analyst Summit 2018

The latter sharses zhanyan_team id Is it Exforel? Maybe More research is needed!

Sig35 – Duqu – “9N” Very strange rule. Looking for “NNNNNNNNN” ? Security Analyst Summit 2018

Would you check for exact size? Sig35/Duqu Security Analyst Summit 2018

Findings summary SIG no. Possible APT other name First public report remarks SIG1 Agent.BTZ (Turla) 2008.06.X ? 2008.11.19.   SIG2 Turla 2008.11.X. 2014.02.15. ? SIG3 ShipUp? 2008.10.29. SIG4 Snake/Uroburos 2014.02.28. dated 3+ years old SIG5 Trojan dropper Agent.ikcb Turla tool? 2013.10.15. SIG6 ? SIG7 GhoTex 2007.03.04. Octa-B? SIG8 Stuxnet 2 drivers unknown s7otbxdxa.sys s7obxsx.sys 2010.06.15. Dated dev.: 2005~ SIG9 Flame 2012.05.28. Dated dev.: 2010~ SIG10 miniFlame 2012.10.15. SIG11 SIG12 Spuler? 2012.11.26? SIG13 Agent.BTZ? see 1 SIG14 SIG15 Turla/Snake/Uroburos PDF:2015

SIG16 Flame 2012.05.28.   SIG17 SunFlower / Chesire Cat / Flowershop ~2015 samples point back to 2002 SIG18 Moonflower / Chesire Cat / Flowershop (sunflower moonflower) ? SIG19 SIG20 Animal Farm 2015.03.06. in use since 2013? SIG21 SIG22 Aurora/Hydraq 2010.01.12. Op: 2009.06-12 SIG23 Turla (Epic Turla) 2014.08.07. Under analysis for 10 months SIG24 SIG25 Dark Hotel 2014.11.10. SIG26 SIG27 SIG28 Rotinom 2011.01.11. SIG29 SIG30 Exforel 2012.11.28.

SIG31 ?   SIG32 2008.06.13. SIG33 SIG34 2014.05.14. SIG35 Duqu 2011.09.01. SIG36 Stuxnet/Duqu? see 8 / 35 SIG37 IronTiger_ASPXSpy SIG38 SIG39 Teamspy 2013.03.10. SIG40 Sednit/Sofacy 2015.02.09. SIG41 2011.03.29. SIG42 SIG43 Turla see 2, 2014.01.X SIG44 SIG45 Security Analyst Summit 2017

Samples from the malware repo Used the IoC strings as search strings with yara In our ~150 TB size of malware samples Amazingly high FP rate (e.g. adobe.dll string) We found some ~5000 samples with possible relationship Most likely 90% is FP, Your help is needed to find out clues! sig2 14 sig3 6 sig4 300 sig5 1 sig6 370 sig7 139 sig8 186 sig9 794 sig10 sig12 sig13 21 sig15 60 sig16 4 sig17 770 sig19 1 sig20 15 sig22 25 sig25 695 sig28 7 sig30 sig31 112 sig35 sig38 41 sig40 2 sig44 6 sig45 1557

LET'S TALK! Boldizsár Boldi Bencsáth – BME CrySyS Lab www.crysys.hu

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.