Cybercrime Insights

Notes from the networks beyond

13.05.2014 Cybercrime Insights 1

Introduction - Curesec GmbH

● Technical IT security

● Security Audits

● Tiger Team Audits

● Mobile Phone Audits (Android/iOS)

● Trainings


Curesec GmbH

● Tools:

  ● For Security Audits

  ● hbad – Client check

● Vulnerabilities published, for instance:

  ● WhatsApp

  ● Android

● Guidelines, for instance:

  ● Banking Security


Curesec GmbH

● Office in Berlin

● 7 specialists in different fields

● International projects


Agenda

● Introduction

● Noteworthy security bugs and scenarios

● APT and Cyberespionage

● Conclusion


Heartbleed

● Who has not heard of Heartbleed?

● Disclosed on the 7th of April

● Major security flaw in the spine of the internet

● Affected versions: 1.0.1[abcdef]

● Patched version: 1.0.1g; the old 0.9.8 branch is not affected

● Sleepless nights for admins, security officers and


What happened?

● Heartbeat -> a TLS extension

● Used for keeping a session alive

● Process memory data can be dumped from client or server

● Top Ten Internet Sites also affected

● Google, Facebook, Yahoo ...
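The flaw in the Heartbeat handling is that the peer trusted the payload length the message claims. As an added example (not code from the talk or from Curesec), the check below parses raw TLS records and flags a heartbeat message whose claimed payload length plus the minimum padding does not fit inside the record, which is the same bound the OpenSSL fix enforces and the shape IDS signatures look for. The sample records are constructed inline; the helper `_tls_record` and the names are assumptions for this example.

```python
import struct

# TLS record content type for the Heartbeat extension (RFC 6520)
TLS_HEARTBEAT = 24
HB_REQUEST, HB_RESPONSE = 1, 2
# RFC 6520 requires at least 16 bytes of padding after the payload
HB_MIN_PADDING = 16


def check_heartbeat_record(record: bytes) -> dict:
    """Inspect one raw TLS record (5-byte header + body).

    For heartbeat records, compare the payload length the message *claims*
    with the bytes the record actually carries. The vulnerable code trusted
    the claimed length and copied that many bytes of process memory into the
    response; the fix rejects a message whose claimed length does not fit.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _ver_major, _ver_minor, rec_len = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length field does not match bytes supplied")
    result = {"is_heartbeat": ctype == TLS_HEARTBEAT, "hb_type": None,
              "declared_len": None, "actual_len": None, "suspicious": False}
    if ctype != TLS_HEARTBEAT:
        return result
    if len(body) < 3:
        # no room for type + payload_length: malformed by definition
        result["suspicious"] = True
        return result
    hb_type, declared_len = struct.unpack("!BH", body[:3])
    actual_len = len(body) - 3  # bytes available for payload + padding
    result.update(hb_type=hb_type, declared_len=declared_len, actual_len=actual_len)
    # payload plus minimum padding must fit in the record, otherwise the
    # receiver would read past the end of the message
    result["suspicious"] = declared_len + HB_MIN_PADDING > actual_len
    return result


def scan_records(records) -> list:
    """Run the check over a sequence of records; return indexes of suspicious ones."""
    return [i for i, r in enumerate(records) if check_heartbeat_record(r)["suspicious"]]


def _tls_record(ctype: int, body: bytes) -> bytes:
    # helper (assumption for this example): wrap a body in a TLS 1.1 record header
    return struct.pack("!BBBH", ctype, 3, 2, len(body)) + body


# --- constructed sample records, not captures from the talk ---
# 1) well-formed heartbeat request: 4-byte payload + 16 bytes of padding
GOOD_RECORD = _tls_record(
    TLS_HEARTBEAT,
    struct.pack("!BH", HB_REQUEST, 4) + b"ping" + b"\x00" * HB_MIN_PADDING)
# 2) malformed heartbeat request: claims 16 KiB of payload but carries none
BAD_RECORD = _tls_record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 0x4000))
# 3) an unrelated handshake record, which the check must leave alone
HANDSHAKE_RECORD = _tls_record(22, b"\x01\x00\x00\x00")

if __name__ == "__main__":
    for name, rec in [("good", GOOD_RECORD), ("bad", BAD_RECORD),
                      ("handshake", HANDSHAKE_RECORD)]:
        print(name, check_heartbeat_record(rec))
    print("suspicious indexes:",
          scan_records([GOOD_RECORD, BAD_RECORD, HANDSHAKE_RECORD]))
```

Feed it the plaintext TLS records seen on the wire (heartbeat messages are sent as their own record type, so they are visible without decrypting the session); a record that is flagged here is exactly what a patched server now drops silently.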


Who is affected?

Everyone running a vulnerable software version with the Heartbeat extension enabled.


What is affected?

● Serverside:

  ● Webserver

  ● Databaseserver

  ● Emailserver

  ● VoIP systems

  ● VPN

  ● Custom software


Webserver Example


What is affected?

● Clientside software:

  ● Browser

  ● Email clients

  ● VoIP clients

  ● VPN clients

  ● Chat clients

  ● Custom software linked against a vulnerable OpenSSL version


w3m Example


Interesting Data?

● Private keys (Certificates)

● Usernames and passwords

● Session keys and session IDs (e.g. cookies)

● Video and voice communication

● VPN keys

● Emails

● Form data submitted to the sites, e.g. banking forms, credit card forms


Heartbleed Story 0x01

● Vulnerability is known, admin patches relevant systems.

● During a security check some days later it is found that core systems to the internet are still vulnerable.

● What happened?


Heartbleed Story 0x01 (Admin)

● The systems were brought to a recent patch level. But the patch for the appliance was dated April 4th, the vulnerability was published on the 7th, and there was no newer version until April 11th.

● As a result the update itself brought the vulnerability into the systems: the older, unpatched version had still been running 0.9.8, which is not affected.


Heartbleed Story 0x01 (Admin)

● 4 days of open attack surface until recognised

● Affected: VPN gateway
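The lesson of this story is that "recent patch level" says nothing about whether the OpenSSL build inside an appliance is in the affected range. As an added example (not code from the talk or from Curesec), the inventory check below parses OpenSSL banner strings and reports which hosts still fall into the range the slides name, 1.0.1 up to 1.0.1f; the letter-less 1.0.1 release predates 1.0.1a and is treated as part of that range, and only the 1.0.1 branch is considered since that is what the slides list. Hostnames and banners in `SAMPLE_INVENTORY` are constructed for the example.

```python
import re

# Affected range named on the slides: the 1.0.1 branch up to and including
# 1.0.1f. 1.0.1g is the fixed release and 0.9.8 never had the bug.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)")
FIRST_FIXED_LETTER = "g"


def parse_openssl_version(banner: str):
    """Pull (major, minor, fix, letter) out of a banner such as
    'OpenSSL 1.0.1e 11 Feb 2013'. Returns None if no version is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def is_heartbleed_vulnerable(banner: str) -> bool:
    """True when the banner reports a version inside the affected range."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError(f"no OpenSSL version found in {banner!r}")
    major, minor, fix, letter = parsed
    if (major, minor, fix) != (1, 0, 1):
        # only the 1.0.1 branch is listed on the slides; 0.9.8 and 1.0.0
        # are treated as outside the affected range
        return False
    # '' (plain 1.0.1) and 'a'..'f' sort before 'g'
    return letter < FIRST_FIXED_LETTER


def audit_inventory(inventory: dict) -> list:
    """Return the hostnames whose recorded OpenSSL banner is still vulnerable.

    This is the check that would have caught the story's VPN gateway, which
    an appliance update moved onto a vulnerable 1.0.1 build.
    """
    return sorted(host for host, banner in inventory.items()
                  if is_heartbleed_vulnerable(banner))


# constructed inventory: hostnames and banners are made up for the example
SAMPLE_INVENTORY = {
    "vpn-gw": "OpenSSL 1.0.1e 11 Feb 2013",    # appliance build from before the fix
    "mail": "OpenSSL 1.0.1g 7 Apr 2014",       # fixed release
    "legacy-lb": "OpenSSL 0.9.8y 5 Feb 2013",  # old branch, not affected
    "www": "OpenSSL 1.0.1 14 Mar 2012",        # letter-less first 1.0.1 release
}

if __name__ == "__main__":
    print("still vulnerable:", audit_inventory(SAMPLE_INVENTORY))
```

One caveat a banner check cannot cover: distributions such as Debian and Ubuntu backported the fix without bumping the letter, so a host reporting 1.0.1e may already be patched. Treat a hit from this check as "verify with the vendor's advisory or a live heartbeat test", not as a final verdict.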


Heartbleed Story 0x02 (Scam)

● Some criminals were offering an exploit for Heartbleed against the patched version 1.0.1g

● From the style and setup it could be the same guys who offered a fake OpenSSH memory leak

● Interesting: the scammer really sends a Heartbleed dump back; however, it was gained from a different site.


Heartbleed Story 0x03 (invisible)

● Shortly after the vuln was published, it was rumoured, and partly spread even through the news, that this bug is so powerful also because it is invisible.

● Of course this is not true.

● Most probably those statements were made because the bug was not understood completely.


Heartbleed Story 0x03 (invisible)

● As a result of this wrong assumption, and probably some others, a 19-year-old Canadian student was arrested.

● He successfully hacked the tax office and stole / manipulated 900 entries.


Industrial Devices aka SCADA

● What happens if our light, water and power supply is disabled?

● We have reached a level of networking devices at which the question arises whether we should go on networking them.

● This is not anti-technology, this is pro-surviving.


Industrial Devices aka SCADA

● What is the attack surface?

  ● Energy sector (nuclear, coal, wind, water, sun …)

  ● Water and sanitation

  ● Industrial lines and factories


Medical Devices

● While working in the industry...

● Medical devices are still dangerous to attach to the network.

● If you run a hospital or something similar:

  ● Separate networks

  ● Don't let patients onto the net

  ● Don't use weak wireless crypto


Agenda

● Introduction

● Noteworthy security bugs and scenarios

● APT and Cyberespionage

● Finish


APT and Cyberespionage

● Who does remember?

● Ok.

● But do you know:

  ● (US)

  ● Uroburos (RU)

  ● Careto - The Mask (ES)


Story behind Stuxnet

● Remember my note about SCADA security? Well...

● Stuxnet vs. the Iranian nuclear energy/bomb program

● Fine-grained bug which quietly destroyed devices for uranium enrichment

● It not only changed the speed of the devices, it also showed the control terminal that everything was normal – sabotage was the goal.


What is an APT?

● Targeted attack

● Goals:

  ● Retrieving information (e.g. economic, military)

  ● Espionage

  ● Sabotage

  ● Information is used for further action


What is it not?

● It is not internet noise, like SSH brute force.

● It is not random hacking.

● It is not conducted by cybercriminals – it is backed by .gov


APT

● So – an APT (Advanced Persistent Threat) is:

  ● Executed by someone with an agenda

  ● Usually (well) funded

  ● Not comparable with an or active group

● Attackers:

  ● Governments

  ● Freelancers working for governments


How do you know it happened?!

● From time to time it is uncovered.

● Flame, for instance, dates back to 2004

● More recent APTs:

  ● „Uroburos“ - 2011

  ● „Careto“ - 2007


How do you know it was country xyz?

● Of course no country officially confirms involvement

● Samples/information in the code

● Artifacts in the code

● Traces on infected systems

● Analysis of the attack's origin


How do you know it was country xyz?

● What countries are infected most?

● Actions conducted by the software:

  ● Analysing what it does, you find common points with the agenda of countries.

  ● For instance, the Iranian nuclear program's most opposing global players are Israel and the US


How do you know it was country xyz?

● RedFlag operations

  ● Yeah... no. There is no gain in not being able to blame someone.

  ● So traces to governments exist, but it cannot be proven easily.


Uroburos

● Coming from Russia

● Suspected to be related to Agent.BTZ, which was used to attack the US Government

● Agent.BTZ was used to infect the Department of Defense (DoD) back in 2008

● The US said they strongly believe it was conducted by Russia

● We are sure it is government-driven software


Uroburos

● System infection vector is still unknown

● But, like with Agent.BTZ, there are several possible ways:

  ● Leave an interesting device (USB stick, tablet …)

  ● Social engineer someone – put one of your hot female agents on the target.

  ● Well, it is a spy game: pay someone internally to do it

  ● Classic hack conducted through 0day vulnerabilities


Uroburos

● List of supported files:

  ● Powerpoint

  ● Excel

  ● Word

  ● Pictures

  ● */*


Features

● Encrypted Filesystem (vfat / ntfs)

● Hiding activities

● Post-Exploitation Tools

● Tools for network surveillance

● Exfiltrating data via:

  ● HTTP (browser emulation, with proxy support)

  ● ICMP (ping payload)

  ● SMTP (email emulation)

  ● Peer to peer communication – wait what?!
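Of the channels listed, ICMP is the one that usually passes firewalls unnoticed because echo traffic is expected. As an added example (not code from the talk or from Curesec), the classifier below parses ICMP messages, lets through payloads that look like a stock ping, and flags echo traffic that carries high-entropy or oversized data, which is what tunnelled exfiltration looks like. Assumptions: the Windows pattern and the "timestamp followed by consecutive byte values" shape of Linux ping are general baseline knowledge, not from the slides; thresholds, helper names and the sample messages are constructed for the example.

```python
import math
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

# Baseline payloads of stock ping tools (assumption from general knowledge):
# Windows ping sends 32 bytes "abcdefghijklmnopqrstuvwabcdefghi";
# Linux iputils ping sends a timestamp followed by consecutive byte values.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_TIMESTAMP_LEN = 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_icmp(message: bytes):
    """Split an ICMP message (IP header already removed) into fields + payload."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return icmp_type, code, ident, seq, message[8:]


def is_stock_ping_payload(payload: bytes) -> bool:
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # Linux shape: after the timestamp, every byte is the previous one plus 1
    tail = payload[LINUX_TIMESTAMP_LEN:]
    return len(tail) >= 16 and all(
        tail[i + 1] == (tail[i] + 1) & 0xFF for i in range(len(tail) - 1))


def classify_icmp(message: bytes, entropy_threshold: float = 4.5,
                  max_len: int = 64) -> dict:
    """Verdict for one ICMP message: 'not-echo', 'benign' or 'suspicious'.

    Known-good patterns are checked first on purpose: the Linux payload is a
    run of distinct bytes and would otherwise fail the entropy test.
    """
    icmp_type, _code, ident, seq, payload = parse_icmp(message)
    info = {"type": icmp_type, "id": ident, "seq": seq, "len": len(payload),
            "entropy": round(shannon_entropy(payload), 2)}
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        info["verdict"] = "not-echo"
    elif is_stock_ping_payload(payload):
        info["verdict"] = "benign"
    elif info["entropy"] > entropy_threshold or len(payload) > max_len:
        info["verdict"] = "suspicious"  # looks like carried data, not a keepalive
    else:
        info["verdict"] = "benign"
    return info


def _echo(icmp_type: int, seq: int, payload: bytes) -> bytes:
    # helper (assumption): build a message; checksum left zero, not verified here
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + payload


# --- constructed sample traffic, not captures from the talk ---
SAMPLES = {
    "windows_ping": _echo(ICMP_ECHO_REQUEST, 1, WINDOWS_PING_PAYLOAD),
    "linux_ping": _echo(ICMP_ECHO_REQUEST, 2,
                        b"\x00" * LINUX_TIMESTAMP_LEN + bytes(range(0x10, 0x38))),
    # 128 distinct byte values: what a chunk of a compressed archive looks like
    "carried_data": _echo(ICMP_ECHO_REPLY, 3, bytes(range(0, 256, 2))),
    "unreachable": _echo(3, 0, b"\x00" * 28),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:13s} {classify_icmp(msg)}")
```

The thresholds are starting points: tune `max_len` and `entropy_threshold` against a week of your own echo traffic, and count echo volume per internal host over time as well, since a tunnel also shows up as a host that suddenly pings far more than its neighbours.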

Peer to Peer

● Peer to peer communication:

  ● Between clients in the internal network

  ● Named pipes are used (RPC)

  ● Gain access to the outer world


Uroburos

Exfiltrate data from devices that are not connected to the internet


Careto

● Coming probably from Spain

● Spanish slang for „Ugly Face“ or „Mask“

● Yay, another player joined the field.


Careto Targets

● Government institutions

● Diplomats / embassies

● Energy, oil and gas

● Private companies

● Research institutions

● Private equity firms

● Activists


Careto

● 380 victims

● 31 countries


Careto

● Spear phishing is the basic infection vector

● Several domains involved

● Trying to look legit

● Infect the user via a vulnerable browser

● Publicly known vuln or zero-day


Careto

Spear phishing attack


Protection?

Protection is hard to accomplish


Agenda

● Introduction

● Noteworthy security bugs and scenarios

● APT and Cyberespionage

● Finish


The End

„Hope you liked our little journey through the dark side of the networked world.“


Contact
