Cybercrime Insights
Notes from the networks beyond
13.05.2014 Cybercrime Insights 1
Introduction - Curesec GmbH
● Technical IT security
● Security Audits
● Tiger Team Audits
● Mobile Phone Audits (Android/iOS)
● Trainings
Curesec GmbH
● Tools:
  ● For Security Audits
  ● hbad – Heartbleed client check
● Vulnerabilities published, for instance:
  ● WhatsApp
  ● Android
● Guidelines, for instance:
  ● Banking Security
Curesec GmbH
● Office in Berlin
● 7 specialists in different fields
● International projects
Agenda
● Introduction
● Noteworthy security bugs and scenarios
● APT and Cyberespionage
● Conclusion
Heartbleed
● Who has not heard of Heartbleed?
● 7th of April
● Major security flaw in the spine of the internet
● Affected versions: 1.0.1[abcdef]
● Patched version: 1.0.1g (or the old 0.9.8 branch)
● Sleepless nights for admins, security officers and hackers
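A small C check, added here and not part of the talk or of Curesec's hbad tool, that classifies an OpenSSL version string into the affected range the slide names (1.0.1 up to 1.0.1f) versus patched or unaffected releases:

```c
#include <ctype.h>
#include <string.h>

/* Returns 1 if the OpenSSL version string names a Heartbleed-affected
 * build (1.0.1 up to 1.0.1f), 0 otherwise. Accepts a bare "1.0.1e" or a
 * full banner such as "OpenSSL 1.0.1e 11 Feb 2013". */
int heartbleed_affected(const char *version)
{
    const char *v = strstr(version, "1.0.1");
    if (v == NULL)
        return 0;                    /* 0.9.8, 1.0.0, 1.0.2 ...: not 1.0.1 */
    char letter = v[strlen("1.0.1")];
    if (letter == '\0' || isspace((unsigned char)letter))
        return 1;                    /* the plain 1.0.1 release is affected */
    if (!islower((unsigned char)letter))
        return 0;                    /* e.g. "1.0.1-dev": not a release */
    return letter <= 'f';            /* a-f affected, g and later patched */
}
```

A version string alone gives false positives where a distribution backported the fix into a 1.0.1e build; a live check of the heartbeat extension, as a tool like hbad performs, is the reliable test.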
What happened?
● Heartbeat -> TLS extension
● Keeps a session alive
● Process memory can be dumped from the client or the server
● Top Ten Internet Sites also affected
● Google, Facebook, Yahoo ...
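The mechanism behind "process memory can be dumped", as an added example that is not code from the talk: a heartbeat handler shaped like OpenSSL's, with the record length check that 1.0.1g added switchable on and off. The process memory layout, the record and the fake key are all constructed for this example.

```c
#include <stddef.h>
#include <string.h>
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16  /* padding bytes that follow the payload */
/* Constructed stand-in for process memory: the received record sits at the
 * start and a fake key follows it, as a real key might on the heap. */
static unsigned char process_memory[256];
static const char FAKE_SECRET[] = "FAKE-PRIVATE-KEY";

/* Write a record (type | 16-bit length | payload | padding) into process
 * memory. `claimed` is the length field the peer sends, `payload` what is
 * really present. Returns the true record length. */
static size_t build_record(unsigned claimed, const char *payload)
{
    size_t real = strlen(payload), rec_len = 3 + real + HB_PADDING;
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = TLS1_HB_REQUEST;
    process_memory[1] = (unsigned char)(claimed >> 8);
    process_memory[2] = (unsigned char)(claimed & 0xff);
    memcpy(process_memory + 3, payload, real);
    memcpy(process_memory + rec_len, FAKE_SECRET, sizeof FAKE_SECRET);
    return rec_len;
}
/* Shaped like tls1_process_heartbeat; `patched` enables the check added in
 * 1.0.1g. Returns payload bytes echoed, or -1 if the record is rejected. */
int process_heartbeat(const unsigned char *rec, size_t rec_len,
                      unsigned char *resp, size_t resp_cap, int patched)
{
    unsigned payload = (rec[1] << 8) | rec[2];           /* peer-controlled */
    if (rec[0] != TLS1_HB_REQUEST || 3 + payload + HB_PADDING > resp_cap)
        return -1;
    if (patched && 1 + 2 + payload + HB_PADDING > rec_len)
        return -1;        /* the missing check: claimed length vs. record */
    resp[0] = TLS1_HB_RESPONSE, resp[1] = rec[1], resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);   /* unpatched: reads past the record */
    memset(resp + 3 + payload, 0, HB_PADDING);  /* stand-in for random padding */
    return (int)payload;
}
/* 1 if the echoed response carries bytes of FAKE_SECRET, 0 otherwise. */
int response_leaks_secret(int patched)
{
    unsigned char resp[256];
    size_t rec_len = build_record(64, "hello");          /* claims 64, sends 5 */
    int n = process_heartbeat(process_memory, rec_len, resp, sizeof resp, patched);
    for (int i = 0; n > 0 && i + 4 <= n; i++)
        if (memcmp(resp + 3 + i, FAKE_SECRET, 4) == 0)
            return 1;
    return 0;
}
```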
Who is affected?
Everyone running a vulnerable software version with the heartbeat extension enabled.
What is affected?
● Serverside
  ● Webserver
  ● Database server
  ● Email server
  ● VoIP systems
  ● VPN
  ● Custom software
Webserver Example
What is affected?
● Clientside software:
  ● Browser
  ● Email clients
  ● VoIP clients
  ● VPN clients
  ● Chat clients
  ● Custom software linked against a vulnerable OpenSSL version
w3m Example
Interesting Data?
● Private keys (Certificates)
● Usernames and passwords
● Session keys and session IDs (e.g. cookies)
● Video and voice communication
● VPN keys
● Emails
● Form data of the sites, e.g. banking forms, credit card forms
Heartbleed Story 0x01
● The vulnerability is known; the admin patches the relevant systems.
● During a security check some days later it is found that core systems facing the internet are still vulnerable.
● What happened?
Heartbleed Story 0x01 (Admin)
● The systems were brought to a recent patch level. But the patch for the appliance was from April 4th, while the vulnerability was published on the 7th, and there was no newer version until April 11th.
● As a result the vulnerability was brought into the systems, as the older/unpatched version was still running with 0.9.8.
Heartbleed Story 0x01 (Admin)
● 4 days of open attack surface until it was recognized
● Affected: VPN gateway
Heartbleed Story 0x02 (Scam)
● Some criminals are offering an exploit for Heartbleed against version 1.0.1g
● From the style and setup it could be the same guys who offered a fake OpenSSH memory leak
● Interesting: the scammer really sends a Heartbleed dump back; however, it was gained from a different site.
Heartbleed Story 0x03 (invisible)
● Shortly after the vulnerability was published, it was rumoured, and partly spread even through the news, that this bug is so powerful also because it is invisible.
● Of course this is not true.
● Most probably those statements were made because the bug was not understood completely.
Heartbleed Story 0x03 (invisible)
● As a result of this wrong assumption, and probably some others, a 19-year-old Canadian student was arrested.
● He had successfully hacked the tax office and stolen/manipulated 900 entries.
Industrial Devices aka SCADA
● What happens if our light, water and power supply is disabled?
● We have reached a level of networking devices at which the question arises whether we should go on networking them.
● This is not anti-technology, this is pro-surviving.
Industrial Devices aka SCADA
● What is the attack surface?
  ● Energy sector (nuclear, coal, wind, water, sun …)
  ● Water and sanitation
  ● Industrial lines and factories
Medical Devices
● While working in the industry...
● Medical devices are still dangerous to attach to the network.
● If you run a hospital or something similar:
  ● Separate networks
  ● Don't let patients enter the net
  ● Don't use weak wireless crypto
Agenda
● Introduction
● Noteworthy security bugs and scenarios
● APT and Cyberespionage
● Finish
APT and Cyberespionage
● Who remembers Stuxnet?
● Ok.
● But do you know:
  ● Flame (US)
  ● Uroburos (RU)
  ● Careto - The Mask (ES)
Story behind Stuxnet
● Remember my note about SCADA security? Well...
● Stuxnet vs. the Iranian nuclear energy/bomb program
● Fine-grained bug which quietly destroyed devices for uranium enrichment
● It not only changed the speed of the devices, it also showed the control terminal that everything was normal – sabotage was the goal.
What is an APT?
● Targeted attack
● Goals:
  ● Retrieving information (e.g. economic, military)
  ● Espionage
  ● Sabotage
  ● Information is used for further action
What is it not?
● It is not internet noise.
  ● Like SSH brute force
● It is not random hacking
● It is not conducted by cybercriminals – it is backed by .gov
APT
● So – an APT (Advanced Persistent Threat) is:
  ● Executed by someone with an agenda
  ● Usually (well) funded
  ● Not comparable with an anonymous or activist hacker group
● Attackers:
  ● Governments
  ● Freelancers working for governments
How do you know it happened?!
● From time to time it is uncovered.
● Flame, for instance, dates back to 2004
● More recent APTs:
  ● „Uroburos“ - 2011
  ● „Careto“ - 2007
How do you know it was country xyz?
● Of course no country officially confirms involvement
● Samples/information in the code
● Artifacts in the code
● Traces on infected systems
● Analysis of the attack's origin
How do you know it was country xyz?
● Which countries are infected most?
● Actions conducted by the software:
  ● Analysing what it is doing, you find common points with the agenda of certain countries.
  ● For instance, the Iranian nuclear program's most opposed global players are Israel and the US
How do you know it was country xyz?
● Red flag operations
  ● Yeah...no. There is no gain in not being able to blame someone.
  ● So traces to governments exist, but they cannot be proven easily.
Uroburos
● Coming from Russia
● Suspected to be related to Agent.BTZ, which was used to attack the US Government
● Agent.BTZ was used to infect the Department of Defense (DoD) back in 2008
● The US said they strongly believe it was conducted by Russia
● We are sure it is government-driven software
Uroburos
● The system infection vector is still unknown
● But, as with Agent.BTZ, there are several possible ways:
  ● Leave an interesting device (USB stick, tablet …)
  ● Social engineer someone – put one of your agents on the target
  ● Well, it is a spy game: pay someone internally to do it
  ● Classic hack conducted through 0day vulnerabilities
Uroburos
● List of supported files:
  ● Powerpoint
  ● Excel
  ● Word
  ● Pictures
  ● */*
Features
● Encrypted filesystem (vfat / ntfs)
● Hiding activities
● Post-exploitation tools
● Tools for network surveillance
● Exfiltrating data via
  ● HTTP (browser emulation, with proxy support)
  ● ICMP (ping payload)
  ● SMTP (email emulation)
  ● Peer-to-peer communication – wait, what?!
Peer to Peer
● Peer-to-peer communication
  ● Between clients in the internal network
  ● Named pipes are used (RPC)
  ● Gain access to the outer world
Uroburos
Exfiltrate data from devices that are not connected to the internet
Careto
● Probably coming from Spain
● Spanish slang for „Ugly Face“ or „Mask“
● Yay, another player joined the field.
Careto Targets
● Government institutions
● Diplomats / embassies
● Energy, oil and gas
● Private companies
● Research institutions
● Private equity firms
● Activists
Careto
● 380 victims
● 31 countries
Careto
● Spear phishing is the basic infection vector
● Several domains involved
● Trying to look legit
● Infect the user through a vulnerable browser
● Publicly known vulnerability or zero-day
Careto
Spear phishing attack
Protection?
Protection is hard to accomplish
Agenda
● Introduction
● Noteworthy security bugs and scenarios
● APT and Cyberespionage
● Finish
The End
„Hope you liked our little journey through the dark side of the networked world.“
Contact