40,001 Attacks: How We Got Through the Trump-Kim Summit and What’S Next

#RSAC

SESSION ID: TTA1-F02 40,001 ATTACKS: HOW WE GOT THROUGH THE TRUMP-KIM SUMMIT AND WHAT’S NEXT

Ravikant Tiwari Security Researcher Acronis @ravitiwari1989 Revisiting the historic summit #RSAC

Denuclearization and World Peace Captured U.S. soldiers return home Safety guarantees to North Korea 40000 cyberattacks on Singapore Attacks Timeline #RSAC

Attacks launched between 15:00 UTC on June 11th and 12:00 UTC June 12th 92% reconnaissance scans, looking for vulnerable devices 8% exploit attacks

Source: F5 Networks Something New? #RSAC

International events are becoming primary cyber attack targets

The Trump-Kim Summit thwarted The PyeongChang Winter Olympic hacked The U.S. Elections hacked The Rio 2016 Olympics hacked French Presidential elections thwarted Who is responsible ? #RSAC

State-sponsored Seasoned attackers Cyber criminals Hacktivists One among us now Cyber Rockstar #RSAC “Bureau 121” and “91 Office” #RSAC

Part of the Reconnaissance General Bureau of North Korea's military. ~2000 specialists employed

Operations: South Korea cyberattack, 2013 Sony Pictures hack, 2014 SWIFT banking hack, 2015-2016 Bangladesh Bank Heist, 2016 WannaCry ransomware attack, 2017

Hand-picked graduates of the University of Automation, Pyongyang spend 5 years in training Overloaded with Orders #RSAC

Recent alerts issued by FBI and DHS June 14, 2018: TYPEFRAME May 29, 2018: Joanap Trojan and Brambul Worm May 29, 2018: HIDDEN COBRA RAT/Worm March 28, 2018: SHARPKNOT February 13, 2018: HARDRAIN February 13, 2018: BADCALL The Bears #RSAC Among the Attributed Hacks #RSAC

PyeongChang Olympic Winter Games, 2018 German and French elections, 2016 to 2017 U.S. Elections (DNC Email leaks), 2016 Attack on the Ukrainian power grid, 2016 White House and NATO attack, 2015 U.S. military wives' death threats, 2015 When It All Began: Look Back In 2010 #RSAC Leakage of Weaponry = e.g. WannaCry #RSAC

NSA Public Cyber Weapons and Industrial Hacks Timeline #RSAC Hacktivists: The Anonymous Group #RSAC

ISIS Website Attack, 2015 WTO Hack, 2015 Donald Trump’s Website Hack, 2015 Federal Attack, 2012 Cybergate, 2011 BART Attack, 2011 Dark Discovery, 2011 Glance at the recent Olympic Destroyer #RSAC Aim to Disrupt the Winter Olympic Games #RSAC Officials Responded To An Attack Fast Enough #RSAC

The disruption had affected several areas within the Games but the committee was confident systems would be fully operational as soon as possible The official website was only back on track at 8 am on Saturday – 12 hours later! “We know what happened and this is a usual thing during the Olympic Games” Entry point #RSAC Targets #RSAC

Ski Resort

Accommodation IT Service

Web Server Affected Parties #RSAC

Software vendor responsible for automation at ski resorts

2 ski resort hotels in South Korea

IT service provider (Atos.net) headquartered in France Reconnaissance: Spear Phishing Emails #RSAC Weaponized Document in Email #RSAC

Macro-Enabled Document PowerShell Backdoor #RSAC

> PS Backdoor Components #RSAC

Copy

Main Dropper Copy of Add Dropper Use Credentials

Windows Credential Browser Credential Credentials PsExec Tool Wiper Stealer Stealer Module Fooled by The Destroyer #RSAC

Did not delete its components Not Petya Did not harm OS files (Calculated destruction) Possibly had intentions to be discovered The Lazarus Intentional use of TTPs from various old hacks

APT 3 Critical Infrastructure Is A Favorite Choice #RSAC Blackout: BlackEnergy #RSAC

Spear-phishing emails with BlackEnergy malware Seizing SCADA under control, remotely switching substations off Disabling/destroying IT infrastructure components Uninterruptible power supplies Modems RTUs Commutators Destruction of files stored on servers and workstations with the KillDisk malware Denial-of-service attack on call-center to deny consumers up-to-date information on the blackout Doctors are Awesome! #RSAC

Hackers Almost Killed a Child in a Tyumen Hospital Medical equipment disabled right in the middle of the operation “He was doing a very complicated operation on the brain of a thirteen-year-old girl, and in the middle of this operation the clinical center was subjected to a cyber attack, and all the computer systems, all the devices that accompanied this operation, were turned off” Bangladesh Bank robbery #RSAC

Issued instructions to withdraw US$ 1 billion US$ 144 million stolen Perpetrators were suspected to have been aided by insiders

“If that linkage from the Sony actors to the Bangladeshi bank actors is accurate—that means that a nation state is robbing banks” Richard Ledgett, former Deputy Director of the NSA More devices – more attacks #RSAC

MIRAI - 1.2Tbps of traffic 40,000 infected IoT devices online and about 2.5 million IoT devices offline Botnet-as-a-Service : Offered Mirai botnet services from US$50 to $7,500 Cybersecurity trends in 2018 #RSAC

Possibility of AI-powered attacks Ransomware and attacks on IoT devices continue to grow A rise of state-sponsored attacks Attacks against cryptocurrencies and blockchain systems Many companies will fail to comply with the GDPR Lesson Learned #RSAC

Not a Boogie Man: cyber warfare is real

Attackers are no longer just individuals and script kiddies

Small enterprises are a way to reach bigger targets What can be done? #RSAC

Harden network, endpoints and services Invest in security assessment and audits of your company Identify your most important assets and secure them first Enforce proper security compliance and guidelines on your partners #RSAC

THANK YOU !