Cybercrime Insights

Notes from the networks beyond
13.05.2014

Introduction - Curesec GmbH
● Technical IT security
● Security Audits
● Tiger Team Audits
● Mobile Phone Audits (Android/iOS)
● Trainings

Curesec GmbH
● Tools:
  ● For Security Audits
  ● hbad – Heartbleed Client check
● Vulnerabilities published, for instance:
  ● WhatsApp
  ● Android
● Guidelines, for instance:
  ● Banking Security

Curesec GmbH
● Office in Berlin
● 7 specialists in different fields
● International projects

Agenda
● Introduction
● Noteworthy security bugs and scenarios
● APT and Cyberespionage
● Conclusion

Heartbleed
● Who has not heard of Heartbleed?
● 7th of April
● Major security flaw in the spine of the internet
● Affected versions 1.0.1[abcdef]
● Patched version 1.0.1g or old 0.9.8
● Sleepless nights for admins, security officers and hackers

What happened?
● Heartbeat -> Extension
● Keeping a session alive
● Process memory data can be dumped from client or server
● Top ten internet sites also affected
● Google, Facebook, Yahoo ...

Who is affected?
Everyone using the vulnerable software version with the extension enabled.

What is affected?
● Serverside
  ● Webserver
  ● Databaseserver
  ● Emailserver
  ● VoIP systems
  ● VPN
  ● Custom software

Webserver Example
[screenshot slide]

What is affected?
● Clientside software:
  ● Browser
  ● Email clients
  ● VoIP clients
  ● VPN clients
  ● Chat clients
  ● Custom software linked with a vulnerable OpenSSL version

w3m Example
[screenshot slide]

Interesting Data?
● Private keys (certificates)
● Usernames and passwords
● Session keys and session IDs (e.g. cookies)
● Video and voice communication
● VPN keys
● Emails
● Forms of the sites, e.g. banking forms, credit card forms

Heartbleed Story 0x01
● Vulnerability is known, admin patches relevant systems.
● During a security check some days later it is found that core systems facing the internet are still vulnerable.
● What happened?

Heartbleed Story 0x01 (Admin)
● The systems were brought to a recent patch level. But the patch for the appliance was from April 4th, while the vulnerability was published on the 7th, and there was no newer version until April 11th.
● As a result the vulnerability was brought into the systems, as the older/unpatched versions had still been running 0.9.8.

Heartbleed Story 0x01 (Admin)
● 4 days of open attack surface until recognized
● Affected: VPN gateway

Heartbleed Story 0x02 (Scam)
● Some criminals offering an exploit for HB in version 1.0.1g
● From the style and setup it could be the same guys offering a fake OpenSSH memory leak
● <pastebin>
● Interesting: the scammer is really sending a HB dump back; however, it is gained from a different site.

Heartbleed Story 0x03 (invisible)
● Shortly after the vuln was published, it was rumoured and partly spread even through the news that this bug is also that powerful because it is invisible.
● Of course this is not true.
● Most probably those statements were made as the bug was not understood completely.

Heartbleed Story 0x03 (invisible)
● As a result of this wrong assumption, and probably some others, a 19-year-old Canadian student was arrested.
● He successfully hacked the tax office and stole / manipulated 900 entries.

Industrial Devices aka SCADA
● What happens if our light, water and power supply is disabled?
● We have reached a level of networking devices at which the question arises whether we should go on networking them.
● This is not anti-technology, this is pro-surviving.

Industrial Devices aka SCADA
● What is the attack surface?
● Energy sector (nuclear, coal, wind, water, sun …)
● Water and sanitation
● Industrial lines and factories

Medical Devices
● While working in the industry...
● Medical devices are still dangerous to attach to the network.
● If you run a hospital or something similar:
  ● Separate networks
  ● Don't let patients enter the net
  ● Don't use weak wireless crypto

Agenda
● Introduction
● Noteworthy security bugs and scenarios
● APT and Cyberespionage
● Finish

APT and Cyberespionage
● Who does remember Stuxnet?
● Ok.
● But do you know:
  ● Flame (US)
  ● Uroburos (RU)
  ● Careto - The Mask (ES)

Story behind Stuxnet
● Remember my note about SCADA security? Well...
● Stuxnet vs. Iranian nuclear energy/bomb program
● Fine-grained bug which quietly destroyed devices for uranium enrichment
● It not only changed the speed of the devices, it also showed the control terminal that everything is normal – sabotage was the goal.

What is an APT?
● Targeted attack
● Goals:
  ● Retrieving information (e.g. economic, military)
  ● Espionage
  ● Sabotage
● Information is used for further action

What is it not?
● It is not internet noise.
  ● Like SSH brute force
● It is not random hacking
● It is not conducted by cybercriminals – it is backed by .gov

APT
● So – an APT (Advanced Persistent Threat) is:
  ● Executed by someone with an agenda
  ● Usually (well) funded
  ● Not comparable with an anonymous or active hacker group
● Attackers:
  ● Governments
  ● Freelancers working for governments

How do you know it happened?!
● From time to time it is uncovered.
● Flame for instance ranges back to 2004
● More recent APTs:
  ● „Uroburos“ - 2011
  ● „Careto“ - 2007

How do you know it was country xyz?
● Of course no country confirms official involvement
● Samples/information in the code
● Artifacts in the code
● Traces on infected systems
● Analysis of the attack's origin

How do you know it was country xyz?
● What countries are infected most?
● Actions conducted by the software:
  ● Analysing what it is doing, you find common points with the agenda of countries.
  ● For instance, the Iranian nuclear program's most opposing global players are Israel and the US

How do you know it was country xyz?
● RedFlag operations
● Yeah...no. There is no gain in not being able to blame someone.
● So traces to governments exist, but it cannot be proven easily.

Uroburos
● Coming from Russia
● Suspected to be related to Agent.BTZ, used to attack the US Government
● Agent.BTZ was used to infect the Department of Defense (DoD) back in 2008
● The US said they strongly believe it was conducted by Russia
● We are sure it is government-driven software

Uroburos
● System infection vector is still unknown
● But, like Agent.BTZ, we have several possible ways:
  ● Leave an interesting device (USB stick, tablet …)
  ● Social engineer someone – put one of your hot female agents on the target.
  ● Well, it is a spy game: pay someone internally to do it
  ● Classic hack conducted through 0day vulnerabilities

Uroburos
● List of supported files:
  ● PowerPoint
  ● Excel
  ● Word
  ● Pictures
  ● */*

Features
● Encrypted filesystem (vfat / ntfs)
● Hiding activities
● Post-exploitation tools
● Tools for network surveillance
● Exfiltrating data via
  ● HTTP (browser emulation, with proxy support)
  ● ICMP (ping payload)
  ● SMTP (email emulation)
  ● Peer to peer communication – wait, what?!

Peer to Peer
● Peer to peer communication
● Between clients in the internal network
● Named pipes are used (RPC)
● Gain access to the outer world

Uroburos
Exfiltrate data from devices that are not connected to the internet

Careto
● Coming from probably Spain
● Spanish slang for „Ugly Face“ or „Mask“
● Yay, another player joined the field.

Careto Targets
● Government institutions
● Diplomats / embassies
● Energy, oil and gas
● Private companies
● Research institutions
● Private equity firms
● Activists

Careto
● 380 victims
● 31 countries

Careto
● Spear phishing is the basic infection vector
● Several domains involved
● Trying to look legit
● Infect user by a vulnerable browser
● Publicly known vuln or zero-day

Careto
Spear phishing attack
[screenshot slide]

Protection?
Protection is hard to accomplish

Agenda
● Introduction
● Noteworthy security bugs and scenarios
● APT and Cyberespionage
● Finish

The End
„Hope you liked our little journey through the dark side of the networked world.“

Contact
[contact slide]
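The mechanism behind the "What happened?" Heartbleed slides, as an added example that is not code from the talk and not Curesec's hbad tool: a Python parser for the RFC 6520 heartbeat message that applies the bounds check OpenSSL 1.0.1 through 1.0.1f lacked and 1.0.1g added, so a peer's declared payload length can never make the responder echo bytes beyond the message it actually received. The sample messages and the helper names are constructed for this example.

```python
import struct

# RFC 6520 heartbeat message: type(1) | payload_length(2) | payload | padding
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 section 4: padding_length MUST be at least 16


def make_heartbeat(payload, declared_length=None):
    """Build a heartbeat request body. declared_length lets the sample
    messages below carry a length field that does not match the payload."""
    length = len(payload) if declared_length is None else declared_length
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * MIN_PADDING


# Constructed sample messages (not captured traffic).
GOOD_REQUEST = make_heartbeat(b"ping")
# Declared length far larger than the 4 bytes actually sent: the shape of a
# malformed heartbeat, which a correct receiver must discard without reply.
OVERSIZED_REQUEST = make_heartbeat(b"ping", declared_length=0xFFFF)


def parse_heartbeat(body):
    """Return (type, payload), or None when the message must be silently
    discarded, as RFC 6520 requires for malformed heartbeats."""
    if len(body) < 3 + MIN_PADDING:
        return None
    hb_type = body[0]
    payload_length = struct.unpack("!H", body[1:3])[0]
    # The bounds check absent in OpenSSL 1.0.1 through 1.0.1f: the declared
    # payload plus header and padding must fit inside the bytes actually
    # received, otherwise the echo below would copy process memory instead.
    if 3 + payload_length + MIN_PADDING > len(body):
        return None
    return hb_type, body[3:3 + payload_length]


def build_response(request_body):
    """Echo a valid request's payload; return None for anything else."""
    parsed = parse_heartbeat(request_body)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    payload = parsed[1]
    # The response length is derived from bytes really received, never from
    # the peer's length field.
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", len(payload)) + payload + b"\x00" * MIN_PADDING


if __name__ == "__main__":
    print(parse_heartbeat(GOOD_REQUEST))       # (1, b'ping')
    print(parse_heartbeat(OVERSIZED_REQUEST))  # None
```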
