#RSAC SESSION ID: TTA-R01
APT Attacks in the Asia Pacific
Sean Duca, Chief Security Officer – APAC, Palo Alto Networks, @seanduca
Vicky Ray, Unit 42 – Threat Intelligence Analyst, Palo Alto Networks, @0xVK
31 pages

APT Attacks in the Asia Pacific - RSA Conference · #RSAC. AGENDA. 2. Unit 42 Mission Why Asia Pacific is a constant target of APT threat actors 0-days or known exploits Targeted

Jan 22, 2019

Transcript
Page 1:

SESSION ID: TTA-R01

APT Attacks in the Asia Pacific

Sean Duca
Chief Security Officer – APAC, Palo Alto Networks
@seanduca

Vicky Ray
Unit 42 – Threat Intelligence Analyst, Palo Alto Networks
@0xVK

Page 2:

AGENDA

Unit 42 Mission

Why Asia Pacific is a constant target of APT threat actors

0-days or known exploits

Targeted Attack Case studies

What do we learn from the APT attacks

Way forward

Page 3:

Unit 42 Mission

Analyze the data available to Palo Alto Networks to identify adversaries, their motivations, resources, and tactics to better understand the threats our customers face.

Page 4:

Connecting the dots together

Page 5:

Why is Asia Pacific a target of APT?

Economic Growth

Page 6:

Why is Asia Pacific a target of APT?

Territorial disputes

https://en.wikipedia.org/wiki/Territorial_disputes_in_the_South_China_Sea

Page 7:

Most Targeted Application?

Page 8:

Zero-days or Known exploits used

CVE-2010-3333 – Microsoft Office Remote Code Execution Vulnerability (stack buffer overflow in the RTF pFragments shape property; patched in MS10-087, November 2010)

CVE-2012-0158 – Microsoft Office Remote Code Execution Vulnerability (in the MSCOMCTL.OCX Windows Common Controls ActiveX control, reached through an Office document; patched in MS12-027, April 2012)

CVE-2017-0199 – Microsoft Office/WordPad Remote Code Execution Vulnerability (OLE2Link object that fetches and runs a remote HTA; patched in April 2017)

None of the three was a zero-day when the attacks in the following case studies took place; all had a patch available.
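All three CVEs above arrive as a document attachment, so the first triage question for a suspicious attachment is which exploit family, if any, it resembles. The Python scanner below is an added example written for this page, not Unit 42 tooling: it runs well-known public heuristics (the pFragments shape property for CVE-2010-3333, the MSCOMCTL ListView ProgID/CLSID for CVE-2012-0158, the \objupdate control word for CVE-2017-0199) over RTF bytes. The sample documents are constructed here, not real samples, and a hit is a reason to detonate the file in a sandbox, not proof of exploitation.

```python
"""Heuristic triage of RTF attachments for the three Office exploit families
listed on the slide.  Added example; not Unit 42 or Palo Alto Networks code.

The indicators are public, YARA-style heuristics for each CVE.  A hit means
"detonate this in a sandbox", not "confirmed exploit": benign documents can
contain the same control words, and real samples hide them behind RTF
obfuscation (\\'XX escapes, nested groups, junk control words) that this
scanner only partly normalises.
"""
import re

# Each rule: (indicator name, regex run over the whitespace-stripped file).
# These control words and CLSIDs come from public exploit analyses, not from
# the slides themselves.
HEURISTICS = {
    "CVE-2010-3333": [
        # RTF stack overflow in the pFragments shape property (MS10-087)
        ("pFragments shape property", re.compile(rb"\\sn\s*pFragments", re.I)),
    ],
    "CVE-2012-0158": [
        # MSCOMCTL.OCX ListView control (MS12-027): its ProgID, or its CLSID
        # {BDD1F04B-858B-11D1-B16A-00C0F0283628} hex-serialised inside \objdata
        ("MSComctlLib.ListViewCtrl ProgID", re.compile(rb"MSComctlLib\.ListViewCtrl", re.I)),
        ("ListView CLSID in objdata", re.compile(rb"4bf0d1bd8b85d111b16a00c0f0283628", re.I)),
    ],
    "CVE-2017-0199": [
        # \objupdate forces the OLE object to refresh when the document opens,
        # which is what fetches the remote HTA in the public exploit chain
        ("\\objupdate on OLE object", re.compile(rb"\\objupdate", re.I)),
        ("OLE2Link object class", re.compile(rb"OLE2Link", re.I)),
    ],
}


def looks_like_rtf(data: bytes) -> bool:
    """Word only checks the first characters of the header; malicious files
    often use the truncated '{\\rt' form, so accept anything that starts so."""
    return data.lstrip().startswith(b"{\\rt")


def triage_rtf(data: bytes) -> dict:
    """Return {CVE: [indicator names]} for every heuristic family that fires."""
    if not looks_like_rtf(data):
        return {}
    # Hex object data is usually line-wrapped; collapse whitespace so the
    # CLSID bytes and split control words are contiguous before matching.
    compact = re.sub(rb"\s+", b"", data)
    hits = {}
    for cve, rules in HEURISTICS.items():
        matched = [name for name, rx in rules if rx.search(compact)]
        if matched:
            hits[cve] = matched
    return hits


# Constructed minimal samples (not real malware) that exercise each rule.
SAMPLES = {
    "benign.rtf": b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\f0 Quarterly report\\par}",
    "pfragments.rtf": b"{\\rtf1{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 9;2;ffffffff}}}}}",
    "mscomctl.rtf": (b"{\\rt{\\object\\objocx{\\*\\objclass MSComctlLib.ListViewCtrl.2}"
                     b"{\\*\\objdata 4bf0d1bd 8b85d111\r\nb16a00c0 f0283628 0000}}}"),
    "ole2link.rtf": b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata 0105000002000000}}}",
    "not-rtf.exe": b"MZ\x90\x00\x03\x00",
}


def triage_all(samples=SAMPLES) -> dict:
    """Triage every sample; returns {filename: hits}."""
    return {name: triage_rtf(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in triage_all().items():
        print(f"{name}: {hits or 'no indicators'}")
```

The whitespace collapse is the one normalisation worth doing by default, because `\objdata` hex is almost always line-wrapped; anything more (decoding `\'XX` escapes, removing junk control words) belongs in a proper RTF parser, and a file that fails these checks can still be malicious.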

Page 9:

Diagram: the targeted-attack chain used in the case studies (labels recovered from the slide)

ACTOR → SPEAR PHISHING EMAIL carrying an EXPLOIT ATTACHMENT together with a DECOY FILE (SPEAR PHISHING + DECOY) → TARGET → BACKDOOR TROJAN → BACKDOOR ACCESS for the ACTOR

Page 10:

Tropic Trooper

TROPIC TROOPER targets the Taiwan Government

Who is Tropic Trooper?

Page 11:

TROPIC TROOPER TARGETS THE TAIWAN GOVERNMENT

TARGETED SPEAR-PHISHING EMAIL WAS SENT TO THE SECRETARY GENERAL OF EXECUTIVE YUAN, TAIWAN GOVERNMENT

Page 12:

DECOY USED BY TROPIC TROOPER

DECOY USED IN THE ATTACK AGAINST THE SECRETARY GENERAL OF EXECUTIVE YUAN, TAIWAN GOVERNMENT

Page 13:

TROPIC TROOPER PAYLOAD EXTRACTED AFTER DECRYPTION

HIDDEN PAYLOAD EXTRACTED AFTER DECRYPTION

Page 14:

EXPLOIT & MALWARE USED

Exploit – CVE-2012-0158 (no surprises)

Malware – Trojan: Poison Ivy

Investigations on related infrastructure provided details of other tools being used by Tropic Trooper:

Yahoyah

PCShare

Page 15:

INFRASTRUCTURE AND ASSOCIATED MALWARE

Page 16:

NEW DECOYS USED IN RECENT SAMPLES SUGGEST TARGETS IN VIETNAM

Recent samples show that the targets are in Vietnam too.

Payload dropped: Pivy (Poison Ivy). It shares the same mutex as the earlier Tropic Trooper samples.
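The infrastructure map on slide 15 and the shared-mutex observation above are two instances of the same analyst step: join samples on the indicators they have in common and see which clusters fall out. The Python below is an added example, not Unit 42 code; the eight reports, their identifiers, mutexes, domains and addresses are constructed placeholders (RFC 5737 documentation addresses, defanged example domains). It generalises the slide's single mutex pivot to mutexes, C2 domains and C2 IPs, and it refuses to link on any indicator that appears in more samples than a threshold. That guard is the caveat with mutex pivots: a builder-default mutex is present in every sample the builder ever produced, related campaign or not.

```python
"""Pivoting on shared indicators across sample reports.

Added example for this page, not Unit 42 code.  REPORTS are constructed:
the identifiers are placeholders, the mutex names are invented, the domains
are defanged example names and the addresses come from the RFC 5737
documentation ranges.
"""
from collections import defaultdict

REPORTS = [
    {"sha256": "sample-01", "family": "PoisonIvy", "decoy": "zh-TW government memo",
     "mutexes": ["Global\\tt_pivy_a1"], "c2_domains": ["update.tt-case1[.]example"],
     "c2_ips": ["203.0.113.10"]},
    {"sha256": "sample-02", "family": "PoisonIvy", "decoy": "vi-VN ministry circular",
     "mutexes": ["Global\\tt_pivy_a1"], "c2_domains": ["news.tt-case2[.]example"],
     "c2_ips": ["203.0.113.11"]},
    {"sha256": "sample-03", "family": "Yahoyah", "decoy": "zh-TW budget spreadsheet",
     "mutexes": ["Global\\yy_77"], "c2_domains": ["update.tt-case1[.]example"],
     "c2_ips": ["203.0.113.10"]},
    {"sha256": "sample-04", "family": "PCShare", "decoy": "none",
     "mutexes": ["Global\\pcs_9"], "c2_domains": ["cdn.tt-case3[.]example"],
     "c2_ips": ["203.0.113.10"]},
]
# Four unrelated samples whose only common indicator is a builder-default
# mutex: exactly the kind of key that must not be used to link campaigns.
REPORTS += [
    {"sha256": f"sample-0{n}", "family": "Unrelated", "decoy": "none",
     "mutexes": ["Global\\builder_default"],
     "c2_domains": [f"host{n}.other[.]example"], "c2_ips": [f"198.51.100.{n}"]}
    for n in range(5, 9)
]

# An indicator shared by more samples than this is treated as generic
# (a builder default, a sinkhole, a shared CDN) and never used for linking.
NOISE_THRESHOLD = 3


def pivot_keys(report):
    """Yield (kind, value) pairs worth pivoting on for one report."""
    for m in report["mutexes"]:
        yield ("mutex", m)
    for d in report["c2_domains"]:
        yield ("c2_domain", d)
    for ip in report["c2_ips"]:
        yield ("c2_ip", ip)


def cluster_reports(reports, noise_threshold=NOISE_THRESHOLD):
    """Group samples that share a pivot key (transitively) with union-find.

    Returns (clusters, weak_keys, links): clusters is a sorted list of sorted
    sample-id lists; weak_keys are the keys seen in more than noise_threshold
    samples and therefore ignored; links maps each linked sample to the keys
    that tied it to at least one other sample."""
    index = defaultdict(set)
    for r in reports:
        for key in pivot_keys(r):
            index[key].add(r["sha256"])

    parent = {r["sha256"]: r["sha256"] for r in reports}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    weak_keys = {k for k, ids in index.items() if len(ids) > noise_threshold}
    links = defaultdict(set)
    for key, ids in index.items():
        if key in weak_keys or len(ids) < 2:
            continue
        ordered = sorted(ids)
        for a, b in zip(ordered, ordered[1:]):
            union(a, b)
        for s in ordered:
            links[s].add(key)

    groups = defaultdict(list)
    for s in parent:
        groups[find(s)].append(s)
    clusters = sorted(sorted(g) for g in groups.values())
    return clusters, weak_keys, dict(links)


if __name__ == "__main__":
    clusters, weak, links = cluster_reports(REPORTS)
    for group in clusters:
        keys = sorted({k for s in group for k in links.get(s, ())})
        print(group, keys)
    print("ignored as generic:", sorted(weak))
```

With the threshold at 3 the four constructed Tropic Trooper-style reports collapse into one cluster (the two Poison Ivy samples through the mutex, the Yahoyah and PCShare samples through the shared C2 host), while the four samples that only share the builder-default mutex stay apart. Raising the threshold makes those four merge, which is what happens in practice when an analyst pivots on a default mutex without checking how common it is.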

Page 17:

Malware ROVER used to target the Indian Ambassador to Afghanistan

Page 18:

SPEAR-PHISHING EMAIL

TARGETED SPEAR-PHISHING EMAIL WAS SENT TO THE AMBASSADOR OF INDIA TO AFGHANISTAN

Page 19:

INFECTION FLOW

Page 20:

BACKDOOR COMMANDS

Page 21:

Proof of concept (POC) using the OpenCV library to capture video from the webcam

Page 22:

NetTraveler TARGETS DIPLOMAT OF UZBEKISTAN

TARGETED SPEAR-PHISHING EMAIL WAS SENT TO A DIPLOMAT OF UZBEKISTAN

Page 23:

NetTraveler Targets diplomat of Uzbekistan

Page 24:

Infection Flow

DLL SIDE-LOADING TECHNIQUE USED TO DROP THE MAIN NETTRAVELER PAYLOAD

Page 25:

NetTraveler configuration

NetTraveler obtaining its configuration from rastls.dll

Page 26:

NetTraveler DLL embedded in sycmentec.config

Page 27:

C2 Infrastructure

The C2 resolves to 98.126.38[.]107, which is hosted by Krypt Technologies.

Page 28:

DLL side-loading techniques continue to be used

JPCERT/CC report on attacks targeting Japan

South Korean media reports on recent attacks
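The NetTraveler dropper on slides 24 to 26 and the Japanese and South Korean cases cited here share one shape: a legitimately signed executable is dropped into a user-writable directory and loads an attacker-supplied DLL from that same directory, because the Windows loader searches the application directory before the system directories. The Python below is an added example, not Unit 42 code, of hunting that shape in image-load telemetry. The events are constructed records laid out like Sysmon Event ID 7 (ImageLoad) with the host binary's signer added as an assumed enrichment field (Sysmon's Event 7 only carries the loaded DLL's signature); the host executable names, paths and signers are hypothetical, and rastls.dll appears only because the slide names it.

```python
"""Hunting heuristic for DLL side-loading over image-load telemetry.

Added example for this page, not Unit 42 code.  EVENTS are constructed
records shaped like Sysmon Event ID 7 (ImageLoad); the "ImageSigner" field
is an assumed enrichment (Sysmon's Event 7 only carries the loaded DLL's
signature), and every path, name and signer below is hypothetical except
rastls.dll, which the slide names.
"""
from pathlib import PureWindowsPath

# Directories an ordinary user cannot write to.  A DLL loaded from a
# user-writable directory beside its host binary is the side-loading shape;
# the same load from a protected install directory is normal application
# behaviour.  Assumption: the system drive is C:.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

EVENTS = [
    # 1. Signed vendor binary dropped into AppData loads an unsigned DLL beside it.
    {"Image": r"C:\Users\alice\AppData\Roaming\Updater\hypothetical_host.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Updater\rastls.dll",
     "ImageSigner": "Example Vendor Inc.", "LoadedSigner": ""},
    # 2. Browser loading its own DLL from its protected install directory.
    {"Image": r"C:\Program Files\Example Browser\browser.exe",
     "ImageLoaded": r"C:\Program Files\Example Browser\browser_elf.dll",
     "ImageSigner": "Example Browser LLC", "LoadedSigner": "Example Browser LLC"},
    # 3. Portable tool in Downloads: host and DLL carry the same signature.
    {"Image": r"C:\Users\alice\Downloads\portable\tool.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\portable\tool_core.dll",
     "ImageSigner": "Tool Co", "LoadedSigner": "Tool Co"},
    # 4. Unsigned installer in Temp loads a DLL bearing a system DLL's name beside it.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\7z1\setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\7z1\version.dll",
     "ImageSigner": "", "LoadedSigner": ""},
    # 5. Same host as 1 loading the real version.dll from System32 (normal).
    {"Image": r"C:\Users\alice\AppData\Roaming\Updater\hypothetical_host.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "ImageSigner": "Example Vendor Inc.", "LoadedSigner": "Microsoft Windows"},
    # 6. Signed host loads a DLL signed by a different publisher from its own folder.
    {"Image": r"C:\Users\alice\Downloads\pkg\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\pkg\msimg32.dll",
     "ImageSigner": "Example Vendor Inc.", "LoadedSigner": "Someone Else Ltd"},
]


def is_trusted_dir(path) -> bool:
    """True if path lies under a root an ordinary user cannot write to."""
    d = str(path).lower().rstrip("\\") + "\\"
    return d.startswith(TRUSTED_ROOTS)


def side_load_findings(events):
    """Return one finding per event that matches the side-loading shape."""
    findings = []
    for e in events:
        exe = PureWindowsPath(e["Image"])
        dll = PureWindowsPath(e["ImageLoaded"])
        # Side-loading relies on the loader searching the application directory
        # first, so only same-directory loads are of interest.
        if str(exe.parent).lower() != str(dll.parent).lower():
            continue
        if is_trusted_dir(dll.parent):
            continue
        host_signer = e.get("ImageSigner", "")
        dll_signer = e.get("LoadedSigner", "")
        if dll_signer and dll_signer == host_signer:
            continue  # a vendor shipping its own signed DLL next to its binary
        if host_signer:
            severity = "high"
            reason = "signed host loaded an unsigned or foreign-signed DLL from its own user-writable directory"
        else:
            severity = "medium"
            reason = "unsigned host loaded a DLL from its own user-writable directory"
        findings.append({"severity": severity, "host": exe.name, "dll": dll.name,
                         "directory": str(dll.parent), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in side_load_findings(EVENTS):
        print(f"[{f['severity']}] {f['host']} -> {f['dll']} in {f['directory']}: {f['reason']}")
```

The signer comparison is what keeps the noise down: a signed host loading an unsigned DLL from AppData is the NetTraveler pattern and ranks high, a portable application shipping its own DLL under the same signature is skipped, and an unsigned host doing the same thing is worth a look but proves less. The heuristic deliberately ignores Program Files, so an attacker who already has administrator rights and plants a DLL there is out of scope for it.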

Page 29:

What do we learn from the attacks?

Threat actors continue to use old, proven exploits, and they still work.

Threat actors employ new techniques to bypass traditional security systems. We need to understand their TTPs to defend against these threats.

Asia Pacific continues to experience a large and growing number of targeted cyber attacks.

Many threat actors keep using the same hosting providers for their C2 infrastructure.

Page 30:

WAY FORWARD

The risk from these attacks can be reduced significantly if systems are patched on a timely basis. PATCH PATCH PATCH!!!

We need to understand the TTPs to better defend against the threats.

Focus on preventing a successful cyber attack.

Education on the modus operandi of the threat actors.

Unit 42 research, including TTPs and IOCs, is publicly accessible. Tools and resources are also published on GitHub.

Page 31:

Questions?

THANK YOU