Legal Informatics, Privacy and Cyber Crime
Part Three: Advanced Attacks on IT
Sandro Etalle, 2018/2019
BOLOGNA BUSINESS SCHOOL, Alma Mater Studiorum Università di Bologna

Material
Underlying material [OBLIGATORY READ!]:
- On Ransomware:

  petya-malware-what-you-need-to-know-now.html
- On Equifax: Bruce Schneier on the Equifax Hack
- (The Hacking Team Hack)
- On DDoS: Stress Testing the Booters: Understanding and Undermining the Business of DDoS Services, by Mohammad Karami, Youngsam Park, Damon McCoy, 2015

Material (part 2)
Underlying material [OBLIGATORY READ!]:

- [literature: the last Internet Security Threat Reports by Symantec]
- Branch, Federal Network Resilience Cybersecurity Assurance. Unintentional Insider Threats: Social Engineering. (2014). Only the sections: 3, 5, 6.1, 6.2, 6.3. Available at .pdf

/ name of department 03/03/2020 PAGE 3

Latest news
oded-Credentials-Information-Disclosure.html
The myPrint Windows client version and myPrint Android client version 2.2.7 are both affected.

RANSOMWARE

Ransomware attacks and evolution
Sources:
[1] ggest-ransomware-attacks-of-the-last-5-years.html
[2] -ransomware-and-notpetya-malware-what-you-need-to-know-now.html

Cryptolocker (2013)

Cryptolocker is to ransomware what Stuxnet is to attacks on critical infrastructure: there are earlier examples of ransomware, but this is the first showing a serious and replicable business case. CryptoLocker "opened the floodgates" to many other varieties of file-encryption ransomware, some of which were derived from CryptoLocker's code and some of which were given the CryptoLocker name or a close variant but were written from scratch. The variants overall harvested about $3 million in ransom fees; one of them was CryptoWall, which by 2015 accounted for more than half of all ransomware infections.

CryptoLocker: some details
Vector: spam emails (you had to click on the attachment)
- The most common method of infection is via emails with unknown attachments. Although the attachments often appear to be familiar file types such as *.doc or *.pdf, they in fact carry a double extension that hides an executable (*.exe). Once opened, the attachment creates a window and activates a downloader, which infects your computer. Because the program is a Trojan, it cannot self-replicate, meaning it must be downloaded to infect your computer. - From

- Spreading via the Gameover Zeus botnet. Zeus = the malware; Gameover Zeus = the p2p botnet that managed it.
Encryption method: RSA

End of CryptoLocker: Operation Tovar (from Wikipedia)
Operation Tovar (2014) is an international

collaborative operation carried out by law enforcement agencies from multiple countries against the Gameover ZeuS botnet, which is believed by the investigators to have been used in bank fraud and the distribution of the CryptoLocker ransomware.[1] Participants include the U.S. Department of Justice, Europol, the FBI and the U.K. National Crime Agency, the South African Police Service, together with a number of security companies and academic researchers,[2][3] including Dell SecureWorks, Deloitte Cyber Risk Services, Microsoft Corporation, Afilias, F-Secure, Level 3 Communications, McAfee, Neustar, Shadowserver, Anubisnetworks, Symantec, Heimdal Security, Sophos and Trend Micro, and academic researchers from Carnegie Mellon University, the Georgia Institute of Technology,[4] VU University Amsterdam and Saarland University.[2] Other law enforcement organizations involved include the Australian Federal Police; the National Police of the Netherlands' National High Tech Crime Unit; the European Cybercrime Centre (EC3); Germany's Bundeskriminalamt; France's Police Judiciaire; Italy's Polizia Postale e delle Comunicazioni; Japan's National Police Agency; Luxembourg's Police Grand Ducale; New Zealand Police; the Royal Canadian Mounted Police; and Ukraine's Ministry of Internal Affairs' Division for Combating Cyber Crime. The Defense Criminal Investigative Service of the U.S. Department of Defense also participated in the investigation.[4]

Discuss the asymmetry.

Ransomware: Early Examples
- Platform: WIN, spreading through mail attachments (you had to click on them)
- 2013 Cryptolocker, using RSA
- 2015 TeslaCrypt; smarter encryption of specific files. Authors stopped

with criminal activities in 2016 and released the master key
- Mobile version: SimpleLocker. Platform: Android

2016: Petya
- Spreading mechanism: attachments (still)
- The next step in ransomware evolution: not real encryption, but it overwrites the master boot record (it installs its own boot loader); the files are there but you can't find them.
- Later bundled with a file-encrypting program: Mischa

2017: WannaCry Ransomware

"was easily the worst ransomware attack in history," says Avast's Penn. "On May 12th, the ransomware started taking hold in Europe. Just four days later, Avast had detected more than 250,000 detections in 116 countries."
- Spreads like a worm, no human intervention
- "the first wave of attacks that maliciously utilized leaked hacking tools from the NSA", in this case EternalBlue, an SMB exploit

2017: NotPetya (Virus!)
Spreads without human intervention, using various mechanisms:
- EternalBlue (the SMB exploit also used by WannaCry; NotPetya was actually updated with this exploit a few weeks after the WannaCry outbreak), and EternalRomance, another NSA-created exploit
- The original infection vector appears to be via a backdoor planted in M.E.Doc, an accounting software package that's used by almost every company in Ukraine.
NotPetya encrypts everything and demands a ransom, but it is not ransomware: the victim can pay, but the encryption key is random.
Quick improvement over Petya => creator with a lot of resources (state based?)
Ukraine accused Russia (which replied that many Russian computers had been hit as well). (-and-notpetya-malware-what-you-need-to-know-now.html)

NSA, EternalBlue and the Shadow Brokers
The EternalBlue exploitation tool was leaked by The Shadow Brokers group on April 14, 2017. The Shadow Brokers claim to have stolen hacking tools from the NSA, then offered them for sale in their fifth leak, "Lost in Translation". The leak included many exploitation tools like EternalBlue. The NSA created a framework (like Metasploit) named FuzzBunch, which was part of the leak.

Exit of the Shadow Brokers in early 2017
ddlers-the-shadow-brokers-call-it-quits
My take: when the NSA is after you, even the best hackers are in trouble. They had arrested one guy, who apparently is not part of the team.

DATA LEAKAGE

Equifax Hack: anatomy (simple)
Direct attack on the web server (Apache)
- On March 6, 2017, The Apache Software Foundation published a security advisory about a new vulnerability affecting the Apache Struts 2 framework. By manipulating certain HTTP headers, an attacker could easily execute system

commands on affected systems.
- This is the kind of vulnerability you need to act on swiftly. QUESTION: WHY? (answers on the next page)
- A software update to patch the flaw was issued in March, one day after it was first discovered. But hackers were able to collect data from mid-May to July, when the credit bureau says it finally stopped the intrusion. The Equifax data compromise was due to their failure to install the security updates provided in a timely manner.
- Exposed the personal data of more than 143 million consumers.

Remarks/Answers
When a vulnerability is made public, the whole hacking world will know of it. Many will try it.

A vulnerability that allows a direct attack lets the attacker be opportunistic (attackers look around for unpatched systems and then decide whom to hack). Because of the prolific black market, it is now easy for any attacker to monetize whatever they find inside a company: credentials, credit cards, etc.

Equifax Hack: consequences

From
The hackers made off with the most crucial tools that identity thieves need to impersonate you. The worst-case scenario is a very real threat to millions of Americans. If the stolen information from Equifax gets into the wrong hands, experts say data thieves can open bank accounts, lines of credit, new credit cards and even drivers' licenses in your name. They can saddle you with speeding tickets, steal your tax refund, swipe your Social Security check and prevent you from getting prescription drugs.

Bruce Schneier on the Equifax hack
1. The Equifax breach was a serious security breach that puts

millions of Americans at risk.
- The attackers got access to full names, Social Security numbers, birth dates, addresses, and driver's license numbers.
- This is exactly the sort of information criminals can use to impersonate victims to banks, credit card companies, insurance companies, cell phone companies and other businesses vulnerable to fraud.
2. Equifax was solely at fault.
- There was a patch for the critical vulnerability; Equifax failed to install it for two months. Plus other security failures.

Bruce Schneier on the Equifax hack 2: data brokers and market failures
3 & 4. There are thousands of data brokers with similarly intimate

information, similarly at risk. They hide their actions, and make it difficult for consumers to learn about or control their data.
- Equifax is more than a credit reporting agency. It's a data broker. It collects information about all of us, analyzes it all, and then sells those insights. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about us -- almost all of them companies you've never heard of and have no business relationship with.
5 & 6. The existing regulatory structure is inadequate. The market cannot fix this because we are not the customers of data brokers.
- We are the product that these companies sell to their customers: those who want to use our personal information to understand us, categorize us, make decisions about us, and persuade us.
- Worse, the financial markets reward bad security. Given the choice between

increasing their cybersecurity budget by 5%, or saving that money and taking the chance, a rational CEO chooses to save the money.

HACKING TEAM HACK

Good attacks are unstoppable
"Hacking Team had very little exposed to the internet. [...] So, I had three

options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit."

And embedded systems are among the weak links
Interesting account of the Hacking Team Hack -

Read it! The attacker
- got in by reverse engineering a router and finding a vulnerability
- always had several alternatives

APT 28 and 29 (2018)
Source: g-faq
Disclaimer: as usual,
- We are not interested in the political standing of the parties involved
- In this course, we do not choose a side
- We do not endorse the reports we cite; in particular, we do not endorse the political standing (if any) of the reports we cite
- We are interested in the mechanisms and the consequences of an attack

APT 28
AKA Sofacy, Fancy Bear, Swallowtail, Tsar Team, Sednit
Active since at least January 2007

Believed to be from Russia. The group was initially known for traditional, information-stealing espionage campaigns, targeting governments in the U.S. and Europe. It became involved in more covert, disruptive operations in the run-up to the 2016 U.S. presidential election (goal: information exfiltration). It was also responsible for the 2016 attack on the World Anti-Doping Agency (WADA) and the subsequent leak of drug testing information.

APT 29
AKA: Dukes, Group 100, Cozy Duke, CozyDuke, EuroAPT, CozyBear, CozyCar, Cozer, Office Monkeys, OfficeMonkeys, APT29, Cozy Bear, The Dukes, Minidionis, SeaDuke, Hammer Toss
Believed to be from Russia, but a different group than APT28

Attribution of APT 29
cial-intel-about-russia-s-interference-in-us-elections~b4f8111b/

Attribution of APT 29 (2)
Summer of 2014. A hacker from the Dutch intelligence agency AIVD has penetrated the computer network of a university building next to the Red Square in Moscow, oblivious to the implications. One year later, from the AIVD headquarters in Zoetermeer, he and

his colleagues witness Russian hackers launching an attack on the Democratic Party in the United States. The AIVD hackers had not infiltrated just any building; they were in the computer network of the infamous Russian hacker group Cozy Bear. And unbeknownst to the Russians, they could see everything.

APT 28 vs 29

We saw them for the first time in 2016

APT 29 strikes back (2018)
y-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html

APT 29 2018 Campaign (according to FireEye)
Targets: multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government, and defense contracting.
The attempts involved a phishing email appearing to be from the U.S. Department of State with links to zip files containing malicious Windows shortcuts that delivered Cobalt Strike Beacon.
Shared technical artifacts; tactics, techniques, and procedures (TTPs); and targeting connect this activity to previously observed

activity suspected to be APT29. APT29 is known to transition away from phishing implants within hours of initial compromise.

APT 29: the infrastructure
The attacker appears to have compromised the email server of a hospital and the corporate website of a consulting company in order to use their infrastructure to send phishing emails.

The phishing emails were made to look as if they came from a Public Affairs official at the U.S. Department of State, were hosted on a page made to look like another Department of State Public Affairs official's personal drive, and used a legitimate Department of State form as a decoy. The attacker used unique links in each phishing email, and the links that FireEye observed were used to download a ZIP archive that contained a weaponized Windows shortcut file, launching both a benign decoy document and a Cobalt Strike Beacon backdoor, customized by the attacker to blend in with legitimate network traffic.

APT 29 Attribution
There are several similarities and technical overlaps between the 14 November 2018 phishing campaign and the suspected APT29 phishing campaign of 9 November 2016. Both came right after the US elections. Similarities include using the same system to weaponize a Windows

shortcut (LNK) file

Some technical details
During the phishing campaign, there were indications that the site hosting the malware was selectively serving payloads. For example, requests using incorrect HTTP headers reportedly served ZIP archives containing only the benign, publicly available Department of State form.

The threat actor crafted the phishing emails to masquerade as a U.S. Department of State Public Affairs official sharing an official document. The links led to a ZIP archive that contained a weaponized Windows shortcut file hosted on a likely compromised legitimate domain, jmj[.].com. Upon execution, the shortcut file dropped a benign, publicly available, U.S. Department of State form and Cobalt Strike Beacon. Cobalt Strike is a commercially available post-exploitation framework.
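The two lures on these slides, CryptoLocker's double-extension mail attachments and APT29's ZIP archive carrying a Windows shortcut (.lnk), can be caught by the same gateway-style triage of attachments and downloaded archives. This is an added example written for this page, not code from the slides or from any vendor report; the extension lists, the filenames and the sample archives are constructed.

```python
import io
import zipfile

# Final extensions that Windows executes or interprets rather than displays.
# .lnk is included because a shortcut's target runs when the shortcut is opened,
# and Explorer never shows the .lnk suffix, even with "hide extensions" off.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk"}
# Extensions a recipient reads as "just a document".
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}
ARCHIVE_EXTS = {"zip"}


def classify_name(filename):
    """Reasons (possibly none) why a bare filename looks like a disguised executable."""
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return reasons                      # no extension at all
    last = parts[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + last)
        # CryptoLocker-style lure: "invoice.pdf.exe" is shown as "invoice.pdf"
        # on a Windows box that hides known extensions.
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            reasons.append("double extension, presented as ." + parts[-2])
    return reasons


def inspect_zip(data):
    """Return [(member, reasons)] for archive members that would run when opened."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            reasons = classify_name(base)
            if reasons:
                flagged.append((info.filename, reasons))
    return flagged


def triage_attachment(filename, data=b""):
    """Verdict for one attachment: ("block" | "allow", list of reasons)."""
    reasons = classify_name(filename)
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext in ARCHIVE_EXTS and data:
        try:
            # APT29-style lure: a ZIP holding a decoy document plus a .lnk.
            for member, why in inspect_zip(data):
                reasons.append("archive member %s: %s" % (member, "; ".join(why)))
        except zipfile.BadZipFile:
            reasons.append("named .zip but not a valid zip archive")
    return ("block" if reasons else "allow", reasons)


def build_zip(members):
    """Constructed sample archive from {member name: bytes} (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a CryptoLocker-style name, a clean document,
    # an APT29-style archive (decoy PDF plus a shortcut) and a corrupt archive.
    samples = [
        ("Invoice_2013.pdf.exe", b""),
        ("quarterly_report.pdf", b""),
        ("Public_Affairs_doc.zip", build_zip({
            "decoy_form.pdf": b"%PDF-1.4 benign decoy",
            "Open Document.lnk": b"L\x00\x00\x00 constructed stub",
        })),
        ("broken.zip", b"not really a zip"),
    ]
    for name, payload in samples:
        verdict, why = triage_attachment(name, payload)
        print("%-24s %-5s %s" % (name, verdict, "; ".join(why)))
```

Because the APT29 host served a benign-only archive to requests with the wrong HTTP headers, an analyst's own download of a link may differ from what the victim received; run the triage on the archive that was actually delivered.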

Material
Underlying material [OBLIGATORY READ!]:
- [literature: the last two Internet Security Threat Reports by Symantec]
- Branch, Federal Network Resilience Cybersecurity Assurance. Unintentional Insider Threats: Social Engineering. (2014). Only the sections: 3, 5, 6.1, 6.2, 6.3. Available at .pdf
- Stress Testing the Booters: Understanding and Undermining the Business of DDoS Services, by Mohammad Karami, Youngsam Park, Damon McCoy, 2015

DDOS

2 types of DDoS
Sophisticated
- MS and Sony 2014
- Dyn 2016 (1000 gigabit per second?)
- Some of them were allegedly done by professionals for marketing reasons

Unsophisticated: Booters
- Low-cost DDoS for hire
- The subject of the paper
Methodology used in the paper: leaked and scraped data from three booters (Asylum Stresser, Lizard Stresser and VDO)
- Actively used 23 booter services
- 6000 subscribers
- 600,000 attacks

Some Facts
The majority of booter customers pay via PayPal. As part of this subscription model, customers or subscribers can

launch an unlimited number of attacks that have a duration typically ranging from 30 seconds to 1-3 hours and are limited to 1-4 concurrent attacks depending on the tier of subscription purchased.
Price range: $10-$300 USD per month.
These services can be found by visiting underground forums where they advertise, and by web searches for terms such as "stresser" and "booter". The services are all in English; the researchers did not find any evidence of similar services focused on other markets, such as Asia or Russia.

Procedure
The customer first locates a booter site and visits their frontend webserver. The customer must next purchase a subscription using a payment

method, such as Bitcoin or PayPal. The customer then uses the frontend interface to request a DDoS attack against a victim. This request is forwarded from the frontend server to one of the backend attack servers. The backend server then sends spoofed request packets to a set of previously identified misconfigured amplification servers. Finally, DDoS traffic in the form of replies is sent to the victim from the amplification servers.

INSIDER DANGER

UNINTENTIONAL INSIDER THREATS: SOCIAL ENGINEERING

Only the sections: 3, 5, 6.1, 6.2, 6.3

Definition: an unintentional insider threat is (1) a current or former employee, contractor, or business partner (2) who has or had authorized access to an organization's network, system, or data and who, (3) through action or inaction without malicious intent, (4) unwittingly causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the

organization's resources or assets, including information, information systems, or financial systems.

Taxonomy of Social Engineering

Procedures: one or two stages

Case 1 of 3 (from the book Targeted Attacks)

INDUSTRY: Information and telecommunication
STAGING: Single
INCIDENT: Attackers sent an innocent-looking email to news service staffers urging them to click on a link to an important article on another news organization's blog that, unknown to the victims, would infect their computers

with malware. The malware allowed the hackers to capture passwords to the news service's Twitter account.
BREACH: Access to the news service's Twitter account allowed the attacker to send an erroneous Tweet warning of two explosions in a government building.
OUTCOME: Within minutes, the bogus story had a brief but very real effect on the stock market, causing it to drop significantly. This stock market loss was made up after the story was confirmed to be false. This was the second widespread social engineering attack on the news service, which had implemented extensive training after the first.

Case 2 of 3

INDUSTRY: Computer manufacturer
STAGING: Single
INCIDENT: Malware to attack computer manufacturers was spread through a website for software developers. The website advertised a Java plug-in that could be installed on desktops.

BREACH: A few employees of one reported company installed the so-called Java plug-in, which was in fact cleverly placed malware. The incident affected a small number of systems.
OUTCOME: The manufacturer worked with law enforcement to find the source of the malware. The manufacturer's native antimalware software was able to catch the malware and isolate it.

Case of a two-staged attack
First stage: general-purpose phishing aimed at people who have little security training.

Eg: (from )
Then reconnaissance (gathering of intelligence for the second stage).
Second stage: customized spearphishing to the executives.

Case 3 of 3

INDUSTRY: Banking and finance, manufacturing
STAGING: Multiple
INCIDENT: The phisher impersonated the company's bank, requesting information to address security concerns. The insider clicked on a link in a phishing email and entered confidential information.
Stage 1 - phishing to multiple bank customers

Stage 2 - spear phishing to executives with likely wire-transfer authority
BREACH: The disclosure included credentials and passwords that enabled outsiders to transfer funds to accounts in several countries.
OUTCOME: The bank was able to reverse 70 percent of the total money lost.
RESPONSE: The company recovered the remainder in a court settlement resulting from a lawsuit brought against the bank.

OLD: Articles for the discussion on the 19th

- 2018 Internet Security Threat Report, available at
- Branch, Federal Network Resilience Cybersecurity Assurance. Unintentional Insider Threats: Social Engineering. (2014). Only the sections: 3, 5, 6.1, 6.2, 6.3. Available at
- M. Karami, Y. Park, D. McCoy. Stress Testing the Booters: Understanding and Undermining the Business of DDoS Services. WWW '16, Proceedings of the 25th

International Conference on World Wide Web, pages 1033-1043 (for the assignments). Available at
- Michel van Eeten, Katsunari Yoshioka, Daisuke Makita, Carlos Hernandez Gañán, Maciej Korczyński, Arman Noroozian. Who Gets the Boot? Analyzing Victimization by DDoS-as-a-Service. Proceedings of RAID 2016 (for the assignments). Available at

QUESTIONS?

In Synthesis
Where the Super
