Tag Archives: INTERPOL World 2017

Kaspersky Lab on the Palaeontology of Cybersecurity

The Kaspersky Palaeontology of Cybersecurity Conference

Last week, Kaspersky Lab invited us to their security conference on the sidelines of INTERPOL World 2017. Titled The Palaeontology of Cybersecurity, it focused on Kaspersky Lab’s efforts and abilities in dissecting malware and cyberattacks and tracing their sources.

It was a riveting look at how they tackled the thousands of cybersecurity threats that are active every day – from those that hit the news, like WannaCry and NotPetya, to those that continue to quietly cause damage and losses to consumers and corporations alike.

We also had the opportunity to hear from Eugene Kaspersky himself, as well as Jason Wells, an ex-military intelligence officer, who now helps companies tackle electronic surveillance and corporate espionage. Finally, we had a whole hour to grill them all on anything we wanted!

A lot was covered during the conference, so we will split them up into multiple articles:

We also had the opportunity to grill Eugene Kaspersky on his run-in with the US Senate. Make sure you check out our exclusive conversation with him:

For the video clips and a quick summary of each, please continue below.

 

The Palaeontology Of Cyberattacks

Vitaly Kamluk shared how Kaspersky Lab performed digital forensics, literally the palaeontology of digital monsters, to trace their creators and to learn how to shut them down.

Please check out the full article on his presentation > The Palaeontology of Cyberattacks by Vitaly Kamluk.

The BitScout Cyber Forensics Tool Revealed!

BitScout is a free and open-source tool that can be used for the remote forensic investigation or collection of data from a compromised system, without risk of contamination or loss of data.

Please check out the full article on BitScout > The BitScout Free Cyber Forensics Tool Revealed!

 

South Korean Cyberattacks – From Military To ATM

Seongsu Park details how Kaspersky GReAT researchers traced the disparate South Korean cyberattacks and found the similarities that connected them.

Please check out the full article on his presentation > The South Korean Cyberattacks – From Military To ATM

Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!

The Spring Dragon / Lotus Blossom Advanced Persistent Threat

Noushin Shabab recounts how her team tracked the Spring Dragon APT (Advanced Persistent Threat) attacks across the South China Sea region.

Please check out the full article on her presentation > Tracking The Spring Dragon Advanced Persistent Threat.

 

The Latest Cyber Technical Surveillance Counter-Measures (TSCM)

Former military intelligence officer Jason Wells gives an overview of cyber technical surveillance counter-measures over the years and in the future!

Please check out the full article on his presentation > The Latest Cyber Technical Surveillance Counter-Measures (TSCM)

 

Cyberspace – The Survival Guide

In this engaging 35-minute talk, Eugene Kaspersky shares with us his opinions on the evolving cybersecurity threats and how we can survive them.

Please check out the full article on his presentation > Eugene Kaspersky Presents Cyberspace – The Survival Guide

The Kaspersky Lab Security Conference Q&A Session

At the end of the conference, we had an hour to question the Kaspersky Lab experts, Eugene Kaspersky and Jason Wells. Check out the complete Q&A session!

 

Eugene Kaspersky Interview Exclusive: No Kremlin Ties!

I took the opportunity to grill Mr. Kaspersky on his run-in with the US Senate over accusations of personal ties to the Kremlin and close affiliation with Russian intelligence agencies. Check out this exclusive video of our exchange!

Please check out the full article on this exclusive interview > Eugene Kaspersky Interview Exclusive: No Kremlin Ties!

Eugene Kaspersky Presents Cyberspace – The Survival Guide

As the Chairman and CEO of Kaspersky Lab, Eugene Kaspersky is no stranger to cybersecurity. In fact, he created his first antivirus software while serving in the Russian Ministry of Defense in 1989 – 8 years before he founded his eponymous cybersecurity firm.

His credentials, as far as cybersecurity goes, are impeccable. That is why his keynote speech entitled “Cyberspace – The Survival Guide” was arguably the highlight of the Kaspersky Lab Palaeontology of Cybersecurity conference.

Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!

 

Eugene Kaspersky Presents Cyberspace – The Survival Guide

In this engaging 35-minute talk, Eugene Kaspersky shares with us his opinions on the evolving cybersecurity threats and how we can survive them.

Here are the key takeaway points from Eugene Kaspersky’s keynote talk:

  • Eugene Kaspersky still uses an old Sony Ericsson feature phone, which he says is “unhackable”.
  • Microsoft Windows is still the main target of cyberattacks, because it’s still the most popular operating system and the default operating system for many enterprises.
  • Cyberattacks are increasingly shifting to the mobile platform, targeting the Android operating system in particular.
  • The Mac OS platform is relatively safe because there are still not that many Mac users, or Mac programmers who can craft malware to target them.
  • However, Eugene Kaspersky (pointing at my MacBook Pro) says that Mac OS is much more vulnerable than Microsoft Windows from a cybersecurity point of view. It is only “safer” because there are not many cybercriminals who can exploit this.
  • The threat of Linux malware is growing very fast, because Internet of Things (IoT) devices are mostly Linux-based.
  • iOS attacks are limited because their zero-day vulnerabilities are very expensive for cybercriminals to purchase.
  • Kaspersky Lab collects about 300,000 unique malicious code samples per day, or more than 2 million unique code samples a week.
  • The growth in malware is exponential. Kaspersky Lab took 20 years to collect their first million unique malware code samples, but just one week in 2016 to collect 2.2 million unique malware code samples.
  • The good news is that Kaspersky Lab processes these malware code samples automatically 99.9% of the time, using self-learning machine algorithms.
  • Eugene Kaspersky dismisses the tech industry’s use of the term “artificial intelligence”, insisting that these systems are more accurately described as “self-learning machine algorithms”.
  • Unfortunately, there is a marked growth in highly sophisticated state-sponsored and criminal cyberattacks that cannot be addressed by these means.
  • Cybercrime now costs the world US$450 billion in losses every year – the equivalent of 13 years’ worth of budget for all of the world’s space programmes combined.
  • IoT (Internet of Things) devices are the new frontier. There are now more IoT devices than human beings on Earth. The danger lies in the fact that most of them cannot be patched, and that they use common, standard passwords for easier manageability, which makes them easy to hack.
  • SCADA industrial control systems are also vulnerable to cyberattacks. There are now cybercriminals that target the SCADA systems of manufacturing and transportation companies, as well as state-sponsored attacks and possible terrorist attacks.
  • Eugene Kaspersky skipped past the Elections and Government Services slide, probably due to the recent US Senate accusations. I made it a point to ask him about that controversy during the Q&A session though.
  • Cybersecurity for individuals and SMBs (small and medium businesses) is easy to solve, because you can purchase and install cybersecurity software that will handle the common cybersecurity threats.
  • Enterprises, however, are under the additional threat of professional, targeted attacks. In addition to end-point protection, they will need to be able to predict and detect cyberattacks, and respond quickly to those that are identified.

Eugene ends his presentation by opining that a lot of work needs to be done to secure the world from cybercriminals, thanks to the prevalence of cyberspace in our lives.

Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!

Here is the complete set of Eugene Kaspersky’s presentation slides for his talk, Cyberspace – The Survival Guide for your perusal.

Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!

The Latest Cyber Technical Surveillance Counter-Measures

Jason Wells was a military intelligence officer for 17 years, before going into the private sector. He is now the Asia Pacific CEO of QCC Global – the world’s largest company specialising in TSCM (Technical Surveillance Counter-Measures). In this special presentation at the Kaspersky Lab Palaeontology of Cybersecurity Conference, he gave an overview of TSCM over the years before sharing the latest in Cyber TSCM, particularly with the upcoming 5G technology.

Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!

 

Cyber Technical Surveillance Counter-Measures

Like other members of QCC Global, Jason Wells is literally a poacher turned gamekeeper. He now helps organisations prevent their secrets from being leaked or intercepted by technical surveillance.

Here are the key takeaway points:

  • Physical keyloggers are still being used, because organisations ignore the risks.
  • Miniature GSM transmitters (smaller than a one Euro coin!) are now used to wirelessly transmit data over a third-party network.
  • Military-grade devices will use burst transmissions to avoid detection.
  • VoIP calls can be tapped – as long as the device or line can be accessed, all conversations can be recorded or copied.
  • Light modulation or laser eavesdropping devices are now available to listen from a great distance.
  • WiFi light bulbs can be modified to pick up voices and transmit them to nearby devices via subtle modulation of the light wavelength or frequency.
  • A key concern, other than the typical eavesdropping of corporate offices, is backdoor access to the Building Management Systems used in many modern buildings.
  • Public WiFi access points are a common source of “man-in-the-middle” attacks, where attackers set up free access points that mimic actual public access points.
  • Bluetooth technology is a boon to surveillance devices because it is very low-powered. With Bluetooth Class 5, they now have a much longer range (400 m) and twice the speed, while drawing less power.
  • Roughly 60% of the surveillance devices that QCC Global detects use cellular technology to transmit their data. The rest still use radio to transmit their data wirelessly.
  • Cellular technology gives an attacker great flexibility in areas of good coverage, because he can dispense with additional requirements like a listening post or rebroadcasters.
  • Using the cellular network also allows the listening device to hide amongst the many mobile devices nearby.
  • 5G technology will be a game-changer, offering new possibilities for technical surveillance.
  • With every 5G device always connected, it will be much, much harder for counter-surveillance companies like QCC Global to detect 5G listening devices.

Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!

 

The Presentation Slides

Here are Jason’s presentation slides on cyber technical surveillance counter-measures for your perusal:

Tracking The Spring Dragon Advanced Persistent Threat

In her role as a Senior Security Researcher in the Kaspersky Global Research & Analysis Team (GReAT), Noushin Shabab is responsible for the investigations of targeted cyberattacks with a primary focus on Australia and New Zealand. At the Kaspersky Lab Palaeontology of Cybersecurity conference, she recounted how her team tracked the Spring Dragon APT (Advanced Persistent Threat) attacks across the South China Sea region.

Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!

 

The Spring Dragon Advanced Persistent Threat

In early 2017, Kaspersky Lab researchers noted increased activity by an APT called Spring Dragon (also known as Lotus Blossom). The attacks involved new and evolved tools and techniques and targeted countries around the South China Sea. Kaspersky Lab’s experts have published their analysis of the attackers’ toolset over time in order to help organizations better understand the nature of the threat and protect themselves.

Spring Dragon is a long-running threat actor that has been targeting high-profile political, governmental and educational organisations in Asia since 2012. Kaspersky Lab has been tracking the APT for the last few years.

According to Kaspersky Lab telemetry, Taiwan had the largest number of attacks followed by Indonesia, Vietnam, the Philippines, Macau, Malaysia, Hong Kong and Thailand. To help organizations better understand and protect against the threat, Kaspersky Lab’s researchers have undertaken a detailed review of 600 Spring Dragon malware samples.

Kaspersky Lab’s overview of Spring Dragon’s tools shows that:

  • The attackers’ toolset includes a unique customised set of links to command and control servers for each malware: the malware samples contained more than 200 unique IP addresses overall.
  • This toolset was accompanied by customised installation data for each attack to make detection difficult.
  • The arsenal includes various backdoor modules with different characteristics and functionalities – although they all have the capability to download additional files to the victim’s machine, upload files to its servers and execute any executable file or command on the victim’s machine. This allows the attackers to undertake a number of malicious activities on the victim’s machine – particularly cyberespionage.
  • The malware compilation timestamps suggest a time zone of GMT +8 – although the experts warn that does not represent a reliable indicator of attribution.
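The GMT+8 inference in the last bullet comes from looking at when the samples were built. The following Python is an added example, not Kaspersky Lab's code: it applies the technique to a constructed set of PE compilation timestamps, discarding values that cannot be genuine, scoring each candidate UTC offset by how many builds fall in local working hours, and returning the best fit. The experts' caveat above applies to the result just as well, since the timestamp field is under the author's control.

```python
from datetime import datetime, timedelta, timezone

# Constructed corpus: PE TimeDateStamp values (32-bit seconds since the Unix
# epoch, from the COFF file header). The 12 "genuine" values are spread over
# one working week of early 2017; a real analysis would pull them from each
# sample with a PE parser. Two obviously forged values are mixed in.
_BASE = datetime(2017, 3, 6, tzinfo=timezone.utc)  # a Monday, 00:00 UTC
_GENUINE = [(0, 1, 12), (0, 3, 40), (0, 6, 5), (1, 2, 55), (1, 5, 30), (1, 9, 0),
            (2, 1, 45), (2, 4, 20), (2, 10, 10), (3, 2, 50), (3, 7, 35), (4, 8, 15)]
SAMPLE_TIMESTAMPS = [
    int((_BASE + timedelta(days=d, hours=h, minutes=m)).timestamp())
    for d, h, m in _GENUINE
] + [
    0,                                                           # zeroed by the build tool or by hand
    int(datetime(2030, 1, 1, tzinfo=timezone.utc).timestamp()),  # dated after the sample was seen
]
# Constructed date on which the newest sample was first observed in telemetry.
FIRST_SEEN = int(datetime(2017, 4, 1, tzinfo=timezone.utc).timestamp())

WORK_HOURS = range(9, 19)  # 09:00 to 18:59 local time


def plausible(timestamps, first_seen):
    """Drop values that cannot be real compile times: the zero value and
    anything later than first observation. Values that pass can still be
    forged, which is why the result is a weak indicator, not attribution."""
    return [ts for ts in timestamps if 0 < ts <= first_seen]


def local_hours(timestamps, utc_offset_hours):
    """Hour of day of each timestamp when viewed from the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return [datetime.fromtimestamp(ts, tz).hour for ts in timestamps]


def working_hour_score(timestamps, utc_offset_hours):
    """Fraction of samples compiled during local working hours under this offset."""
    hours = local_hours(timestamps, utc_offset_hours)
    return sum(h in WORK_HOURS for h in hours) / len(hours)


def hour_histogram(timestamps, utc_offset_hours):
    """Count of samples per local hour (0-23), the view an analyst would plot."""
    counts = [0] * 24
    for h in local_hours(timestamps, utc_offset_hours):
        counts[h] += 1
    return counts


def infer_timezone(timestamps, offsets=range(-12, 15)):
    """Return (offset, score) for the UTC offset under which the most samples
    fall into working hours; ties go to the offset closest to UTC."""
    scored = {off: working_hour_score(timestamps, off) for off in offsets}
    best = max(scored, key=lambda off: (scored[off], -abs(off)))
    return best, scored[best]


if __name__ == "__main__":
    usable = plausible(SAMPLE_TIMESTAMPS, FIRST_SEEN)
    offset, score = infer_timezone(usable)
    print(f"{len(usable)} of {len(SAMPLE_TIMESTAMPS)} timestamps usable")
    print(f"best fit: UTC{offset:+d} ({score:.0%} of builds in working hours)")
    print("local-hour histogram:", hour_histogram(usable, offset))
```

On the constructed corpus the two forged values are dropped and UTC+8 is the only offset that places every remaining build inside working hours.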

Noushin Shabab concludes, “We believe that Spring Dragon is going to continue resurfacing regularly in the Asian region and it’s important to be familiar with its tools and techniques. We encourage individuals and businesses to have good Yara rules and other detection mechanisms in place and strongly recommend they use – and regularly audit – a multi-layered approach to security.”

How Do You Protect Against Spring Dragon & Other APTs?

In order to protect your personal or business data from cyberattacks, Kaspersky Lab advises the following:

  • Implement an advanced, multi-layered security solution that covers all networks, systems and endpoints.
  • Educate and train your personnel on social engineering, as this method is often used to make a victim open a malicious document or click on an infected link.
  • Conduct regular security assessments of the organisation’s IT infrastructure.
  • Use Kaspersky’s Threat Intelligence, which tracks cyberattacks, incidents and threats and provides customers with up-to-date, relevant information that they would otherwise be unaware of. Find out more at intelreports@kaspersky.com.

The Spring Dragon (Lotus Blossom) APT Presentation Slides

Here is the complete set of slides from Noushin Shabab’s presentation on the Spring Dragon (Lotus Blossom) APT attacks.

Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!

Eugene Kaspersky Interview Exclusive: No Kremlin Ties!

At the end of the Kaspersky Lab Palaeontology of Cybersecurity conference, members of the press were allowed to question the panel of speakers, including Kaspersky Lab Chairman and CEO, Eugene Kaspersky himself.

I took the opportunity to grill Mr. Kaspersky on his run-in with the US Senate over accusations of personal ties to the Kremlin and close affiliation with Russian intelligence agencies. Check out this exclusive video of our exchange!

Don’t forget to check out the Kaspersky Palaeontology of Cybersecurity presentations!

 

Eugene Kaspersky On His Alleged Kremlin Ties

On 27 June 2017, FBI agents visited the homes of some Kaspersky Lab employees in the US. The very next day, Jeanne Shaheen (D-NH) introduced an amendment to a Pentagon spending bill that prohibits the US Department of Defense from “using software platforms developed by Kaspersky Lab”.

In response, Eugene Kaspersky (also known as Yevgeny Kaspersky) said that he would be willing to appear before the US Senate. He also offered to show Kaspersky’s source codes to the US government, if that will help assure them that there is nothing malicious in them.

The Eugene Kaspersky Interview Transcript

Here is a transcript of the exchange, with some paraphrasing. The Kaspersky APAC Director of GReAT, Vitaly Kamluk, also chipped in his 2 cents, as did Stephan Neumeier, the Managing Director of Kaspersky Lab Asia Pacific.

Tech ARP : You said that you would testify before the US Congress and share your source codes. Have they requested you to testify or share your source codes?

Eugene Kaspersky : We are under strange pressure from the United States. They point a finger at us, and say that we are a danger to the United States, without evidence.

They suspect that we have very strong ties with the Russian government. I’m very curious what’s [the evidence]? If not the names of the people, then at least the names of the agencies involved. Silence. So they don’t have any facts.

Okay, ask me to testify before the Senate, please.

Tech ARP : Have they done so?

Eugene Kaspersky : No! No, no, no.

Tech ARP : What about your offer to release the source codes to them? Have they accepted the offer?

Eugene Kaspersky : No! They speak a lot about us, but when we say “Let’s do some real investigation. We can open anything you want.”… Silence.

Tech ARP : Does your offer to release the source codes also extend to other countries, like China, for example?

Eugene Kaspersky : No! Not like this in any other country.

Tech ARP : So [the offer to release the source codes] is only for the United States?

Eugene Kaspersky : Actually we disclose some technologies in some other countries, but I’m not going to name those countries. We did it to comply with government contract requirements.

We are a transparent company. If you have any questions, just ask us. It’s not a problem at all. So we don’t have this kind of problem in any other country but the United States.

Tech ARP : Beyond the source code, there is also the concern about data collection on US DOD employees by Kaspersky Lab, which is a Russian company. Do you have a comment on this?

Eugene Kaspersky : We only collect suspicious pieces of data, that might be malware samples. We do not collect the user’s data.

Well, we collect the user’s data if the user is a cybercriminal. If he’s developing malicious code on a computer, we will take it (the malicious code) because it looks suspicious. But the rest of the data – we do not touch, and we don’t collect any user-identifiable data.

Actually, it’s very strange when the United States say that I can cooperate with the (Russian) secret services and disclose data, but I don’t have this data.

The most confidential information that we have in our company are the cyberattack incidence reports involving our customers. We help our customers to investigate these cyberattacks but we don’t share this data with anyone. There could be information about ongoing investigations, but we don’t share this information with anyone but the law enforcement agencies that are handling the case. That’s it.

We don’t have any user-identifiable data or enterprise data, unless it’s for an investigation of a cyberattack.

Vitaly Kamluk : I also want to add that the control of whether to share data (or not) is always in the user’s hands. We never force the collection of user’s data. You can switch it on or off.

We do not hard-code the collection of data. There is a control and it’s in the user’s hands. So if certain organisations or individuals are concerned about the collection of data, they can switch it off.

Eugene Kaspersky : Yes, they can switch it off.

Tech ARP : What about telemetry, statistics, etc?

Vitaly Kamluk : You can switch it off – malware detection statistics and even malware samples. This is in the user’s control – to share or not to share.

Eugene Kaspersky : In most of the cases, we don’t know who our users are. We see their product ID when their Kaspersky product connects to the cloud for updates, but we don’t know the name of their user.

Tech ARP : There are claims that you have connections or links to the Kremlin. Can you deny or acknowledge these claims?

Eugene Kaspersky : They are my customers. We cooperate with the cyber police forces in Russia.

Tech ARP : Are you Vladimir Putin’s friend?

Eugene Kaspersky : No. Is Putin my friend? No.

Mark (Moderator) : Is Donald Trump your friend?

Eugene Kaspersky : <Laughs> No. In my office, there is only one picture – my handshake with Angela Merkel. No more.

Stephan Neumeier : True.

Eugene Kaspersky : Did you see it?

Stephan Neumeier : Yes.

Eugene Kaspersky : Once I had a handshake with Lee Kuan Yew (former Prime Minister of Singapore), but unfortunately, I don’t have a picture of that.

Don’t forget to check out the Kaspersky Palaeontology of Cybersecurity presentations!

The BitScout Free Cyber Forensics Tool Revealed!

At the end of his Palaeontology of Cyberattacks keynote, the Kaspersky APAC Director of GReAT, Vitaly Kamluk, announced the public availability of his cyber forensics tool – BitScout. This is a free and open-source tool that can be used for the remote forensic investigation or collection of data from a compromised system, without risk of contamination or loss of data.

Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!

 

The BitScout Cyber Forensics Tool

BitScout was “created independently of the Kaspersky Lab product line” and is “outside [the] scope of [the] company’s business operation”. Vitaly intended for the BitScout tool to be used by cybersecurity researchers, high-tech crime units of law enforcement agencies (LEA), as well as educational institutions.

Legitimate owners of compromised systems may cooperate and help security researchers find the infection vector or other details about the attackers. However, it is a longstanding concern that the need for security researchers to travel long distances to collect crucial evidence (e.g. malware samples) from infected computers can result in expensive and delayed investigations.

The longer it takes for an attack to be understood, the longer it is before users are protected and perpetrators identified. However, the alternatives have either involved expensive tools and a knowledge of how to operate them, or the risk of contaminating or losing evidence by moving it between computers.

To solve the problem, security researchers can now use BitScout to remotely collect key forensic materials, acquire full disk images via the network or locally attached storage, or simply remotely assist in malware incident handling. Evidence data can be viewed and analyzed remotely or locally while the source data storage remains intact through reliable container-based isolation.

 

The BitScout Advantage

Kaspersky Lab experts work closely with law enforcement agencies across the world to help in the technical analysis of cyber investigations. This gives them a unique insight into the challenges LEA personnel face when fighting modern cybercrime.

The cybersecurity landscape is now so complex and sophisticated that investigators need tools that can adapt and scale to the demands of the job. BitScout is a good example of this. It can be adjusted to the particular needs of an investigator, and improved and upgraded with additional features and custom software.

Most importantly, it comes free of charge, is based on open-source solutions and is fully transparent: instead of relying on third-party tools with proprietary code, experts can use the BitScout open-source code to build their own Swiss Army knife for digital forensics. The list of BitScout features includes:

  • Disk image acquisition even with un-trained staff
  • Training people on the go (shared view-only terminal session)
  • Transferring complex pieces of data to your lab for deeper inspection
  • Remote Yara or AV scanning of offline systems (essential against rootkits)
  • Search and view registry keys (autoruns, services, plugged USB devices)
  • Remote file carving (recovering deleted files)
  • Remediation of the remote system if access is authorized by the owner
  • Remote scanning of other network nodes (useful for remote incident response)

BitScout is freely available at Vitaly Kamluk’s GitHub code repository here.

Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!

The Palaeontology of Cyberattacks by Vitaly Kamluk

Vitaly Kamluk is the Director of Global Research & Analysis Team (GReAT), Kaspersky Lab APAC. He has been involved in malware research at Kaspersky Lab since 2005. At the Kaspersky Lab Palaeontology of Cybersecurity conference, he gave the keynote speech on The Palaeontology of Cyberattacks.

He shared how Kaspersky Lab performed digital forensics, literally the palaeontology of digital monsters, to trace their creators and to learn how to shut them down. He also took the opportunity to officially announce the release of his open source, free remote forensics tool called BitScout.

Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!

 

The Palaeontology of Cyberattacks by Vitaly Kamluk

The Director of the APAC Kaspersky GReAT (Global Research & Analysis Team), Vitaly Kamluk, details how Kaspersky Lab dissects cyberattacks so they can take down their infrastructure and alert victims. He also talks about BitScout – the open-source digital tool he created to analyse and investigate these cyberattacks.

Here are the key takeaway points:

  • Stuxnet is an example of how malware can affect and even destroy objects in the real world.
  • Digital forensics is important because only by learning from the past can we prevent it from repeating in the future.
  • The art of tracing these cyberattacks takes time and involves multiple stages like:
    • Add detection for known modules and collect new samples
    • Reverse engineer the samples
    • Decrypt sophisticated encryption and compression schemes
    • Understand the lateral movement of the attacker
    • Outline multiple attack stages in the correct order
    • Map the command and control (C&C) infrastructure
    • Set up sinkholes – servers that they can redirect victims to, and analyse the collected traffic and protocols
    • Crawl other hosts that understand the same protocols, to check if they have been compromised as well
    • Take down and acquire images of the C&C servers to identify the attackers
    • Identify victims, send out notifications to warn them, and alert global CERTs
    • Apply forensics and extract logs, stolen files, etc.
    • Collect and analyse data from all sources
    • Write a comprehensive report
  • Zero day (0-day) vulnerabilities or exploits are rare and valuable. For example, one iOS 0-day exploit was priced at US$1.5 million.
  • Even old exploits (like the Silverlight 0-day) that have been exposed years ago are still usable, because not everyone updates their operating system.
  • In the case of the Silverlight exploit, Kaspersky Lab used signature code snippets from the creator’s own public code samples to identify a new 0-day Silverlight exploit that he created as well.
  • Vitaly also shared how Kaspersky Lab tracked the Lazarus group, which was famous for its theft of $81 million from the Central Bank of Bangladesh last year (February 2016).
  • Kaspersky Lab found several artefacts that pointed to a Korean origin, including proof that at least one of the computers used in developing the malware was using a Korean version of Windows.
  • They also identified false flag attempts to pin the exploit code on Russian developers using crude Russian phrases and a commercial Russian software protector.
  • Kaspersky Lab also discovered that the Lazarus group used a testing bot that was located in a North Korean server.
  • Because attribution of any cyberattack is difficult, Kaspersky Lab believes there should be better cooperation between cybersecurity companies and the police and the private sector.
  • Therefore, Kaspersky Lab is officially releasing a tool that Vitaly Kamluk himself developed – BitScout – to help them with their investigations.
  • BitScout is an open-source tool that is free for anyone to perform remote forensics on a compromised system.
  • Using virtualisation, BitScout allows a cybersecurity expert to trace and detect malware in a compromised system without making any changes to the storage drives, preserving the legal chain of custody and avoiding the perception of possible tampering with the data.
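The chain-of-custody point above rests on acquiring an image without writing to the source and being able to prove that afterwards. The following Python is an added example, not BitScout's code, showing the verification part of that workflow on a constructed evidence file: the source is hashed before and after a read-only, streamed copy, the image is hashed as written and again from disk, and the matching hashes are recorded so the image can be re-verified once it reaches the lab.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # read size; evidence is streamed, never loaded whole


def sha256_of(path):
    """SHA-256 of a file, streamed in CHUNK-sized reads."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source, image, examiner):
    """Copy the evidence at `source` into `image`, opening the source read-only,
    and return a custody record. The source is hashed before and after the copy
    (showing acquisition did not alter it) and the image is hashed as written
    and again from disk; the record is marked verified only if all agree."""
    before = sha256_of(source)
    streamed = hashlib.sha256()
    copied = 0
    # O_RDONLY makes the intent explicit; for a real block device a hardware
    # or kernel-level write blocker would be applied before this step.
    fd = os.open(source, os.O_RDONLY)
    with os.fdopen(fd, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            streamed.update(block)
            dst.write(block)
            copied += len(block)
    after = sha256_of(source)
    on_disk = sha256_of(image)
    record = {
        "source": source,
        "image": image,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "bytes_copied": copied,
        "sha256_source_before": before,
        "sha256_source_after": after,
        "sha256_image": on_disk,
    }
    record["verified"] = (before == after == streamed.hexdigest() == on_disk
                          and copied == os.path.getsize(source))
    return record


def verify_image(image, record):
    """Re-check an image against its custody record, e.g. after transfer to the lab."""
    return (os.path.getsize(image) == record["bytes_copied"]
            and sha256_of(image) == record["sha256_image"])


def demo(workdir=None):
    """Build a constructed 1 MiB 'evidence device' file (with a fake MBR
    signature at offset 510), image it, and return (record, image_path)."""
    workdir = workdir or tempfile.mkdtemp(prefix="acq_demo_")
    source = os.path.join(workdir, "evidence.dd")
    image = os.path.join(workdir, "evidence.img")
    data = bytearray(bytes(range(256)) * 4096)  # 1 MiB of constructed content
    data[510:512] = b"\x55\xaa"
    with open(source, "wb") as fh:
        fh.write(data)
    record = acquire_image(source, image, examiner="constructed-examiner")
    with open(os.path.join(workdir, "custody.json"), "w") as fh:
        json.dump(record, fh, indent=2)
    return record, image


if __name__ == "__main__":
    rec, img = demo()
    print(json.dumps(rec, indent=2))
    print("re-verified:", verify_image(img, rec))
```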

Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!

The Palaeontology of Cyberattacks Presentation Slides

Here is the complete set of slides from Vitaly Kamluk’s presentation on the Palaeontology of Cyberattacks.

Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!
