Tag Archives: Zero Day

The Palaeontology of Cyberattacks by Vitaly Kamluk

The Palaeontology of Cyberattacks by Vitaly Kamluk

Vitaly Kamluk is the Director of Global Research & Analysis Team (GReAT), Kaspersky Lab APAC. He has been involved in malware research at Kaspersky Lab since 2005. At the Kaspersky Lab Palaeontology of Cybersecurity conference, he gave the keynote speech on The Palaeontology of Cyberattacks.

He shared how Kaspersky Labs performed digital forensics, literally the palaeontology of digital monsters, to trace their creators and to learn how to shut them down. He also took the opportunity to officially announce the release of his open source, free remote forensics tool called BitScout.

Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!

 

The Palaeontology of Cyberattacks by Vitaly Kamluk

The Director of the APAC Kaspersky GReAT (Global Research & Analysis Team), Vitaly Kamluk, details how Kaspersky Lab dissect cyberattacks so they can take down their infrastructure and alert victims. He also talks about BitScout – the open source digital tool he created to analyse and investigate these cyberattacks.

Here are the key takeaway points :

  • Stuxnet is an example of how malware can affect and even destroy objects in the real world.
  • Digital forensics is important because only by learning from the past can we prevent it from repeating in the future.
  • The art of tracing these cyberattacks takes time and involves multiple stages like :
    • Add detection for known modules and collect new samples
    • Reverse engineer the samples
    • Decrypt sophisticated encryption and compression schemes
    • Understand the lateral movement of the attacker
    • Outline multiple attack stages in the correct order
    • Map the command and control (C&C) infrastructure
    • Set up sinkholes – servers that they can redirect victims to, and analyse the collected traffic and protocols
    • Crawl other hosts that understand the same protocols, to check if they have been compromised as well
    • Take down and acquire images of the C&C servers to identify the attackers
    • Identify victims, send out notifications to warn them, and alert global CERTs
    • Apply forensics and extract logs, stolen files, etc.
    • Collect and analyse data from all sources
    • Write a comprehensive report
  • Zero day (0-day) vulnerabilities or exploits are rare and valuable. For example, one iOS 0-day exploit was priced at US$1.5 million.
  • Even old exploits (like the Silverlight 0-day) that have been exposed years ago are still usable, because not everyone updates their operating system.
  • In the case of the Silverlight exploit, Kaspersky Lab used signature code snippets from the creator’s own public code samples to identify a new 0-day Silverlight exploit that he created as well.
  • Vitaly also shared how Kaspersky Lab tracked the Lazarus group, which was famous for its theft of $81 million from the Central Bank of Bangladesh last year (February 2016).
  • Kaspersky Lab found several artefacts that pointed to a Korean origin, including proof that at least one of the computers used in developing the malware was using a Korean version of Windows.
  • They also identified false flag attempts to pin the exploit code on Russian developers using crude Russian phrases and a commercial Russian software protector.[adrotate group=”2″]
  • Kaspersky Lab also discovered that the Lazarus group used a testing bot that was located in a North Korean server.
  • Because attribution of any cyberattack is difficult, Kaspersky Lab believes there should be better cooperation between cybersecurity companies and the police and the private sector.
  • Therefore, Kaspersky Lab is officially releasing a tool that Vitaly Kamluk himself developed – BitScout – to help them with their investigations.
  • BitScout is an open-source tool that is free for anyone to perform remote forensics on a compromised system.
  • Using virtualisation, BitScout allows a cybersecurity expert to trace and detect malware in a compromised system without making any changes to the storage drives, preserving the legal chain of custody and avoiding the perception of possible tampering with the data.

Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!

Next Page > The Palaeontology of Cyberattacks Presentation Slides

 

Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!

The Palaeontology of Cyberattacks Presentation Slides

Here is the complete set of slides from Vitaly Kamluk’s presentation on the Palaeontology of Cyberattacks

Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!

Go Back To > First PageArticles | Home

[adrotate group=”1″]

 

Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!

Trend Micro 2015 Security Roundup Details

9 March 2016 – Today, Trend Micro Incorporated released its 2015 security roundup report, “Setting the Stage: Landscape Shifts Dictate Future Threat Response Strategies,” which dissects the most significant security incidents from 2015. The research confirms attackers are now bolder, smarter and more daring in attack vectors, cyberespionage efforts and cyber underground activity on a global basis.

“Our observations for 2015 have confirmed that traditional methods of protecting data and assets are no longer sufficient and should be reassessed to maintain the highest level of corporate and personal security,” said Raimund Genes, CTO, Trend Micro. “The prevalence and sophistication of extortion, cyberespionage and expanding targeted attacks now dictate that organizational security strategies must be prepared to defend against a potentially greater onslaught in 2016. This realization can help the security community better anticipate and respond to what attackers are trying to accomplish.”

Online extortion and cyberattacks were a top concern in 2015, with several high-profile organizations being victimized. Ashley Madison, Hacking Team, the Office of Personal Management and Anthem were a few of these high-profile attacks that left millions of employees and customers exposed. A majority of data breaches in the U.S. in 2015 (41 percent) were caused by device loss, followed by malware and hacking.
Additional report highlights include:

  • Pawn Storm and Zero-Days – In 2015 there were more than 100 zero-days discovered in addition to the long-running cyberespionage campaign Pawn Storm utilized several zero-day exploits to target high-profile organizations, including a U.S. defense organization, the armed forces of a NATO country and several foreign affairs ministries.
  • Deep Web and Underground Explorations – In 2015, cybercriminal markets began to penetrate the recesses of the Deep Web. Each underground market mirrors the culture in which it resides, offering specific wares most profitable in each region.
  • Smart Technology Nightmares – Attacks against connected devices accelerated in 2015, proving their susceptibility. Smart cars and businesses, seen in Trend Micro’s GasPot experiment, were among a few of the new concerns brought by IoT technologies.
  • Angler, the ‘King of Exploit Kits’ – From malvertising to Adobe Flash, Angler Exploit Kit gained notoriety in 2015 as the most used exploit. Accounting for 57.3 percent of overall exploit kit usage. Japan, the U.S. and Australia were among the most impacted countries for this attack.
  • Data Held Hostage – Crypto-ransomware rose to 83 percent of overall ransomware use in 2015. Cryptowall was the most frequently used variant, arriving on users’ computers via email or malicious downloads.
  • Takedowns versus DRIDEX – The seizure and takedown of the notorious DRIDEX botnet contributed to a significant decrease in detections within the U.S. However, this led to a resurgence due to the Command and Control infrastructure being hosted on a bulletproof hosting provider, making it virtually impossible to eradicate altogether.
[adrotate banner=”5″]

 

Support Tech ARP!

If you like our work, you can help support out work by visiting our sponsors, participate in the Tech ARP Forums, or even donate to our fund. Any help you can render is greatly appreciated!