This document summarizes the anatomy of a targeted cyber attack known as ShadyRAT. Over 5+ years, ShadyRAT compromised over 70 victims, maintaining persistence for an average of 9 months to steal data. Attackers used open-source intelligence to profile targets, then sent malicious emails to install remote access tools allowing command and control. Stolen data was encrypted and transferred over months without detection. Lessons are that simple attacks can be highly effective when combined with social engineering and long-term access. Vigilance against such advanced persistent threats requires awareness of social media disclosures and carefully handling potentially malicious files and communications.
2. About me…
Started in 2007 at Help Desk > System Administrator.
4 years of experience in IT outsourcing.
Working in BAKOTECH® Group since 2011.
Information security used to be my hobby; now it's my job.
I am responsible for technical support of McAfee solutions.
https://radetskiy.wordpress.com/
http://www.slideshare.net/Glok17/
http://ua.linkedin.com/pub/vladislav-radetskiy/47/405/809
Vladislav Radetskiy
Technical Lead
C|EH applicant
3. Agenda
Terminology: today's battleground of cybersecurity
ShadyRAT: a successful long-term, complex cybercrime operation
How can we protect our clients from such advanced attacks?
4. Basics #1
Open-source intelligence (OSINT) – gathering information from public sources.
Usual OSINT sources are Google, Facebook, LinkedIn, etc.
Social Engineering – the act of deceiving and manipulating a person to
gain something: money, information disclosure, access to a restricted area, etc.
Famous examples: Frank William Abagnale (Catch Me If You Can), Kevin Mitnick.
5. OSINT during Cold War
“The Decryption of a Picture” from the CIA library
3 months of analysis
by Charles V. Reeves
of Boston Edison
6. OSINT nowadays
Getting information about someone is not rocket science
A couple of hours, or even less with tools
Name, DOB, job, family status
Habits, likes & dislikes, complexes
7. Basics #2
Cyber-Attack – a sequence of steps to compromise an IT system
Advanced Persistent Threat (APT) – a targeted, covert, long-term attack
Vulnerability – a defect (a bug) in software (Microsoft, Adobe, Java)
Exploit – a tool that takes advantage of a vulnerability (exploit-db.com)
8. Basics #3
Remote Access Tool (RAT) – a tool for remote control of a hacked system
Trojan / Backdoor / meterpreter, etc.
Command and Control (C&C) – servers on the Internet that attackers use
to control compromised systems and interact with persistent malware
Steganography – a method of hiding data/code inside files (images)
9. Briefing about modern battleground
Cyber-criminals:
attack for information or money
can use ready-made tools (regardless of their technical skills)
can choose anyone as their target
use OSINT and social engineering (to craft the perfect lure)
10. ShadyRAT
In 2011 McAfee Labs gained access to one C&C server.
From the server logs:
Duration of operation: 5+ years
Number of victims: 70+
Average persistence: ~9 months
Outcome: stolen data
Scope of targets: government, private, non-profit organizations…
13. ShadyRAT
Hi, Bob.
Remember me?
It's me, John.
We were together at the last
Yankees game.
Listen, I can give you a great
discount on ___________ .
Thanks in advance
14. ShadyRAT
Bob trustingly opened the attached file, which used a vulnerability to
install a RAT on Bob's system.
17. ShadyRAT
The RAT transfers private data from Bob's system to the C&C server.
The channel between the RAT and the C&C was hidden by steganography.
It's like a smokescreen for the security staff.
18. ShadyRAT
It's payday for the attacker:
collecting the stolen data,
which can be sold for real money.
19. ShadyRAT
This can be repeated again & again
for 3-9 months,
and Bob didn't notice anything.
Meanwhile his company goes
down…
20. ShadyRAT
1. Attackers choose a victim company
2. Gather information about its employees by OSINT
3. Use social engineering to compose fake emails with attached files
4. Victims receive the fake email and… open the attached file (.xls)
5. An exploit in the attached file is used to deploy the RAT
6. The RAT establishes outbound connections to the C&C and transfers data
7. Commands to the RAT are hidden by steganography (HTML, images)
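Step 6 is also the step a defender can see: a RAT that polls its C&C tends to call home on a near-constant interval, which stands out in proxy logs even when the traffic itself looks like ordinary page and image requests. The script below is an added example for this page, not code from the talk or from McAfee. It reads a constructed, simplified proxy log (assumed format `<epoch_seconds> <src_ip> <dst_host> <path>`) and flags source/destination pairs whose inter-request jitter is low; the host names, sample timestamps and thresholds are all assumptions.

```python
"""Beacon detection over proxy log lines (added example; constructed data).

Log format assumed here: "<epoch_seconds> <src_ip> <dst_host> <path>".
A RAT that polls its C&C produces outbound requests at a near-constant
interval; this heuristic flags (src, dst) pairs with low interval jitter.
"""
from collections import defaultdict
from statistics import pstdev

# Constructed sample log: 10.0.0.5 fetches small HTML/image pages from one
# host every ~300 s (a beacon); all other requests are irregular browsing.
SAMPLE_LOG = """\
1000 10.0.0.5 news.example.com /index.html
1020 10.0.0.5 cdn.example.com /img/logo.png
1300 10.0.0.5 update-host.example.net /page.html
1600 10.0.0.5 update-host.example.net /page.html
1905 10.0.0.5 update-host.example.net /img/1.jpg
2200 10.0.0.5 update-host.example.net /page.html
2497 10.0.0.5 update-host.example.net /page.html
2800 10.0.0.5 update-host.example.net /img/2.jpg
1100 10.0.0.7 news.example.com /index.html
1130 10.0.0.7 news.example.com /sports.html
1900 10.0.0.7 news.example.com /index.html
4000 10.0.0.7 news.example.com /weather.html
4010 10.0.0.7 news.example.com /index.html
"""


def parse_log(text):
    """Yield (timestamp, src, dst) from each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _path = line.split()
        yield int(ts), src, dst


def find_beacons(text, min_requests=5, max_jitter=0.10):
    """Return {(src, dst): mean_interval_seconds} for pairs with at least
    min_requests requests whose interval coefficient of variation
    (stdev / mean) is at most max_jitter."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = sum(intervals) / len(intervals)
        if avg > 0 and pstdev(intervals) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{interval:.0f} s")
```

Legitimate software (update checkers, mail clients) also polls on fixed intervals, so a low-jitter pair is a triage signal to combine with destination reputation and request content, not a verdict on its own; the thresholds need tuning per environment.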
21. ShadyRAT
What's the matter?!
Attackers used vulnerabilities in the system along with social engineering
Attackers were able to search and collect data for months
The operation was not so complex (technically); rather simple
The RAT was undetected for months (9 - 28)
Outcome = a large amount of data which can be sold for money or used
later for blackmail
22. Any lessons learned after ShadyRAT? No!
July 2014 – January 2015: meet CTB-Locker (Critroni)
Crypto ransomware: $350 – 700 to decrypt data
Spreads by random, not targeted, spam
26. Conclusions
Cybercrime today is a way to make money, a business
Almost anyone can take the tools and try to break in (Kali Linux, msf, etc.)
At the same time anyone can be chosen as a target
Be aware of targeted attacks, OSINT and social engineering
27. Sources
• Dmitri Alperovitch, Vice President of McAfee Threat Research
Revealed: Operation Shady RAT (August 2011)
• Bruce Schneier, computer security and privacy specialist
The State of Incident Response (Black Hat USA 2014)
• Steven Rambam, private investigator who uses OSINT, Pallorium, Inc.
“Privacy is Dead - Get Over It” (2010)
“Privacy: A Postmortem” (2012)
“…Taking Anonymity” (2014)
29. Example of human vulnerabilities
2012 - Photos of Prince William Expose Royal Air Force Passwords
30. Example of human vulnerabilities
2014 - FIFA World Cup Brazilian Security Command Center Wi-Fi password
b5a2112014
31. Example of human vulnerabilities
2015 – French TV5Monde exposed a password during a TV interview > hacked
32. And please don’t forget …
Sometimes (usually always) Google, Facebook, Twitter and LinkedIn are the primary
sources of private information about whole companies and their employees.
Information about predilections, habits and complexes of chosen people can be
recovered by OSINT and used by an attacker as a pretext for social engineering.
33. Thank you for your attention
Vladislav Radetskiy
vr@bakotech.com
radetskiy.wordpress.com
Editor's notes
Hello everyone. My name is Vlad and I want to tell you a story. A story about one attack: ShadyRAT.
What do you need to know about me?
I am a technical person, responsible for Intel (McAfee) solutions support.
To be extremely short – thank God I really like my job.
When we talk about information security it is always 50/50
= 50% technical engineering and 50% communication with people.
(I will get back to this sentence at the end of my speech.)
Before we move to the story let's spend a couple of minutes on basics to be sure that we understand each other.
Then, once you are prepared, I will tell you a story.
I will give you some examples and protection solutions at the end of my speech.
Let's start with non-technical concepts.
OSINT came to us from the military. It started in World War 2 and evolved enormously during the Cold War.
(Decryption of a picture of the Urals Electric Power System from the magazine “Ogonyok” in 1958)
Literally it means obtaining data from public sources. In the past these sources were books, magazines, etc.
Nowadays the major source of OSINT is the Internet, I mean resources like Google, Facebook, Twitter, LinkedIn, etc.
Social engineering is an act of psychological manipulation or deception against someone.
This is my own explanation; if you want, you can find more on the Internet.
The best example of social engineering is the movie “Catch Me If You Can”; I suppose many of you watched this film with Tom Hanks and DiCaprio.
The plot of this movie was based on a real-life person, Frank Abagnale, who posed as a Pan American pilot and made quick money on check fraud. The FBI turned him to help with investigations of financial crimes. It's a very nice example of social engineering.
Historical example of OSINT from 1958
https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol11no3/html/v11i3a03p_0001.htm
Charlie was to get confirmation of his theories and deductions within the year, an event that happens all too seldom in the intelligence business—except when catastrophe strikes. In July 1959 a U-2 photographed both Nizhnyaya Tura and Verkh Neyvinsk, Kyshtym being cloud-covered. Charlie was right on the substation array at the Nizhnyaya Tura complex, which turned out to be a nuclear weapons fabrication and stockpile site. The Verkh Neyvinsk gaseous diffusion plant had substations much like Charlie had deduced, though one had been cropped from the Ogonek picture. His view that the dots nearest the transmission lines represented switches rather than transformers proved correct, and his decision to estimate power usage from lines and generating stations rather than from substations was vindicated. Detailed examination of the U-2 photography showed that his estimate on power usage at Verkh Neyvinsk was only about 10 percent high, a truly remarkable achievement from a censored photograph.
Technical concepts here:
A cyber-attack, or attack, is an aggressive act against an IT system to get data, cause DoS, gain remote control…
The target may be a single server/desktop or a whole infrastructure.
APT is a dangerous type of attack.
There is a simple analogy.
I hope many of you watched Heat (1995), the movie about a bank robbery with Al Pacino and De Niro?
Nice film with a canonical gunfight directed by Andy McNab (Special Air Service (SAS) patrol Bravo Two Zero)…
But stick to the point.
A common cyber-attack is like De Niro's team – go in & go out with the money.
It's harmful and loud, but it's noticeable.
An APT is more complicated and more hidden, usually a long-term action.
It's like placing our man in a foreign organization to steal data over months or even years - the Manchurian Candidate.
Do you see what I mean? APTs are more dangerous because sometimes the victim does not even know the source of the data/money leak.
Vulnerability – is a bug in software, some defect which can be used by attackers to compromise a system or make it perform an action for which the software was not intended.
Exploit – is a tool which anyone can get/buy and use to try to take advantage of a bug in a system/application.
(This is the last one, I promise.)
The story I prepared for you is called “ShadyRAT”.
RAT is an acronym for Remote Access Tool. This is an instrument for remote control of a compromised system.
It can be any sort of Trojan or other backdoor.
C&C is a server running somewhere on the Internet that gives attackers the possibility to send commands to the RAT on a compromised system.
It's like the HQ of a crime organization.
Steganography is all about hiding data in files.
As an example: hiding part of a text in a file, usually in pictures.
These techniques are sometimes used by criminals to cover their tracks.
You should know some things about our enemy.
The Internet and the people who use IT are the two factors which changed the rules of hacking/cyber-crime.
First of all we must agree that cyber-crime is now a business to make money.
From my humble experience I can say that many people have a stereotype of the “hacker”.
People think that attackers are always highly skilled tech experts. It's not true. Not in every case.
I want to explain to you that today anyone can download tools, or buy them, and try to attack.
I mean there is no “secret knowledge”.
I must also mention a great _delusion_: an attacker can choose anyone as a target.
Position, salary, industry and other criteria don't really matter.
Anyone who uses IT can be a target.
Maybe not personally, but as an entry point, as the weakest link.
And I remind you one more time about the pair OSINT + social engineering.
The story about ShadyRAT
Ok, now you are prepared for my story and I hope you will enjoy it.
In 2011 McAfee engineers got access to a cyber-crime C&C server.
Analyzing its logs gave McAfee the details about the APT.
This operation ran for about 5 years and the number of victims was about 70.
Average persistence in a particular victim's infrastructure was about 9 months.
All this was used to gain access to information (intellectual property, private data, source code, bug databases, emails, negotiation plans, contracts, etc.).
As you can see, the attack was all around the world.
This is the first notable aspect – usually an APT is targeted at a limited group of people or one organization.
ShadyRAT has a wide victim geography – about 14 countries.
Most targets were from the US and Canada, the others from European and Asian countries.
Here we have more details about the victims.
McAfee sorted all victims by their type/business field.
Please pay attention to the marked types.
When we talk about non-profit organizations we can assume that they do not have enough budget for cyber security, or we can suppose that they do not pay enough attention.
But look, we have organizations from Government, Industry and Technology in our list.
Even some DoD contractors were compromised.
This is the main message of my report.
APTs which involve OSINT and social engineering are dangerous even for solid companies which have money for security.
The main problem is that we should pay much more attention to the people who work in the company, not only to technical measures.
Because anyone can be used as an entry point.
1st step
The attacker uses information collected from Facebook/LinkedIn, for example, to create a fake email for Bob.
It can be a wide range of different pretexts: a nice old friend, a request for help, an offer of a great discount, etc.
The more data about Bob, the more real the lure will be.
All this to make Bob open a URL, a file, etc. – to take one step in the wrong direction to begin the attack.
If Bob was not careful enough, he took the lure and opened the file from the fake email.
A wrong step for Bob, but for the attacker a small step forward.
In the attached file was an exploit, which used a vulnerability in software to silently install a RAT on Bob's system.
2nd step. The RAT was deployed and communicates with the C&C to get directions.
3rd step - the attacker manipulates the RAT through the C&C, sending commands.
The RAT gets a command to collect and send data.
Another notable difference is that all communication between the RAT and the C&C was hidden by steganography to conceal any clues.
So even if the company where Bob works has some security staff and equipment, they did not notice anything suspicious.
The compromised system often requests some web pages (HTML) and images.
It's like a smokescreen for the guards.
4th step – payday.
The attacker downloads the collected data from the C&C server.
This information can be sold for money later or used for blackmail…
The biggest danger is that Bob may not even know about the breach and data leak.
The company where Bob works may go down because competitors will outstrip it.
All because competitors pay for stolen information (negotiation / finance plans, source code, etc.)
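The "smokescreen" in the 3rd step (and the definition of steganography in the basics) is ordinary-looking HTML and image fetches that carry commands. A defender cannot decode what they do not know the format of, but a proxy or mail gateway can apply a cheap static check to fetched HTML: a comment body that is long, consists only of base64 characters and has high entropy is not something a page author normally writes. The script below is an added example written for this page, not code from the talk or from McAfee; the sample page, the stand-in payload (just the bytes 0..255, base64-encoded) and the thresholds are constructed assumptions.

```python
"""Flag HTML comments that look like encoded payloads (added example).

A cheap static check for pages fetched by an endpoint: long comment bodies
made only of base64 characters with high per-character entropy are worth a
closer look. All thresholds and the sample page are assumptions.
"""
import base64
import math
import re
from collections import Counter

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_comments(html, min_len=64, min_entropy=4.5):
    """Return comment bodies (whitespace removed) that are at least min_len
    characters long, contain only base64 characters, and have at least
    min_entropy bits of entropy per character."""
    hits = []
    for body in COMMENT_RE.findall(html):
        stripped = re.sub(r"\s+", "", body)
        if len(stripped) < min_len:
            continue
        if B64_RE.match(stripped) and shannon_entropy(stripped) >= min_entropy:
            hits.append(stripped)
    return hits


# Constructed sample page: two ordinary comments, one long low-entropy
# filler comment, and one comment carrying a base64 blob (bytes 0..255,
# standing in for an encoded command).
HIDDEN = base64.b64encode(bytes(range(256))).decode()
SAMPLE_HTML = f"""<html><body>
<!-- main navigation -->
<!-- Copyright 2015 Example Corp. All rights reserved. Generated by the site builder tool. -->
<!-- {'a' * 100} -->
<!-- {HIDDEN} -->
<p>Welcome back.</p>
</body></html>"""


if __name__ == "__main__":
    for hit in suspicious_comments(SAMPLE_HTML):
        print(f"suspicious comment ({len(hit)} chars, "
              f"{shannon_entropy(hit):.2f} bits/char): {hit[:40]}...")
```

The entropy threshold is what separates an encoded blob from long but repetitive filler; the base64 alphabet filter is what keeps ordinary prose comments (which contain spaces, dots and other punctuation) out of the hit list. The same two measurements generalize to other carriers the page mentions, for example the trailing bytes of an image after its end-of-image marker, with the carrier-specific extraction swapped in for `COMMENT_RE`.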
Again step-by-step
You can ask me “So what? Someone opened an .XLS file and lost data… Not a big story.”
It's a normal question, but listen.
ShadyRAT is only one example.
They (the attackers) used only one vulnerability, not complex.
This attack could be more complicated, but even at a simple level they succeeded.
The RAT was undetected for a long period of time in 90% of cases.
Even if protection measures were enough to detect the RAT, the companies usually did not make a full investigation to track the leaked data.
It's not an APT.
It was a couple of months ago.
The email was totally fake, no OSINT, no custom text…
But still someone opened those files.
Sample of a CTB screen
Let's talk about protection.
A single AV is not the answer.
Intel (McAfee) provides complex endpoint protection to minimize the risk of APT.
Just imagine a protection system which acts like the human immune system, meaning it reacts to threats and is capable of self-learning.
TIE (Threat Intelligence Exchange) is a database of threats, a storage of profiles.
ATD (Advanced Threat Defense) is a “sandbox” which provides static and dynamic analysis of potentially harmful files/attachments/URLs.
We cannot get a patch for human vulnerability.
Even trained people can make a mistake.
But we can run and test the behavior of potentially harmful files before they are executed on desktops/servers.
After all, let's repeat the key points.
Cyber-crime is only business.
There are ready-made tools, so the attacker can be a non-technical person (now it's not a problem).
Anyone who works with computers, with IT in general, is at risk.
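Before a file is detonated in a sandbox, the static half of that analysis can already reject a lot: in the story the lure was an attached .xls, and an attachment whose bytes do not match the type its name claims, or whose name hides a second extension, never needs to reach Bob. The script below is an added example written for this page, not McAfee ATD code. The magic numbers are the real OLE2, ZIP/OOXML, PDF and PE signatures; the file names and contents in the demo are constructed.

```python
"""Static attachment triage: does the content match the claimed type?

Added example, not McAfee ATD code. Magic numbers are the real file
signatures (OLE2 compound file, ZIP/OOXML, PDF, PE); everything passed to
triage() in the demo below is constructed.
"""
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc container
ZIP = b"PK\x03\x04"                          # .xlsx/.docx are ZIP archives

MAGIC = {
    ".xls": OLE2, ".doc": OLE2,
    ".xlsx": ZIP, ".docx": ZIP,
    ".pdf": b"%PDF",
    ".exe": b"MZ",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def extensions(filename):
    """All extensions of a name, lowercased: 'a.xls.exe' -> ['.xls', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage(filename, data):
    """Return a list of findings for an attachment; an empty list means the
    name and content are consistent and nothing executable was seen."""
    findings = []
    exts = extensions(filename)
    if not exts:
        return ["no extension"]
    last = exts[-1]

    # Executable extension, possibly placed behind a document extension.
    if last in EXECUTABLE_EXTS:
        findings.append(f"executable attachment ({last})")
    if len(exts) > 1 and any(e in MAGIC for e in exts[:-1]):
        findings.append("double extension: " + "".join(exts))

    # Content that does not start with the signature the extension implies.
    expected = MAGIC.get(last)
    if expected is not None and not data.startswith(expected):
        findings.append(f"content does not match {last} signature")

    # A PE image (MZ header) under a non-executable name.
    if data.startswith(b"MZ") and last not in EXECUTABLE_EXTS:
        findings.append(f"PE executable disguised as {last}")
    return findings


if __name__ == "__main__":
    samples = {  # constructed attachments
        "report.xls": OLE2 + b"\x00" * 504,
        "brochure.pdf": b"%PDF-1.4\n%constructed",
        "price_list.xls": b"MZ\x90\x00" + b"\x00" * 60,
        "invoice.xls.exe": b"MZ\x90\x00" + b"\x00" * 60,
    }
    for name, content in samples.items():
        print(f"{name}: {triage(name, content) or 'ok'}")
```

A genuine OLE2 workbook carrying an exploit passes this check, which is exactly why the page pairs static filtering with dynamic analysis: the magic-number test removes the crude cases cheaply so the sandbox time goes to files that look right but need to be run to be judged.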
I really need an additional 30 seconds of your attention.
Despite the time limit, my story was short.
If you are interested – please use the sources.
The main source of information about ShadyRAT is the report by Dmitri Alperovitch.
Bruce Schneier in cyber-security is like Chris Costa or Gabriel Suarez in tactical firearms manipulation (if you know what I am talking about…)
And last but not least – Steven Rambam, private investigator.
His talks changed my mind about the Internet.
I suggest you watch those videos on YouTube to better understand me.
Ok, I prepared something else for you.
Just in case you need real-life examples.
Are you ready?
This picture represents the most popular passwords which people used on their systems and Internet accounts.
Which passwords do you think an attacker will try first? Those simple ones have been included in various dictionaries for many years…
Sometimes the press can do cyber-criminals a favor.
This slide shows the consequences of bad password management.
The Royal Air Force changed the password and asked for the photos to be censored…
But this can be repeated again.
What do you think, can people learn lessons from someone else's mistakes?
Please take a deep breath.
I mean it's not funny.
This is the chief of the Security Command Center and in the background we can see the password of their Wi-Fi network.
If you think this is the last one… You are wrong.
The most recent example of the human factor.
I can put some irony there, because this story was about IT crimes and information security…
All these examples show us how vulnerable we can be.
So as I said at the beginning – information security is always 50/50
50% – technology
50% - human factor
To be protected you need to train your employees and implement complex solutions.
Be aware of what you put on the Internet.
Think about how this information can be used against you.
It's like “… anything you say can and will be used against you”.
Be extremely careful and prudent when you use information technologies.
Use complex protection and train your people to resist social engineering.