Tomer Bar - OopsSec - The bad, the worst and the ugly of APTs' operations security

    Tomer Bar, Director of Security Research at SafeBreach

    Presentation Title: OopsSec - The bad, the worst and the ugly of APTs' operations security

    Length of presentation: 45 minutes

    Demo, Tool

    Advanced Persistent Threat groups invest in developing their arsenal of exploits and malware to stay below the radar and persist on the target machines for as long as possible. We were curious if the same efforts are invested in the operation security of these campaigns.

    We started a journey researching active campaigns from the Middle East to the Far East including the Palestinian Authority, Turkey, and Iran, Russia, China, and North Korea. These campaigns were both state-sponsored, surveillance-targeted attacks and large-scale financially-motivated attacks.

    We analyzed every technology used throughout the attack chain: Windows (Go-lang/.Net/Delphi) and Android malware, as well as both Windows- and Linux-based C2 servers.

    We found unbelievable mistakes which allow us to discover new advanced TTPs used by attackers, for example: bypassing iCloud two-factor authentication, and crypto wallet and NFT stealing methods. We were able to join the attackers' internal groups, view their chats, bank accounts and crypto wallets. In some cases, we were able to take down the entire campaign.

    We will present our latest breakthroughs from our seven-year mind-game against the sophisticated Infy threat actor, who successfully ran a 15-year active campaign using the most secure OpSec attack chain we've encountered. We will explain how they improved their OpSec over the years and how we recently managed to monitor their activity and could even cause a large-scale misinformation counterattack.

    We will conclude by explaining how organizations can better defend themselves.


    Tomer Bar is a hands-on security researcher with ~20 years of unique experience in cyber security. In the past, he ran research groups for the Israeli government and then led the endpoint malware research for Palo Alto Networks. Currently, he leads the SafeBreach Labs as the director of security research.

    His main interests are Windows vulnerability research, reverse engineering, and APT research.

    His recent discoveries are the PrintDemon vulnerabilities in the Windows Spooler mechanism, which were a candidate for Best Privilege Escalation at the 2021 Pwnie Awards, and several research studies on Iranian APT campaigns.

    He is a contributor to the MITRE ATT&CK® framework.

    He presented his research at Black Hat 2020, DEF CON 2020 and 2021, and SecTor 2020.


    Please provide a simple bibliography and/or works cited. List sources you have used (whether referenced or not) in the process of finalizing your presentation. Please remember to credit prior works and acknowledge others. References will be posted online with your talk information. We want attendees interested in your talk to be able to research what has been helpful for you in developing this presentation.

    1. After finishing my research I found public research by Checkpoint which details some of the findings I also found independently regarding the MAAS Android,

    2. Bad Patch prior research from 2017 -

    3. SharpPanda prior research from 2021 -

    4. Kimsuky - KGH Backdoor -,

    5. rampant-kitten prior research from 2020 -

    6. Moses Staff prior research from 2022 -

    7. Infy prior research between 2015 and 2017 -