UQ_Cybercrime_Professionalism_Lecture_2024_07.pdf
Cyber Crime Professionalism
Jon Oliver
Adjunct Professor at Uni Qld
My Background
Academic background in Machine Learning
Building antispam filters 2002 -> 2008
Cyber security 2008 to 2024
(diagram: the sweet spot between Academia and Industry)
Cybercrime over 25 years… (timeline plotted against Technical Capability and Business Model)
1999: Melissa Virus
2002: Spamming
2005: Botnets
2007: Webthreats
2010: Zeus: Banking Trojan
2011: Blackhole: Exploit Kits
2014: CryptoLocker: Ransomware
2016: Cridex: Breach based Ransomware
2017: Coinminer
2017: Fileless / Living off the Land
2019: Ransomware as a Service (RaaS)
2021: RaaS double extortion
Cyber Criminal Professionalism
• Often requires no technical innovation
• Excellent execution
• Measuring every aspect of a cyber attack
• Presenting this data in a UI
• Optimizing each step
• Perfecting their business model
Preventing Cyber Crime
Technical Knowledge
+
Understanding the business model
(study underground forums,
read reports of criminals being arrested, …)
1. Measuring
BlackHole Exploit Kit (BHEK)
Ref: http://media.blackhat.com/bh-us-12/Briefings/Jones/BH_US_12_Jones_State_Web_Exploits_Slides.pdf
(diagram: compromised.com/fHNDZW/index.html → malicious web server)
The Threat: Exploit Kit Spam
BHEK UI
Advertising / Release Notes
BlackHole exploit Kit 2.0
We are pleased to present to you a completely new version of the exploit bundle. Over the more than 2 years
our project has existed, the bundle's old engine has been thoroughly worn out and overused; AV companies
started to recognise very quickly, by certain criteria, that this is BlackHole and to flag it as malware. In
the new version we rewrote everything from scratch, and not only the exploit-serving part was rewritten from
scratch, but the admin panel too.
New in exploit serving:
1. We have protected the exploits as far as possible from automatic downloading by AV companies: a
dynamic URL is now generated that is valid for only a few seconds, just long enough for a single
infection of the person who follows the link.
2. Your exe is now also protected as far as possible; an AV company will not be able to simply download it,
which lets you keep your exe clean for as long as possible.
3. JAR and PDF files are served only to plugin versions that are vulnerable; if the plugin is not vulnerable,
the exploit is not served and is not exposed needlessly.
BlackHole exploit Kit 2.0
Are pleased to welcome you to a brand new version of the bundle of exploits. For more than
2 years of existence of our project, the old engine arrival and ligaments badly worn, AV
companies have become very quick to recognize that this kind of criteria BlackHole and flag
it as malware. In the new version we have rewritten from scratch, and re-written from
scratch is not only part of the issuance of exploits, but also the admin panel.
Of the innovations on the issue:
1. Implemented maximum protection from Automatic systems for downloading exploits,
used by AV companies: generate a dynamic URL, which is valid for a few seconds, you need
only to one victim at a time.
2. Now, Your executable also protected from multiple downloads, AV company can not just
download it, which will keep your exe as long as clean.
3. JAR and PDF exploits show only for detected vulnerable versions of plug-ins; if the plug-in is
not vulnerable, exploits are not issued, and do not get in the detection loop.
…
BHEK 2.0 dispatcher table (which exploit is served depends on the client's reported plugin versions)
Client version check                       CVE                           Exploit payload
JRE <= 1.6.0_27 / 1.5.0_31                 CVE-2011-3544                 gogonaggogonaExp.class
JRE <= 1.7.0_02 / 1.6.0_30 / 1.5.0_33      CVE-2012-0507                 GondadExx.Ohno.class
JRE <= 1.7.0_03 / 1.6.0_32 / 1.5.0_32      CVE-2012-1723                 Gond1723.Gondattack.class
JRE <= 1.7.0_06                            CVE-2012-4681                 cve2012xxxx.Gondvv.class
JRE <= 1.7.0_07                            CVE-2012-5076                 gond20125076.Gondqq.class
JRE <= 1.7.0_10                            CVE-2013-0422                 Xml20130422.XML20130422.class
JRE <= 1.7.0_15                            CVE-2013-1493                 yQCI.class
Flash <= 11.5.502.146                      CVE-2013-0634                 xxxx.swf
MSIE <= 7                                  CVE-2012-1889, CVE-2012-4969  javascript
Dispatcher flow: each row is a Yes/No check on the client; the JRE checks are followed by the SWF vulnerability
and the MSIE vulnerability, ending in "Infection!".
Pain to crawl: anti-crawling, and serving vulnerable documents by client environment.
Landing page gate: Client IP in black list? Yes → serve blank page; No → landing page.
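The dispatcher table above is, from the defender's side, an exposure table: a browser that reports one of those JRE versions would have been served the matching exploit. The following is an added example (not from the lecture) that parses Java's legacy version strings and reports which table rows a given version matches; the threshold data is copied from the table, the inventory and function names are assumptions.

```python
import re
from typing import Dict, List, Tuple

# The "JRE <=" cells of the dispatcher table above: CVE -> {release line: highest
# update number the kit still attacked}. "1.6.0_27" is line "1.6", update 27.
BHEK_JRE_TARGETS: List[Tuple[str, Dict[str, int]]] = [
    ("CVE-2011-3544", {"1.6": 27, "1.5": 31}),
    ("CVE-2012-0507", {"1.7": 2, "1.6": 30, "1.5": 33}),
    ("CVE-2012-1723", {"1.7": 3, "1.6": 32, "1.5": 32}),
    ("CVE-2012-4681", {"1.7": 6}),
    ("CVE-2012-5076", {"1.7": 7}),
    ("CVE-2013-0422", {"1.7": 10}),
    ("CVE-2013-1493", {"1.7": 15}),
]

# Java's legacy version string: major.minor.patch[_update], e.g. "1.7.0_06".
_JRE_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_jre(version: str) -> Tuple[str, int]:
    """'1.7.0_06' -> ('1.7', 6). A missing update suffix means update 0."""
    m = _JRE_VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised JRE version string: {version!r}")
    major, minor, _patch, update = m.groups()
    return f"{major}.{minor}", int(update or 0)


def exposed_cves(version: str) -> List[str]:
    """CVEs whose table row matches this JRE, i.e. the exploits the kit's
    dispatcher had available for a browser reporting this version."""
    line, update = parse_jre(version)
    hits = []
    for cve, thresholds in BHEK_JRE_TARGETS:
        limit = thresholds.get(line)
        if limit is not None and update <= limit:
            hits.append(cve)
    return hits


def fleet_report(versions: Dict[str, str]) -> Dict[str, List[str]]:
    """host -> exposed CVEs for a constructed inventory. An empty list only
    means the version is outside this table, not that it is safe in general."""
    return {host: exposed_cves(v) for host, v in versions.items()}


if __name__ == "__main__":
    # Constructed inventory, not data from the lecture.
    inventory = {"pc-01": "1.7.0_06", "pc-02": "1.6.0_27", "pc-03": "1.7.0_21"}
    for host, cves in fleet_report(inventory).items():
        print(host, cves or "not in the dispatcher table")
```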
Cybercriminal Firewall Rules
iptables -A INPUT -s aa.119.145.16/28 -j DROP #Kaspersky Labs
iptables -A INPUT -s aa.119.145.16/28 -j DROP #Kaspersky Labs
…
iptables -A INPUT -s bb.188.199.136/29 -j DROP #SYMANTECGMBH
iptables -A INPUT -s bb.227.131.216/29 -j DROP #Symantec Ltd
…
iptables -A INPUT -s xx.110.201.32/29 -j DROP #TREND MICRO DEUTSCHLAND GMBH
iptables -A INPUT -s yy.93.166.128/28 -j DROP #Trend Micro UK Limited
iptables -A INPUT -s zz.23.206.192/29 -j DROP #TRENDMICROITALYS.R.L.
…
Cybercriminal Firewall Rules (diagram: traffic from Security Companies → /dev/null)
2. Evading Security Solutions
Scan4U
Scan4U competitors: AVDetect, VirusCheckMate
Ref: https://documents.trendmicro.com/assets/white_papers/wp-the-rise-and-fall-of-scan4you.pdf
Professional Operations:
TorrentLocker 2014-2017
Ref: http://www.trendmicro.com.au/cloud-content/au/pdfs/security-intelligence/white-papers/australian_web_threat_landscape_-v7.pdf
Evading Spam Filters
Technique                                TorrentLocker Outbreaks
Honeypots                                Send email to legitimate email accounts
IP Reputation                            Use rented servers
Header analysis / phishing detection     Don't spoof; use email authentication
Antispam Content                         Send plausible content
Phishing lists                           Compromise many legitimate webservers
Misc                                     Low volume; optimize timing
TorrentLocker – A typical spam run
• state-nsw-gov.com, state1-nsw-gov.com, state2-nsw-gov.com, state3-nsw-gov.com, state4-nsw-gov.com sent a spam outbreak
• Between 1am and 9am
• Constituted approx 0.13% of email sent to Australian email addresses
• Appeared to be sent to a carefully culled email address list
• < 1% were to invalid email addresses
• Used Email Authentication (DKIM and SPF)
TorrentLocker – using Email Authentication
;; ANSWER SECTION:
info-service-osr.org. 3593 IN TXT
"v=DMARC1; p=reject; rua=mailto:admin@info-service-osr.org"
info-service-osr.org. 3593 IN TXT
"v=spf1 ip4:194.58.1.1/16 ip4:193.124.1.1/16 ip4:151.248.1.1/16 a mx ~all"
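The point of this slide is that SPF and DMARC passing only prove the sender controls the domain's DNS, not that the domain is legitimate. The following is an added example (not from the lecture) that evaluates the ip4 terms of the record shown above offline and flags two things a filter can still notice: ip4 terms written with host bits set, and a record that authorises far more addresses than one sender needs. The thresholds and function names are assumptions; the a and mx mechanisms need DNS and are skipped.

```python
import ipaddress
from typing import Dict, List, Tuple

# The SPF record the lecture shows for info-service-osr.org, reproduced verbatim.
SPF_RECORD = "v=spf1 ip4:194.58.1.1/16 ip4:193.124.1.1/16 ip4:151.248.1.1/16 a mx ~all"

_ALL_QUALIFIERS: Dict[str, str] = {
    "+all": "pass", "all": "pass", "?all": "neutral", "~all": "softfail", "-all": "fail",
}


def spf_ip4_networks(record: str) -> List[Tuple[ipaddress.IPv4Network, bool]]:
    """(network, written_with_host_bits) for every ip4: mechanism.
    '194.58.1.1/16' is accepted, as most SPF evaluators do, and means 194.58.0.0/16."""
    out = []
    for term in record.split():
        if term.lower().startswith("ip4:"):
            iface = ipaddress.ip_interface(term[4:])  # tolerates host bits set
            out.append((iface.network, iface.ip != iface.network.network_address))
    return out


def spf_ip4_result(record: str, sender_ip: str) -> str:
    """Offline check of the ip4: mechanisms plus the trailing 'all' qualifier.
    'a' and 'mx' are not evaluated (they need DNS), so an unmatched sender
    may still pass with a full evaluator."""
    ip = ipaddress.ip_address(sender_ip)
    for net, _ in spf_ip4_networks(record):
        if ip in net:
            return "pass"
    return _ALL_QUALIFIERS.get(record.split()[-1].lower(), "neutral")


def authorised_address_count(record: str) -> int:
    """Number of IPv4 addresses the ip4: terms authorise to send as the domain."""
    return sum(net.num_addresses for net, _ in spf_ip4_networks(record))


def spf_breadth_findings(record: str, max_addresses: int = 4096) -> List[str]:
    """Heuristics (assumed threshold) for records that are valid but say little
    about who is sending: sloppy ip4 terms and very wide authorised ranges."""
    findings = []
    for net, host_bits in spf_ip4_networks(record):
        if host_bits:
            findings.append(f"{net}: ip4 term written with host bits set")
    total = authorised_address_count(record)
    if total > max_addresses:
        findings.append(f"record authorises {total} addresses for a single sender domain")
    return findings


if __name__ == "__main__":
    print(spf_ip4_result(SPF_RECORD, "194.58.200.7"))  # constructed sender address
    for finding in spf_breadth_findings(SPF_RECORD):
        print("finding:", finding)
```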
TorrentLocker – compromised webservers
96 on a single outbreak
hxxp://ahaliapublicschool.org/files/awmGz1ZvAL4zyy.php
hxxp://alokitogrambangla.org/jscripts/P8sMnGioHtzHwwlvzqklwqGuUeh7Z54.php
hxxp://alternativ-medizin.org/cms2/media/WHw0iGEgoEdkWEn.php
...
hxxp://ttcchurch.org/uploadify/ND4wLfkrAizuISqskln2AX2WJ.php
hxxp://turismodegalicia.org/uploadify/dh4F61g7aAupmqaiEDKgNZcY.php
hxxp://www.bkmlaw.org/8XNjrWBqEIFXWA45N1eoCrBCjpGx.php
TorrentLocker – using Captcha
Cyber Business Models
Value of Compromised Machine
Monetization Approach                          Return
Spam                                           $
Banking Trojan                                 $$
Stealing Intellectual Property                 $$
Ransomware (Opportunistic – spam based)        $$$
Coinmining                                     $ to $$$
Ransomware (Breach based)                      $$$$
Double Extortion Ransomware                    $$$$$
https://www.techtarget.com/searchsecurity/definition/double-extortion-ransomware
Security: Before / After Ransomware
Criteria                     Pre Ransomware                                       Post Ransomware
Detection urgency            Within a few hours was often adequate                At time of infection
Errors to avoid              Critical False Positives                             Missed detections
Impact of missed detection   Often small; uses some resources: network / power / …   Files encrypted + more; blackmail / extortion
(annotation on the table: ML Strength)
Comment 1
Industry was too slow in adopting
Machine Learning (ML) for malware
https://www.cpomagazine.com/cyber-security/as-ukraine-war-rages-conti-ransomware-gang-throws-support-behind-russian-government/
2021: 4640 papers on ML for detecting ransomware
2022: 17,100 papers on ML for detecting ransomware
So why are ransomware attacks still happening?
ML evasion?
Something else?
Tricking ML
(figure: adversarial image examples labelled Speaker, Insect, Dog, Ostrich)
Source: "Intriguing properties of Neural Networks", Szegedy et al., Feb 2014, https://arxiv.org/pdf/1312.6199.pdf
Not Quite…
Breach-based/ Fileless Ransomware
Ref: https://blogs.vmware.com/cloud/2020/08/27/investigating-stopping-fileless-attacks-carbon-black-cloud/
https://community.carbonblack.com/t5/Knowledge-Base/Cb-Defense-Understanding-quot-repmgr-quot-or-quot-Cb-Defense/ta-p/47542
Ransomware by RDP Abuse: Phase 1
Step 1: Bot brute-forces the RDP server (Johnsmith / abc123, Maryjones / qw3rty, …)
Step 2: Bot finds a working user and password (admin / l3tm31n!)
Step 3: Bad actor sells the RDP credentials on an underground forum
Ransomware by RDP Abuse: Phase 2
Ransomware (RW) Actor purchases credentials on underground forum (Bad Actor → RW Actor)
© 2020 Trend Micro Inc.
A growing category of cyber-crime consists of breaking into corporate networks and doing
nothing else – except selling that illicit access to others for about $7,000 a go, says infosec
biz Digital Shadows.
The firm described what it said was a "notable increase" in the number of stolen-creds-for-sale postings, with the average price for a working access method being $7,100 and
comprising around 17 per cent of listings seen by Digital Shadows. This price increases to
$9,800 for remote desktop protocol (RDP) access, echoing research from ESET showing a
700 per cent increase in the number of RDP access attempts during 2020.
Ransomware by RDP Abuse: Phase 3
(diagram: RW Actor → RDP server)
1. Ransomware (RW) actor logs in with stolen credentials
2. Turns off Security / Makes multiple attempts / Privilege Escalation / …
3. Infects with ransomware
OR
1. Ransomware (RW) actor logs in with stolen credentials
2. Fileless ransomware
https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-solution-brief-vmware-carbon-black-next-gen-av.pdf
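Phases 1 to 3 leave a recognisable trail in the RDP server's own logon events: a burst of failures from one source that ends in a success (the bot finding a password), and later an RDP logon for the same account from a source that never appeared before (the buyer using it). The following is an added example (not from the lecture) that runs both detections over a constructed Windows Security log extract; the event fields, the failure threshold and the function names are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed Windows Security log extract (not from the lecture):
# time, event id (4625 = failed logon, 4624 = successful logon), account, source IP,
# logon type (10 = RemoteInteractive, i.e. RDP; 2 = interactive at the console).
SAMPLE_EVENTS = """\
2024-07-01T01:58:12,4624,maryjones,10.0.0.5,2
2024-07-01T02:10:01,4625,admin,198.51.100.23,10
2024-07-01T02:10:02,4625,admin,198.51.100.23,10
2024-07-01T02:10:03,4625,admin,198.51.100.23,10
2024-07-01T02:10:04,4625,admin,198.51.100.23,10
2024-07-01T02:10:05,4625,admin,198.51.100.23,10
2024-07-01T02:10:06,4625,admin,198.51.100.23,10
2024-07-01T02:10:09,4624,admin,198.51.100.23,10
2024-07-03T14:22:40,4624,admin,203.0.113.77,10
"""

Alert = Tuple[str, str, str]  # (kind, account, source ip)


def parse_events(text: str) -> List[dict]:
    """Parse the comma-separated extract into dicts, keeping the file's time order."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, user, ip, logon_type = line.split(",")
        events.append({"ts": ts, "id": int(event_id), "user": user,
                       "ip": ip, "type": int(logon_type)})
    return events


def detect_rdp_abuse(events: List[dict], fail_threshold: int = 5) -> List[Alert]:
    """Two detections over time-ordered events, RDP (logon type 10) only:
    - brute_force_success: a 4624 from a source that already produced at least
      fail_threshold 4625s (Phase 1: the bot found a password);
    - rdp_logon_new_source: a later RDP 4624 for the same account from a source
      with no RDP history (Phase 3: someone else using the bought credentials)."""
    failures: Dict[str, int] = defaultdict(int)     # source ip -> failed RDP logons
    rdp_sources: Dict[str, set] = defaultdict(set)  # account -> ips with RDP success
    alerts: List[Alert] = []
    for e in events:
        if e["type"] != 10:
            continue
        if e["id"] == 4625:
            failures[e["ip"]] += 1
        elif e["id"] == 4624:
            if failures[e["ip"]] >= fail_threshold:
                alerts.append(("brute_force_success", e["user"], e["ip"]))
            elif rdp_sources[e["user"]] and e["ip"] not in rdp_sources[e["user"]]:
                alerts.append(("rdp_logon_new_source", e["user"], e["ip"]))
            rdp_sources[e["user"]].add(e["ip"])
    return alerts


if __name__ == "__main__":
    for kind, user, ip in detect_rdp_abuse(parse_events(SAMPLE_EVENTS)):
        print(f"{kind}: account={user} source={ip}")
```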
Ransomware and ML
Machine Learning does not work if someone turns it off…
Many ransomware groups have adopted this approach
https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
Advantages of Breach Based Ransomware
• Can target victims who may be in a situation where they feel compelled to pay ransom
• Can increase the amount of money you demand ($$$$)
Cyber criminal professionalism
Perfect the Business Model
Optimising the infection process
Many elements of a cyber attack are available for rent
Pay $$$ for premium services (the latest vulnerability, freshly compromised credentials)
Customer service
Release notes
Tracking every component of the infection process
