Bangeter actors_attacks-80.pdf

File details

Flashcards 18
Language English
Category Technology
Level University
Created / Updated 19.06.2019 / 01.07.2021
Web link
https://card2brain.ch/box/20190619_bangeter_actorsattacks80_pdf

What are the 6 steps in the kill-chain? (phases an attacker goes through)

  1. Reconnaissance
  2. First Foothold (Spear Phishing, Waterhole)
  3. Dropper as first Backdoor
  4. Lateral Movement
  5. Data Theft
  6. Data Exfiltration

What is malware?

Malware (short for malicious software) is software designed to infiltrate or damage a computer system without the owner being informed or giving consent.

Once malware has compromised a system, the attacker can control the system, sometimes fully.

What are typical areas where malware can be used?

Typical areas of malware usage:

  • Cybercrime
  • Espionage
  • Disruption
  • Cyber war
  • Lawful interception

What is the difference between targeted and non targeted malware use?

Opportunistic / non-targeted attacks (~cybercrime): Attack on a large, weakly targeted population, often opportunistic. Even if the success rate is low, the absolute number of successful infections and the resulting revenue can be high.

Targeted attacks (~espionage): Attacks aimed at a few individuals.

What is meant by the term infection vector?

Infection vector: the means and techniques used to deliver a piece of malware onto the victim's machine.

Name some examples of technical vulnerabilities.

There are many different types of technical vulnerabilities:

  • Misconfiguration of a firewall, web server, etc.
  • Weak passwords that allow login and takeover
  • Etc.
  • Software vulnerabilities are particularly interesting, since they allow for very powerful attacks. They may be delivered via different infection vectors.

What is a software vulnerability?

A software vulnerability is a (sometimes subtle) programming error that is triggered when the program processes maliciously crafted input data supplied by an attacker, allowing the attacker to get her code executed in the victim program / process.

In short: Input data is turned into code.

What is meant by the terms (software) exploit and patch?

The malicious data / code that triggers a vulnerability is called a (software) exploit.

A patch is a software update that removes a known software vulnerability.

What is the life cycle of a zero-day vulnerability? At which phase is it the most dangerous?

The most dangerous phase is after the vulnerability has been disclosed publicly and before t_s, t_p and t_a (in the life-cycle diagram these mark the release of detection signatures, the release of a patch, and the point at which the patch has actually been applied).

This is because the vulnerability is public, allowing anyone to exploit it, while no real defenses or mitigations are available yet.

Why do most cybercriminals not use zero-day exploits?

  • Zero-day exploits are hard to find / expensive (they are typically used by espionage / nation-state actors)
  • Cybercriminals rather use "other-day" vulnerabilities, i.e. freshly published vulnerabilities that still compromise unpatched systems.

Microsoft patch tuesday -> exploit wednesday :D

What are the 6 steps of a drive-by download?

  1. Attacker compromises a legitimate "good" website and inserts malicious code into it, e.g. a hidden IFRAME.
  2. User visits the "good" website. The user's browser or a plugin is vulnerable.
  3. User is silently redirected to the "bad" website through the hidden IFRAME. The attacker can now identify the OS version and the vulnerabilities present.
  4. Malicious code is downloaded to the user's machine.
  5. Leveraging the vulnerabilities, the malicious code is installed on the user's computer.
  6. The malicious software takes advantage of the user's system.

ZEUS used the drive-by download technique.

What is a watering-hole attack?

Watering-hole attacks use drive-by downloads as an infection vector, by preparing a website that is known to be visited by the target audience (they are thus semi-targeted).

E.g. if you know that employees of the targeted company X often order pizza from www.tonis-pizza-lausanne.ch, the attacker will use the pizza site for the drive-by downloads.
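The drive-by download steps above and the watering-hole example both hinge on a hidden IFRAME injected into a trusted page. The following scanner is an added example (not part of the original flashcards) that flags the tell-tale pattern: an IFRAME that is hidden (zero-size, display:none, visibility:hidden, or inside an off-screen container) and whose source is on a different host than the page itself. The sample page, the host names evil.example and cdn.evil.example, and the page URL on www.tonis-pizza-lausanne.ch are constructed for the demo.

```python
"""Added example: flag hidden, off-site IFRAMEs of the kind injected for drive-by downloads."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not real content): the pizza site from the watering-hole
# example, into which an attacker has injected two hidden IFRAMEs pointing off-site.
# The YouTube embed is off-site too but visible, so it must not be flagged.
SAMPLE_PAGE = """
<html><body>
<h1>Toni's Pizza</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://evil.example/landing.php" width="0" height="0" frameborder="0"></iframe>
<div style="position:absolute; left:-9999px">
  <iframe src="//cdn.evil.example/k.html"></iframe>
</div>
</body></html>
"""

# Inline-style idioms commonly used to hide an element from the user.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I
)
# Elements without an end tag; they must not be pushed on the container stack.
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr", "area", "base", "col", "source", "wbr"}


def _tiny(value):
    """True if a width/height attribute is 0 or 1 (pixels), a classic hiding trick."""
    try:
        return int(str(value).strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


class IframeCollector(HTMLParser):
    """Collects every <iframe> together with a flag telling whether it is hidden."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self._stack = []        # (tag, hidden?) for each open non-void element
        self._hidden_depth = 0  # > 0 while inside a hidden container

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self_hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "iframe":
            hidden = (self_hidden or self._hidden_depth > 0
                      or _tiny(a.get("width")) or _tiny(a.get("height")))
            self.iframes.append({"src": (a.get("src") or "").strip(), "hidden": hidden})
        if tag not in VOID_TAGS:
            self._stack.append((tag, self_hidden))
            if self_hidden:
                self._hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop until the matching open tag; tolerant of sloppy, unclosed markup.
        while self._stack:
            open_tag, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
            if open_tag == tag:
                break


def find_suspicious_iframes(html, page_url):
    """Return the src of every hidden IFRAME whose host differs from the page's host."""
    page_host = urlparse(page_url).hostname
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    suspicious = []
    for frame in parser.iframes:
        # urljoin resolves relative and scheme-relative ("//cdn...") sources.
        host = urlparse(urljoin(page_url, frame["src"])).hostname
        if frame["hidden"] and host and host != page_host:
            suspicious.append(frame["src"])
    return suspicious


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_PAGE, "https://www.tonis-pizza-lausanne.ch/menu"):
        print("suspicious hidden off-site IFRAME:", src)
```

The check is deliberately conservative: a visible off-site IFRAME (an ordinary video embed) is not reported, and a hidden IFRAME that stays on the same host is not reported either, since both are common in legitimate pages. Real injections also use obfuscated JavaScript that writes the IFRAME at run time, which a static HTML scan like this one will not see.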

Name some document types that are used as malicious documents.

Microsoft Office documents

  • may contain VBA macros
  • VBA is a powerful programming language, which gives the attacker lots of possibilities to drop and execute a malicious payload.
  • The payload is either embedded in the document (dropper) or downloaded from the internet (downloader).

PDF documents

  • may contain scripts, e.g. JavaScript.

Document attacks are the most prevalent infection vector. Malicious documents do not necessarily rely on exploits: a macro or script is a legitimate feature of the file format, so the attacker only needs the user to open the document and allow the content to run.
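Because a macro is a feature rather than an exploit, the first thing a defender wants to know about an incoming Office document is simply whether it carries a VBA project at all. The following check is an added example (not part of the original flashcards) that inspects the Office Open XML package by content instead of trusting the file extension. The sample packages built by build_sample are constructed, minimal stand-ins for real Word files; the part name and content type used for the VBA project are the standard OOXML ones.

```python
"""Added example: content-based check whether an Office Open XML file carries a VBA macro project."""
import io
import zipfile

VBA_PART_NAME = "vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CONTENT_TYPES = "[Content_Types].xml"


def has_vba_macros(data: bytes) -> bool:
    """True if the OOXML package (docx/docm, xlsx/xlsm, pptx/pptm) contains a VBA project.

    The decision is based on the package content, not on the extension: a .docm renamed
    to .doc still opens in Word with its macros intact. Legacy OLE2 binaries (.doc/.xls)
    store macros differently and need a separate parser.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            # Part-name check: the VBA project normally lives at word|xl|ppt/vbaProject.bin.
            if any(n.rsplit("/", 1)[-1].lower() == VBA_PART_NAME.lower() for n in names):
                return True
            # Content-type check: catches a VBA part stored under an unusual name.
            if CONTENT_TYPES in names:
                ct_xml = pkg.read(CONTENT_TYPES).decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in ct_xml
    except zipfile.BadZipFile:
        return False  # not a zip container, hence not an OOXML document
    return False


def build_sample(with_macro: bool, part_name: str = "word/vbaProject.bin") -> bytes:
    """Constructed minimal OOXML-like package for the demo; not a valid Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        overrides = [
            '<Override PartName="/word/document.xml" ContentType="application/vnd.'
            'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        ]
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            overrides.append(f'<Override PartName="/{part_name}" ContentType="{VBA_CONTENT_TYPE}"/>')
            # OLE2 compound-file signature plus filler; a real VBA project is an OLE2 stream.
            pkg.writestr(part_name, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
        pkg.writestr(
            CONTENT_TYPES,
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            + "".join(overrides) + "</Types>",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in [("clean", build_sample(False)), ("macro", build_sample(True))]:
        print(label, "->", "VBA project present" if has_vba_macros(sample) else "no VBA project")
```

A positive result only says that macro code is present, not whether it is a dropper or a downloader; telling those apart requires decompressing and reading the VBA streams inside the OLE2 part, which is a job for a dedicated parser.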

What is social engineering?

Social engineering is tricking a human into performing an action that allows malware to execute.
 

Some examples:

  • Get person to open attachment / file
  • Make them run a program or script
  • Get them to plug in a usb device
  • etc...

What is the difference between phishing and spearphishing?

Phishing is non-targeted: mail is sent to many users in the hope that a small subset of them falls for the trick and installs the malware.

Spearphishing is targeted, either at an individual person or a small group. The email is crafted in a specific, personalized way to make the recipients interact with the attacker.

 

What is an infection proxy?

An infection proxy is a position on the victim's network path from which traffic can be intercepted and malware delivered. It does not need to be at the level of the ISP; it can also be a local Wi-Fi network such as the one at Starbucks.

A Pineapple access point can be used to intercept Wi-Fi traffic.

What is a payload and what types of activities does it carry out?

Payload: In information security, the term payload generally refers to the part of the malicious code that performs the destructive / malicious operations.

activities of payloads:

  • execute malicious activity ("effective payload")
    • Information theft, modification, store information
    • Abuse computing resources
  • Communicate with command and control server
    • Update
    • Exfiltrate data
  • Propagate 
  • Anti-forensics, e.g. hiding ("rootkit" techniques) and self-defense techniques

Name some examples of malicious activities?

  • Information theft
    • Key logging
    • Take screenshots
    • Email addresses
  • Information storage and modification
    • Store illegal data, software, etc.
    • HTML injection into the browser to proactively harvest data
    • Modify payment info in e-banking transactions, so-called "transaction generators"
  • Abuse of computing resources
    • Proxy
    • Sending spam
    • Click fraud
  • Propagation
    • Copy malware to network shares, USB sticks
    • Network based spreading via remote exploits, open ports etc..
    • Email malware to recipients in address book etc...

Most current malware does not propagate: it is too noisy and hard to control (see the Morris worm).

Early malware did this so called