SlideShare a Scribd company logo

New wave of attacks in Ukraine 2016

Download as PPTX, PDF
Marina Krotofil
Marina Krotofil

Few examples of attach techniques used in 2016 campaign

Internet
1 of 11
NEW WAVE OF ATTACKS IN UKRAINE Marina Krotofil based on materials from Aleksey Yasinskiy
Short description  Similarly to last year, the wave of attacks has started in month of July • It is hot and everybody is in careless summer mood • Embedded macros • Many people are on vacation and those who are not -> performing duties of those who are on vacation (and open aaaaall the attachments)  The attacks grew in sophistication (in comparison to 2015) • New added routines to detect installed security protections on the infected machine • Improved obfuscation techniques  Similarly to last year, there is a “silence” period • Several C&C center went off line • Now immediate destructive attacks A new wave of destructive attacks is awaited
New wave of infection via spear fishing July 14, 2016 Angry customer is complaining about financial spam (scam). He received an email from a Diamantbank stating that he took a large credit but did not start paying for it. He now awes bank a large sum of money and is threatened with legal actions against him. Also the customer understand it was a scam, he OPENED the attachment (and got infected)
Discussions on motherhood portals July 14, 2016 Mothers discussing receiving similar financial spam (scam). Although do realize it was spam, they all opened attachment first.
Structure of embedded macros
Analysis of embedded macros SandBox and ISP detection routines
Anti-spam detection techniques Malicious code is embedded into romantic lyrics to avoid detection by the spam detection algorithms (e.g. ratio of text to code)
Obfuscation techniques Making code looking like a pure noise
Obfuscation techniques Nesting doll: code in the code These pieces of code will eventually assemble into malicious line of code
False alarm Legitimate security application behaving like a malware. It draw attention during inspection of the machine but turned to be a false alarm. Ugh. Annoying.
Afterword  There is a version that Ukraine is used among other countries as a playgroud for testing new attach strategies and techniques • The purpose of the infection is currently still unclear • Malware is becoming more intelligent and more aware of its environment • About 1 month after infection it is very hard to detect malware on the infected machine For more information about attacks in Ukraine see • Analysis of embedded macros: https://socprime.com/en/blog/infrastructure-infiltration-via-rtf/ • Analysis of other malicious activities: https://socprime.com/en/blog/ Aleksey Yasinskiy: Head of ISSP Labs & Research Center @Aleksey_yas; https:// Marina Krotofil: Lead Security Researcher at Honeywell Industrial Cyber Security Lab @marmusha Opinions are our own

Recommended

Ransomware
RansomwareRansomware
RansomwareDevAkabari
 
Cyber security
Cyber securityCyber security
Cyber securitymanoj duli
 
Cyber Attack Methodologies
Cyber Attack MethodologiesCyber Attack Methodologies
Cyber Attack MethodologiesGeeks Anonymes
 
Evolution of ransomware
Evolution of ransomwareEvolution of ransomware
Evolution of ransomwareCharles Steve
 
Cyber security
Cyber securityCyber security
Cyber securitySakib Sami
 
Avar2011 changing security_awareness_training
Avar2011 changing security_awareness_trainingAvar2011 changing security_awareness_training
Avar2011 changing security_awareness_trainingYoungjun Chang
 
Home cyber security
Home cyber securityHome cyber security
Home cyber securityMichael File
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentationParab Mishra
 

Recommended

Ransomware
RansomwareRansomware
RansomwareDevAkabari
 
Cyber security
Cyber securityCyber security
Cyber securitymanoj duli
 
Cyber Attack Methodologies
Cyber Attack MethodologiesCyber Attack Methodologies
Cyber Attack MethodologiesGeeks Anonymes
 
Evolution of ransomware
Evolution of ransomwareEvolution of ransomware
Evolution of ransomwareCharles Steve
 
Cyber security
Cyber securityCyber security
Cyber securitySakib Sami
 
Avar2011 changing security_awareness_training
Avar2011 changing security_awareness_trainingAvar2011 changing security_awareness_training
Avar2011 changing security_awareness_trainingYoungjun Chang
 
Home cyber security
Home cyber securityHome cyber security
Home cyber securityMichael File
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentationParab Mishra
 
Cyber security
Cyber securityCyber security
Cyber securityvishakha bhagwat
 
CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04Kyle Lai
 
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk AdvisoryHow COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk AdvisoryCR Group
 
Cyber security
Cyber securityCyber security
Cyber securityShivaani srinivas iyer
 
Cyber Security Research Project Topics
Cyber Security Research Project TopicsCyber Security Research Project Topics
Cyber Security Research Project TopicsMatlab Simulation
 
INTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICSINTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICSSylvain Martinez
 
Cyber Crime 101: The Impact of Cyber Crime on Higher Education in South Africa
Cyber Crime 101: The Impact of Cyber Crime on Higher Education in South AfricaCyber Crime 101: The Impact of Cyber Crime on Higher Education in South Africa
Cyber Crime 101: The Impact of Cyber Crime on Higher Education in South AfricaJacqueline Fick
 
seminar report on What is ransomware
seminar report on What is ransomwareseminar report on What is ransomware
seminar report on What is ransomwareJawhar Ali
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attackMark Silver
 
Ransomware - Friend or Foe
Ransomware - Friend or FoeRansomware - Friend or Foe
Ransomware - Friend or FoeSrinivas Thimmaiah
 
Tools and methods used in cyber crime
Tools and methods used in cyber crimeTools and methods used in cyber crime
Tools and methods used in cyber crimeshubhravrat Deshpande
 
Ransomware 2017: New threats emerge
Ransomware 2017: New threats emergeRansomware 2017: New threats emerge
Ransomware 2017: New threats emergeSymantec Security Response
 
Cybercrime & Cybersecurity
Cybercrime & CybersecurityCybercrime & Cybersecurity
Cybercrime & CybersecurityRitamaJana
 
Netpluz - Managed Firewall & Endpoint Protection
Netpluz - Managed Firewall & Endpoint Protection Netpluz - Managed Firewall & Endpoint Protection
Netpluz - Managed Firewall & Endpoint Protection Netpluz Asia Pte Ltd
 
Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.marketingunitrends
 
Network Security Research Paper
Network Security Research PaperNetwork Security Research Paper
Network Security Research PaperPankaj Jha
 
cyber security | What Is Cyber Security | Hello World Session
cyber security | What Is Cyber Security | Hello World Sessioncyber security | What Is Cyber Security | Hello World Session
cyber security | What Is Cyber Security | Hello World SessionYasserElsnbary
 
WEB SECURITY
WEB SECURITYWEB SECURITY
WEB SECURITYMDERAMTALUKDER
 
Chapter 1, Transformasi antivirus
Chapter 1, Transformasi antivirusChapter 1, Transformasi antivirus
Chapter 1, Transformasi antivirusAdi Saputra
 
Cyber Security Terms
Cyber Security TermsCyber Security Terms
Cyber Security TermsSuryaprakash Nehra
 
Your money or your files
Your money or your filesYour money or your files
Your money or your filesRoel Palmaers
 
MMW April 2016 Ransomware Resurgence
MMW April 2016 Ransomware Resurgence MMW April 2016 Ransomware Resurgence
MMW April 2016 Ransomware Resurgence Cyphort
 

More Related Content

What's hot

CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04Kyle Lai
 
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk AdvisoryHow COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk AdvisoryCR Group
 
Cyber Security Research Project Topics
Cyber Security Research Project TopicsCyber Security Research Project Topics
Cyber Security Research Project TopicsMatlab Simulation
 
INTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICSINTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICSSylvain Martinez
 
Cyber Crime 101: The Impact of Cyber Crime on Higher Education in South Africa
Cyber Crime 101: The Impact of Cyber Crime on Higher Education in South AfricaCyber Crime 101: The Impact of Cyber Crime on Higher Education in South Africa
Cyber Crime 101: The Impact of Cyber Crime on Higher Education in South AfricaJacqueline Fick
 
seminar report on What is ransomware
seminar report on What is ransomwareseminar report on What is ransomware
seminar report on What is ransomwareJawhar Ali
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attackMark Silver
 
Tools and methods used in cyber crime
Tools and methods used in cyber crimeTools and methods used in cyber crime
Tools and methods used in cyber crimeshubhravrat Deshpande
 
Cybercrime & Cybersecurity
Cybercrime & CybersecurityCybercrime & Cybersecurity
Cybercrime & CybersecurityRitamaJana
 
Netpluz - Managed Firewall & Endpoint Protection
Netpluz - Managed Firewall & Endpoint Protection Netpluz - Managed Firewall & Endpoint Protection
Netpluz - Managed Firewall & Endpoint Protection Netpluz Asia Pte Ltd
 
Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.marketingunitrends
 
Network Security Research Paper
Network Security Research PaperNetwork Security Research Paper
Network Security Research PaperPankaj Jha
 
cyber security | What Is Cyber Security | Hello World Session
cyber security | What Is Cyber Security | Hello World Sessioncyber security | What Is Cyber Security | Hello World Session
cyber security | What Is Cyber Security | Hello World SessionYasserElsnbary
 
Chapter 1, Transformasi antivirus
Chapter 1, Transformasi antivirusChapter 1, Transformasi antivirus
Chapter 1, Transformasi antivirusAdi Saputra
 

What's hot (20)

Cyber security
Cyber securityCyber security
Cyber security
 
CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04
 
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk AdvisoryHow COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
 
Cyber security
Cyber securityCyber security
Cyber security
 
Cyber Security Research Project Topics
Cyber Security Research Project TopicsCyber Security Research Project Topics
Cyber Security Research Project Topics
 
INTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICSINTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICS
 
Cyber Crime 101: The Impact of Cyber Crime on Higher Education in South Africa
Cyber Crime 101: The Impact of Cyber Crime on Higher Education in South AfricaCyber Crime 101: The Impact of Cyber Crime on Higher Education in South Africa
Cyber Crime 101: The Impact of Cyber Crime on Higher Education in South Africa
 
seminar report on What is ransomware
seminar report on What is ransomwareseminar report on What is ransomware
seminar report on What is ransomware
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attack
 
Ransomware - Friend or Foe
Ransomware - Friend or FoeRansomware - Friend or Foe
Ransomware - Friend or Foe
 
Tools and methods used in cyber crime
Tools and methods used in cyber crimeTools and methods used in cyber crime
Tools and methods used in cyber crime
 
Ransomware 2017: New threats emerge
Ransomware 2017: New threats emergeRansomware 2017: New threats emerge
Ransomware 2017: New threats emerge
 
Cybercrime & Cybersecurity
Cybercrime & CybersecurityCybercrime & Cybersecurity
Cybercrime & Cybersecurity
 
Netpluz - Managed Firewall & Endpoint Protection
Netpluz - Managed Firewall & Endpoint Protection Netpluz - Managed Firewall & Endpoint Protection
Netpluz - Managed Firewall & Endpoint Protection
 
Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.
 
Network Security Research Paper
Network Security Research PaperNetwork Security Research Paper
Network Security Research Paper
 
cyber security | What Is Cyber Security | Hello World Session
cyber security | What Is Cyber Security | Hello World Sessioncyber security | What Is Cyber Security | Hello World Session
cyber security | What Is Cyber Security | Hello World Session
 
WEB SECURITY
WEB SECURITYWEB SECURITY
WEB SECURITY
 
Chapter 1, Transformasi antivirus
Chapter 1, Transformasi antivirusChapter 1, Transformasi antivirus
Chapter 1, Transformasi antivirus
 
Cyber Security Terms
Cyber Security TermsCyber Security Terms
Cyber Security Terms
 

Similar to New wave of attacks in Ukraine 2016

Your money or your files
Your money or your filesYour money or your files
Your money or your filesRoel Palmaers
 
MMW April 2016 Ransomware Resurgence
MMW April 2016 Ransomware Resurgence MMW April 2016 Ransomware Resurgence
MMW April 2016 Ransomware Resurgence Cyphort
 
Cyber security and current trends
Cyber security and current trendsCyber security and current trends
Cyber security and current trendsShreedeep Rayamajhi
 
Combating RANSOMWare
Combating RANSOMWareCombating RANSOMWare
Combating RANSOMWareUmer Saeed
 
MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN
MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_ENMID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN
MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_ENVladyslav Radetsky
 
Utilizing Internet for Fraud Examination and Investigation
Utilizing Internet for Fraud Examination and InvestigationUtilizing Internet for Fraud Examination and Investigation
Utilizing Internet for Fraud Examination and InvestigationGoutama Bachtiar
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015Andreanne Clarke
 
A Secure Network Bridging the Gap
A Secure Network Bridging the GapA Secure Network Bridging the Gap
A Secure Network Bridging the GapColloqueRISQ
 
Industry reactions to wanna cry ransomware attacks
Industry reactions to wanna cry ransomware attacksIndustry reactions to wanna cry ransomware attacks
Industry reactions to wanna cry ransomware attackskevinmass30
 
Ransomware all locked up book
Ransomware all locked up bookRansomware all locked up book
Ransomware all locked up bookDiego Souza
 
Case Study: Wannacry Ransomware attacks Telefónica
Case Study: Wannacry Ransomware attacks TelefónicaCase Study: Wannacry Ransomware attacks Telefónica
Case Study: Wannacry Ransomware attacks TelefónicaSergio Renteria Nuñez
 
The financial sector under siege from vicious banking malware @ReveeliumBlog
The financial sector under siege from vicious banking malware @ReveeliumBlogThe financial sector under siege from vicious banking malware @ReveeliumBlog
The financial sector under siege from vicious banking malware @ReveeliumBlogITrust - Cybersecurity as a Service
 
Check point 2015-securityreport
Check point 2015-securityreportCheck point 2015-securityreport
Check point 2015-securityreportEIINSTITUT
 
Problems With Battling Malware Have Been Discussed, Moving...
Problems With Battling Malware Have Been Discussed, Moving...Problems With Battling Malware Have Been Discussed, Moving...
Problems With Battling Malware Have Been Discussed, Moving...Deb Birch
 

Similar to New wave of attacks in Ukraine 2016 (20)

Your money or your files
Your money or your filesYour money or your files
Your money or your files
 
MMW April 2016 Ransomware Resurgence
MMW April 2016 Ransomware Resurgence MMW April 2016 Ransomware Resurgence
MMW April 2016 Ransomware Resurgence
 
Cyber security and current trends
Cyber security and current trendsCyber security and current trends
Cyber security and current trends
 
Combating RANSOMWare
Combating RANSOMWareCombating RANSOMWare
Combating RANSOMWare
 
MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN
MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_ENMID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN
MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN
 
Utilizing Internet for Fraud Examination and Investigation
Utilizing Internet for Fraud Examination and InvestigationUtilizing Internet for Fraud Examination and Investigation
Utilizing Internet for Fraud Examination and Investigation
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015
 
Threat report h1_2013
Threat report h1_2013Threat report h1_2013
Threat report h1_2013
 
A Secure Network Bridging the Gap
A Secure Network Bridging the GapA Secure Network Bridging the Gap
A Secure Network Bridging the Gap
 
Ransomware-as-a-Service: The business of distributing cyber attacks
Ransomware-as-a-Service: The business of distributing cyber attacksRansomware-as-a-Service: The business of distributing cyber attacks
Ransomware-as-a-Service: The business of distributing cyber attacks
 
Industry reactions to wanna cry ransomware attacks
Industry reactions to wanna cry ransomware attacksIndustry reactions to wanna cry ransomware attacks
Industry reactions to wanna cry ransomware attacks
 
Ransomware all locked up book
Ransomware all locked up bookRansomware all locked up book
Ransomware all locked up book
 
Case Study: Wannacry Ransomware attacks Telefónica
Case Study: Wannacry Ransomware attacks TelefónicaCase Study: Wannacry Ransomware attacks Telefónica
Case Study: Wannacry Ransomware attacks Telefónica
 
The financial sector under siege from vicious banking malware @ReveeliumBlog
The financial sector under siege from vicious banking malware @ReveeliumBlogThe financial sector under siege from vicious banking malware @ReveeliumBlog
The financial sector under siege from vicious banking malware @ReveeliumBlog
 
Wannacry Virus
Wannacry VirusWannacry Virus
Wannacry Virus
 
Wannacry
WannacryWannacry
Wannacry
 
Check point 2015-securityreport
Check point 2015-securityreportCheck point 2015-securityreport
Check point 2015-securityreport
 
Spyware
SpywareSpyware
Spyware
 
File000145
File000145File000145
File000145
 
Problems With Battling Malware Have Been Discussed, Moving...
Problems With Battling Malware Have Been Discussed, Moving...Problems With Battling Malware Have Been Discussed, Moving...
Problems With Battling Malware Have Been Discussed, Moving...
 

More from Marina Krotofil

S4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsS4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsMarina Krotofil
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevMarina Krotofil
 
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...Marina Krotofil
 
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...Marina Krotofil
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesMarina Krotofil
 
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...Marina Krotofil
 
S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017Marina Krotofil
 
S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017Marina Krotofil
 
Mission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMarina Krotofil
 
BlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALBlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALMarina Krotofil
 
DefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenDefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenMarina Krotofil
 

More from Marina Krotofil (15)

S4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsS4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsics
 
Dhs icsjwg 2015_v3
Dhs icsjwg 2015_v3Dhs icsjwg 2015_v3
Dhs icsjwg 2015_v3
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsev
 
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
 
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
 
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
 
S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017
 
S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017
 
S4x16_Europe_Krotofil
S4x16_Europe_KrotofilS4x16_Europe_Krotofil
S4x16_Europe_Krotofil
 
presentation_sas2016_V3
presentation_sas2016_V3presentation_sas2016_V3
presentation_sas2016_V3
 
Mission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control Systems
 
MKAD_black_V2
MKAD_black_V2MKAD_black_V2
MKAD_black_V2
 
BlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALBlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINAL
 
DefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenDefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_Larsen
 

Recently uploaded

20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftAanSulistiyo
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptxAsmae Rabhi
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfJOHNBEBONYAP1
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsMonica Sydney
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...kajalverma014
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查ydyuyu
 

Recently uploaded (20)

20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck Microsoft
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 

New wave of attacks in Ukraine 2016

  • 1. NEW WAVE OF ATTACKS IN UKRAINE Marina Krotofil based on materials from Aleksey Yasinskiy
  • 2. Short description  Similarly to last year, the wave of attacks has started in month of July • It is hot and everybody is in careless summer mood • Embedded macros • Many people are on vacation and those who are not -> performing duties of those who are on vacation (and open aaaaall the attachments)  The attacks grew in sophistication (in comparison to 2015) • New added routines to detect installed security protections on the infected machine • Improved obfuscation techniques  Similarly to last year, there is a “silence” period • Several C&C center went off line • Now immediate destructive attacks A new wave of destructive attacks is awaited
  • 3. New wave of infection via spear fishing July 14, 2016 Angry customer is complaining about financial spam (scam). He received an email from a Diamantbank stating that he took a large credit but did not start paying for it. He now awes bank a large sum of money and is threatened with legal actions against him. Also the customer understand it was a scam, he OPENED the attachment (and got infected)
  • 4. Discussions on motherhood portals July 14, 2016 Mothers discussing receiving similar financial spam (scam). Although do realize it was spam, they all opened attachment first.
  • 6. Analysis of embedded macros SandBox and ISP detection routines
  • 7. Anti-spam detection techniques Malicious code is embedded into romantic lyrics to avoid detection by the spam detection algorithms (e.g. ratio of text to code)
  • 8. Obfuscation techniques Making code looking like a pure noise
  • 9. Obfuscation techniques Nesting doll: code in the code These pieces of code will eventually assemble into malicious line of code
  • 10. False alarm Legitimate security application behaving like a malware. It draw attention during inspection of the machine but turned to be a false alarm. Ugh. Annoying.
  • 11. Afterword  There is a version that Ukraine is used among other countries as a playgroud for testing new attach strategies and techniques • The purpose of the infection is currently still unclear • Malware is becoming more intelligent and more aware of its environment • About 1 month after infection it is very hard to detect malware on the infected machine For more information about attacks in Ukraine see • Analysis of embedded macros: https://socprime.com/en/blog/infrastructure-infiltration-via-rtf/ • Analysis of other malicious activities: https://socprime.com/en/blog/ Aleksey Yasinskiy: Head of ISSP Labs & Research Center @Aleksey_yas; https:// Marina Krotofil: Lead Security Researcher at Honeywell Industrial Cyber Security Lab @marmusha Opinions are our own