There is nothing mystical about cyber security. Any company can be a target – if not specifically selected, then a target of opportunity. Cyber attackers try to get their victims any way they can, and will do anything to profit. Watch the recording of cyber-security first webinar and download the presentation materiel to learn more how you can prevent from targeted cyber attacks. Article URL : https://business.f-secure.com/cyber-security-what-is-it-all-about/

1. Threat Landscape
CyberSecurityWebinarSeries
Webinar1,May4th,2015
Jarno Niemelä
Twitter: @jarnomn

2. WHAT’S THISALL
ABOUT
Enemies, every company has them
 Large or strategically important companies
have enemies who target them specifically
 The rest will be targets of opportunity
A normal company has to worry about
 Undirected malware attacks
 For profit criminals
 Activists, hackers, script kiddies
 Spies who are after your customers and
using you as path for attack
© F-Secure2

3. STAGES OFATTACK
1. Recon Target and build exploit and malware for attack
2. Get in contact with target and attack
3. Get C&C access to target beach-head malware
4. Move within target network
5. Monetize
6. Persist as long as possible
© F-Secure3

4. RECON
Exploits are always specific to certain program, and sometimes even version
 Thus in order to weaponize, attacker must know his target
 Or use mass attacks and rely on luck
 Network scanning, banner grabbing, etc basic techniques
 OSINT, what software @company.com users have posted or asked about
 Are any vendors using the company as reference?
 DNS timing recon, query target DNS and time the answers
 Anything that is in use in the company will answer fast
 Humint, call people and ask, pretend to be student and send
questionnaires
© F-Secure4

5. ATTACK OVER
EMAIL
SPAM: the attacker builds a generic email…
 …and hopes that message hits home to someone
Spear Phishing: Victim gets tailored email with a document
 The document is from known sender
 Topic of document is what could be expected
 All in all it looks like regular business mail
 Except that it contains an exploit and backdoor
© F-Secure5

6. ATTACK OVERHACKED
WEBSITES
Attacker searches web for vulnerable pages
 Vulnerable pages are hacked to attack users
 The page contains
 either direct attack
 Or redirection to attack server
 Both criminals and spies use web attacks
 Criminals go after any web page which has users
 Spies selectively target pages favored by intended targets
 This is called watering hole attack, lie & wait for the victims to come
© F-Secure

7. ANYTHINGGOESFOR
ATTACK
It’s not only the naughty pages
 Attackers will use any popular
site that they are able to take
over
© F-Secure

8. SEARCH ENGINE POISONING
Why chase victims when you can lure them?
 Attacker picks searches that interest targets
 Uses search engine optimization tricks
to get to top hits
 And waits for user to click on the result
 After user visits the page the flow continues
as in hacked site
© F-Secure

9. TRAFFICINJECTION
Attacker gets MITM (Man in the Middle)
access to traffic
 Hacked router or “legal” interception interface
 “Free” Wifi access point or evil twin
 Chinas “great cannon”, traffic injection at border
With MITM attacker can inject traffic
 Exploits into any web page
 On the fly trojanizing of software updates
or other executables
 Javascript injection, to make victim into DDOS slave
© F-Secure

10. SOCIALENGINEERING
ATTACKS
Sometimes attacker does not have exploit kit at his disposal, so he uses scams
 Most typical cases are
 Fake updates to Flash, codecs, etc
 Fake movies, images, etc
 Trojanized pirate copies
 Sometimes attackers use additional tricks
 Such as DNS poisoning to make it look like
that content is coming from trusted domain
© F-Secure

11. DISTRIBUTION THROUGH
AFFILIATES
Sometimes attacker
does not know how to
monetize victim
 So he sells the
access to victim
 Botnet operator buys victims in bulk
 And monetizes them
 This is called affiliate networks, basically it’s digital slave trade
ZeroAccess Botnet
Operator
Affiliates
Victims
Exploit kit
Pay-per-
install
Spam
Fake video
$500 per
1000 installs

12. USB: BRIDGING
AIRGAP
USB or other media stick loaded with malware
 USB autoplay (doesn’t work against up to date OS)
 Icon or media recognition exploit
 Use traditional trick of masking executable as document
 Craft special USB that actually acts as USB keyboard
and use “copy con foo.exe” and then “cmd /c foo.exe” to run
it
 Emulate network card and have automated exploit kit on the
stick, or use DCHP to change users DNS settings
 Or just plain document exploit
Introduce USB to victim
 Hope that victim plugs in said USB device
 http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe
© F-Secure12

13. MOBILEMALWARE
Mobile malware is almost exclusively
Android problem
 However there are few that target unlocked iPhones
The Android malware is based on trojans
fooling the user to install
 Fake Flashplayer or other updates shown by hacked websites
 Trojanized or fake apps in third party app stores or Google Play
 URL links in SMS, What’s App, Skype, Email or other spam
Once installed the malware tries to monetize
 Sending premium SMS
 Ransomware, lock the phone or files
 Assisting PC based banker attacks
© F-Secure13
Fastest growing Android malware families

14. CONCLUSION
Attackers will try to get victims any way they can
 And will do anything to get profit from victims
 Which means that even if you are not interesting target
 Your customers may be, and thus so are you
 Or you get hit simply because you are an easy target
 This means that as a defender you need comprehensive protection
© F-Secure