SlideShare una empresa de Scribd logo

【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】

Hacks in Taiwan (HITCON)
Hacks in Taiwan (HITCON)

【HITCON FreeTalk 2021 - 近期供應鏈及勒索病毒事件剖析】 ➠ Talk: SolarWinds 供應鏈攻擊事件分析 ➠ Speaker: Fox-IT 研究員 Zywu, 台灣駭客協會理事 CK ➠ Video: https://fb.watch/4hg1RYiQWw/

Presentaciones y charlas públicas
1 de 41
Descargar para leer sin conexión
SolarWinds Hacked - find the targets ZY WU & CK Chen
About ZY Wu • Threat analysts at Fox-IT intel team • Malware analysis & threat intel • Find me at zong-yu.wu@fox-it.com CK Chen • HITCON Member • HITCON 2021 Review Board Chairman • Researcher, focus on malware analysis, APT investigation and threat intel
Agenda • What happened? • Define the supply chain attack • Impact Assessment – Finding the targets • How special it is?
Kudos to Danny at Fox-IT YJ at TrendMicro Anonymous Hamster at Exercise wheel
CrowdStrike release SUNSPOT investigation report 2021.01.11 2021.01.13 CISA: bypass MFA in cloud services FireEye released Remediation for Microsoft 365 2021.01.19 2021.01.19 MalwareBytes claim to be hacked Microsoft Deep dive into the Solorigate second-stage activation 2021.01.22 2021.02.18 Microsoft Internal Solorigate Investigation – Final Update Microsoft, FireEye New SUNSHUTTLE Backdoor Targeting U.S.- Based Entity 2021.03.04 FireEye hacked, Red team tools leaked 2020.12.09 2020.12.13 CISA issued emergence directive WSJ, REUTERS U.S. Treasury and Commerce departments Hacked 2020.12.13-14 2020.12.15-18 Second malware Supernova discovered Microsoft, FireEye, GoDaddy establish killswitch 2020.12.17 2020.12.17 Microsoft report potential victims Microsoft confirmed source code stolen 2020.12.31 2021.01.05 CISA, DNI, NSA suspect the actor is Russia-based Department of Justice confirmed hacked 2021.01.06
AB (A %verb% B) Target Supplier Attacker Target Afraid of (the insider) Relied on Afraid of Supplier Relied on - Afraid of Attacker Interested in Proxy through -
Advantage of exploiting Supply Chain • Abuse the trust between supplier and targets • It is possible to find a weaker supplier among those • Compromising a whole range of companies if the major supplier in a sector is taken
Attack Against Code Dev. Commit -> Build (Signing) -> Test -> Deploy Commit -> SUNSPOT injects SUNBURST -> Build (Signing) -> Test (SUNBURST stay low) -> Deploy -> SUNBURST’s party time
Impact Assessment • More likely espionage purpose, but this is tough to do impact assessment. • In this presentation, I invite you to take a journey with me to picture targeted industry.
Malwares on the Desk SUNSPOT (injector) SUNBURST (Beacon) TEARDROP (Loader) RAINDROP (Loader) GoldMax Inside SolarWinds Running at Victims’ Env. SiBot GoldFinder CobaltStrike
SUNBURST under X-Ray • The beacon, the backdoor, installed to SolarWinds Orion Platform. • It avoids being launched in any dev. env.
SUNBURST under X-Ray The malware use customized FNV-1A hash algorithm to store resources:
Malware stays low under these AD domains: It checks antivirus driver/process/service and analysis tool as well. https://github.com/fireeye/sunburst_countermeasures/blob/mai n/hashcat.potfile swdev.local saas.swi emea.sales dmz.local pci.local lab.local apac.lab dev.local swdev.dmz lab.rio cork.lab lab.brno lab.na test Solarwinds SUNBURST was coded like a legitimate class, for example: Encode Process Name in fact Mimicking the legitimate traffic on the Platform
SUNBURST under X-Ray • The beacon, the backdoor, installed to SolarWinds Orion Platform. • It avoids being launched in any dev. env. • The callback domain is generated by victim information on DNS protocol. • Stage 1 – on DNS to get the HTTP sever • Stage 2 – on HTTP for the backdoor
• There are up to 4 different types (2 encoding x 2 input), giving an example: 57tadh50ha5mr9ah6ee0o6iuir0iwu0c.appsync-api.us-east-1.avsvmcloud.com SUNBURST Callback Protocol Prefix Fixed Random C&C 15 else Encoded GUID Encoded AD domain name 06a4ea63c80ee24a scc.state.va. -> The AD domain can be retrieved by a DNS query! -> Reverse Engineering to decode
SUNBURST Callback Protocol • DNS traffic, for those are not running on SSL, is not encrypted • It is possible to gather the domains which were been queried at a certain time by listening the network traffic from the internet backbone. • This dataset is called Passive DNS record.
ASSOCIATED [T+AVs] TRUNCATED Backdoor stopped PASSIVE [domain[:15], domain[15:]] Potential Target, Response magic A record Not interesting ACTIVE Backdoor on HTTP [T+AVs + Active bit] Select Target, Response HTTP C&C server at CNAME DGA Encoding method for PASSIVE state DGA Encoding method for ASSOCIATED/ACTIVE state
Searching the victims (in PASSIVE mode) 57tadh50ha5mr9ah6ee0o6iuir0iwu0c.appsync-api.us-east-1.avsvmcloud.com m1g39j9sctjtv6m0f6.appsync-api.us-east-1.avsvmcloud.com Prefix Fixed Random C&C 15 else Encoded GUID Encoded AD domain name 06a4ea63c80ee24a scc.state.va. Prefix Fixed Random C&C 15 Encoded GUID 06a4ea63c80ee24a us Add up to scc.state.va.us DGA Encoding method for PASSIVE state
Unique entry # PASSIVE 28,737 ASSOCIATED 7,029 ACTIVE 119
ASSOCIATED [T+AVs] TRUNCATED Backdoor stopped ACTIVE Backdoor on HTTP [T+AVs + Active bit] Select Target, Response HTTP C&C server at CNAME DGA Encoding method for PASSIVE state DGA Encoding method for ASSOCIATED/ACTIVE state
Searching the targets (in ACTIVE mode) 9q5jifedn8aflr4ge3nu.appsync-api.us-east-1.avsvmcloud.com Prefix Fixed Random C&C 8 3 else GUID Meta Running Antivirus 06a4ea63c80ee24a mode=1 active=1 timestamp=2020-05-31 12:00:00 The GUID is mapped to scc.state.va.us DGA Encoding method for ASSOCIATED/ACTIVE state
Searching the targets (in ACTIVE mode) scc.state.va.us central.pima.gov mgt.srb.europa fc.gov ddsn.gov phpds.org central.pima.gov Government HQ.FIDELLA lagnr.chevronte xaco.net coxnet.cox.com Energy ng.ds.army.mil nsanet.local Defense corp.qualys.com paloaltonetworks.com logitech.local wctc.msft ggsg-us.cisco.com cisco.com fox.local Tech/CyberSecurity
AB (A %verb% B) Target Supplier Attacker Target Afraid of (the insider) Relied on & Afraid of Afraid of Supplier Relied on - Afraid of Attacker Interested in Proxy through -
Software Supply Chain While better defense mechanism is deployed, threat actor move their target to the weakest point of supply chain More complicated software -> more complicated supply chain We talk a lot about supply chain, so… What’s the supply chain of you daily used software?
Stack Overflow Source Code Library Code Text Book/Doc Copy Code compiler Version Control Static Library Linker Executables CI Release Site Update Dispatch Dynamic library Executables Loader Executing In side your program, do you know where is every component come from? Every step here is possible to be compromised
Stack Overflow Source Code Library Code Text Book/Doc Copy Code compiler Version Control Static Library Linker Executables CI Release Site Update Dispatch Dynamic library Executables Loader Executing Stack Overflow Considered Harmful?The Impact of Copy&Paste on Android Application Security(2015)
Stack Overflow Source Code Library Code Text Book/Doc Copy Code compiler Version Control Static Library Linker Executables CI Release Site Update Dispatch Dynamic library Executables Loader Executing Malicious event-stream backdoor (2019) Ruby strong_password Backdoor (2019)
Stack Overflow Source Code Library Code Text Book/Doc Copy Code compiler Version Control Static Library Linker Executables CI Release Site Update Dispatch Dynamic library Executables Loader Executing XcodeGhost (2015)
Stack Overflow Source Code Library Code Text Book/Doc Copy Code compiler Version Control Static Library Linker Executables CI Release Site Update Dispatch Dynamic library Executables Loader Executing CCleaner Attack (2018)
Stack Overflow Source Code Library Code Text Book/Doc Copy Code compiler Version Control Static Library Linker Executables CI Release Site Update Dispatch Dynamic library Executables Loader Executing Operation GG(2015)
Stack Overflow Source Code Library Code Text Book/Doc Copy Code compiler Version Control Static Library Linker Executables CI Release Site Update Dispatch Dynamic library Executables Loader Executing
APTs Utilize Supply Chain Attacks • While most organization gradually enhance their security, adversarial try to compromised the weakest point of partner/supply chain first. ASUS Shadow Hammer(2019) Discovered by Kaspersky ASUS Web Storage(2019) We discover this operation in the same time as ESET
APTs Utilize Supply Chain Attacks • While most organization gradually enhance their security, adversarial try to compromised the weakest point of partner/supply chain first. SolarWinds Supply Chain Attack (2021)
Highlight TTPs • Supply Chain Attack: Large number of enterprises are potential victims • Compromise DevOps: Keep Stealthy in Develop Environment • Sophiscated Malware: Separate the Malware’s Execution Path • Attacking the Cloud Service
Attacking the Cloud Service • Lateral movement from on-premises networks to gain unauthorized access to the victim’s Microsoft 365 environment • Golden SAML Attack • Modify Trusted Domains • Hijack Azure AD Applications • Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365
Mitigation • Threat Hunting for Malicious IoCs • FireEye’s Red Team Tool IoCs • SunBurst IoCs • CISA “Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations” • Summary about the IoCs • https://shorturl.at/fxKTV
Mitigation • Mandiant Azure AD Investigator • https://github.com/fireeye/Mandiant-Azure-AD-Investigator • CISA “Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services” • https://github.com/cisagov/Sparrow
Lesson Learned • While being compromised is hard to avoid, proactive threat hunting and response to the incident. • Communicate and share with security community • Sophiscated APT attacks • Supply Chain Attack • Compromised DepOp Process • Laverage cloud service attacks • Supply chain security will still be the loophole for enterprises’ security • Using threat intelligence, e.g. PDNS, to help us understand threat actor’s targets • Cloud Services become a new attack vector for LM
Q&A

Recomendados

【HITCON Hackathon 2017】 TrendMicro Datasets
【HITCON Hackathon 2017】 TrendMicro Datasets【HITCON Hackathon 2017】 TrendMicro Datasets
【HITCON Hackathon 2017】 TrendMicro DatasetsHacks in Taiwan (HITCON)
 
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】Hacks in Taiwan (HITCON)
 
【HITCON FreeTalk 2018 - 從晶片設計角度看硬體安全】
【HITCON FreeTalk 2018 - 從晶片設計角度看硬體安全】【HITCON FreeTalk 2018 - 從晶片設計角度看硬體安全】
【HITCON FreeTalk 2018 - 從晶片設計角度看硬體安全】Hacks in Taiwan (HITCON)
 
CONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromCONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromPROIDEA
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoKatie Nickels
 
TRISIS in Perspective
TRISIS in PerspectiveTRISIS in Perspective
TRISIS in PerspectiveDragos, Inc.
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
Threat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainThreat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainSuwitcha Musijaral CISSP,CISA,GWAPT,SNORTCP
 

Recomendados

【HITCON Hackathon 2017】 TrendMicro Datasets
【HITCON Hackathon 2017】 TrendMicro Datasets【HITCON Hackathon 2017】 TrendMicro Datasets
【HITCON Hackathon 2017】 TrendMicro DatasetsHacks in Taiwan (HITCON)
 
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】Hacks in Taiwan (HITCON)
 
【HITCON FreeTalk 2018 - 從晶片設計角度看硬體安全】
【HITCON FreeTalk 2018 - 從晶片設計角度看硬體安全】【HITCON FreeTalk 2018 - 從晶片設計角度看硬體安全】
【HITCON FreeTalk 2018 - 從晶片設計角度看硬體安全】Hacks in Taiwan (HITCON)
 
CONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromCONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromPROIDEA
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoKatie Nickels
 
TRISIS in Perspective
TRISIS in PerspectiveTRISIS in Perspective
TRISIS in PerspectiveDragos, Inc.
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
Threat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainThreat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainSuwitcha Musijaral CISSP,CISA,GWAPT,SNORTCP
 
DFIR Training: RDP Triage
DFIR Training: RDP TriageDFIR Training: RDP Triage
DFIR Training: RDP TriageChristopher Gerritz
 
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE - ATT&CKcon
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...Cristian Garcia G.
 
Russia the threat landscape
Russia the threat landscapeRussia the threat landscape
Russia the threat landscapeАльбина Минуллина
 
A look at current cyberattacks in Ukraine
A look at current cyberattacks in UkraineA look at current cyberattacks in Ukraine
A look at current cyberattacks in UkraineKaspersky
 
CSF18 - Guarding Against the Unknown - Rafael Narezzi
CSF18 - Guarding Against the Unknown - Rafael NarezziCSF18 - Guarding Against the Unknown - Rafael Narezzi
CSF18 - Guarding Against the Unknown - Rafael NarezziNCCOMMS
 
CoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVCoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVThomas Roccia
 
Trisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersTrisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersDragos, Inc.
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSebastien Gioria
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsChristopher Gerritz
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureShakacon
 
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackReassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackDragos, Inc.
 
Behavior-Based Defense in ICS
Behavior-Based Defense in ICSBehavior-Based Defense in ICS
Behavior-Based Defense in ICSDragos, Inc.
 
The Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityThe Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityDragos, Inc.
 
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESETMITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESETMITRE - ATT&CKcon
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos, Inc.
 
TRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareTRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareThomas Roccia
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsUsing ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)TzahiArabov
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdfGabriel Mathenge
 

Más contenido relacionado

La actualidad más candente

MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE - ATT&CKcon
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...Cristian Garcia G.
 
A look at current cyberattacks in Ukraine
A look at current cyberattacks in UkraineA look at current cyberattacks in Ukraine
A look at current cyberattacks in UkraineKaspersky
 
CSF18 - Guarding Against the Unknown - Rafael Narezzi
CSF18 - Guarding Against the Unknown - Rafael NarezziCSF18 - Guarding Against the Unknown - Rafael Narezzi
CSF18 - Guarding Against the Unknown - Rafael NarezziNCCOMMS
 
CoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVCoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVThomas Roccia
 
Trisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersTrisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersDragos, Inc.
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSebastien Gioria
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsChristopher Gerritz
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureShakacon
 
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackReassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackDragos, Inc.
 
Behavior-Based Defense in ICS
Behavior-Based Defense in ICSBehavior-Based Defense in ICS
Behavior-Based Defense in ICSDragos, Inc.
 
The Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityThe Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityDragos, Inc.
 
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESETMITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESETMITRE - ATT&CKcon
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos, Inc.
 
TRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareTRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareThomas Roccia
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsUsing ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 

La actualidad más candente (20)

DFIR Training: RDP Triage
DFIR Training: RDP TriageDFIR Training: RDP Triage
DFIR Training: RDP Triage
 
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
 
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
 
Russia the threat landscape
Russia the threat landscapeRussia the threat landscape
Russia the threat landscape
 
A look at current cyberattacks in Ukraine
A look at current cyberattacks in UkraineA look at current cyberattacks in Ukraine
A look at current cyberattacks in Ukraine
 
CSF18 - Guarding Against the Unknown - Rafael Narezzi
CSF18 - Guarding Against the Unknown - Rafael NarezziCSF18 - Guarding Against the Unknown - Rafael Narezzi
CSF18 - Guarding Against the Unknown - Rafael Narezzi
 
CoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVCoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLV
 
Trisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersTrisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS Defenders
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An Introduction
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
 
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackReassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
 
Behavior-Based Defense in ICS
Behavior-Based Defense in ICSBehavior-Based Defense in ICS
Behavior-Based Defense in ICS
 
The Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityThe Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial Security
 
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESETMITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware
 
TRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareTRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS Malware
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsUsing ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
 

Similar a 【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】

Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)TzahiArabov
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdfGabriel Mathenge
 
VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX VMworld
 
Securing your Cloud Environment
Securing your Cloud EnvironmentSecuring your Cloud Environment
Securing your Cloud EnvironmentShapeBlue
 
Automating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinAutomating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinJonnathan Griffin
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Microfestival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Microfestival ICT 2016
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkDefCamp
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld
 
Tech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingTech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingInvincea, Inc.
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?Tomasz Jakubowski
 
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Brian Vermeer
 
AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZeditsRod Soto
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
 
Armo webinar rethinking your cloud security in the shadow of the solar winds ...
Armo webinar rethinking your cloud security in the shadow of the solar winds ...Armo webinar rethinking your cloud security in the shadow of the solar winds ...
Armo webinar rethinking your cloud security in the shadow of the solar winds ...LibbySchulze
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligencePriyanka Aash
 
Criminal IP ASM | Threat Intelligence-based Automated Attack Surface Managem...
Criminal IP ASM | Threat Intelligence-based Automated Attack Surface Managem...Criminal IP ASM | Threat Intelligence-based Automated Attack Surface Managem...
Criminal IP ASM | Threat Intelligence-based Automated Attack Surface Managem...Criminal IP
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information SecuritySplunk
 

Similar a 【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】 (20)

Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
 
VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX
 
Securing your Cloud Environment
Securing your Cloud EnvironmentSecuring your Cloud Environment
Securing your Cloud Environment
 
Automating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinAutomating cloud security - Jonny Griffin
Automating cloud security - Jonny Griffin
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Microfestival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
 
Tech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingTech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs Whitelisting
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
 
AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZedits
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 
Armo webinar rethinking your cloud security in the shadow of the solar winds ...
Armo webinar rethinking your cloud security in the shadow of the solar winds ...Armo webinar rethinking your cloud security in the shadow of the solar winds ...
Armo webinar rethinking your cloud security in the shadow of the solar winds ...
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
 
Criminal IP ASM | Threat Intelligence-based Automated Attack Surface Managem...
Criminal IP ASM | Threat Intelligence-based Automated Attack Surface Managem...Criminal IP ASM | Threat Intelligence-based Automated Attack Surface Managem...
Criminal IP ASM | Threat Intelligence-based Automated Attack Surface Managem...
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 

Más de Hacks in Taiwan (HITCON)

HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題二:Cyber War - 網路戰與地緣政治】
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題二:Cyber War - 網路戰與地緣政治】HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題二:Cyber War - 網路戰與地緣政治】
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題二:Cyber War - 網路戰與地緣政治】Hacks in Taiwan (HITCON)
 
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題一:資安地圖 - 資安領域與趨勢介紹】
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題一:資安地圖 - 資安領域與趨勢介紹】HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題一:資安地圖 - 資安領域與趨勢介紹】
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題一:資安地圖 - 資安領域與趨勢介紹】Hacks in Taiwan (HITCON)
 
HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享
HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享
HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享Hacks in Taiwan (HITCON)
 
HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記
HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記 HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記
HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記 Hacks in Taiwan (HITCON)
 
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You ThinkHITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You ThinkHacks in Taiwan (HITCON)
 
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】Hacks in Taiwan (HITCON)
 
【HITCON FreeTalk 2021 - From fakespy to Guerilla: Understanding Android malw...
【HITCON FreeTalk 2021 - From fakespy to Guerilla: Understanding Android malw...【HITCON FreeTalk 2021 - From fakespy to Guerilla: Understanding Android malw...
【HITCON FreeTalk 2021 - From fakespy to Guerilla: Understanding Android malw...Hacks in Taiwan (HITCON)
 
【HITCON FreeTalk】HITCON 2017 下半年活動介紹
【HITCON FreeTalk】HITCON 2017 下半年活動介紹【HITCON FreeTalk】HITCON 2017 下半年活動介紹
【HITCON FreeTalk】HITCON 2017 下半年活動介紹Hacks in Taiwan (HITCON)
 
HITCON TALK 技術解析 SWIFT Network 攻擊
HITCON TALK 技術解析 SWIFT Network 攻擊 HITCON TALK 技術解析 SWIFT Network 攻擊
HITCON TALK 技術解析 SWIFT Network 攻擊 Hacks in Taiwan (HITCON)
 
HITCON TALK 台灣駭客協會年度活動簡介
HITCON TALK 台灣駭客協會年度活動簡介HITCON TALK 台灣駭客協會年度活動簡介
HITCON TALK 台灣駭客協會年度活動簡介Hacks in Taiwan (HITCON)
 
Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果
Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果
Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果Hacks in Taiwan (HITCON)
 
2015 資安從業人員的寶(鬼)島求生
2015 資安從業人員的寶(鬼)島求生2015 資安從業人員的寶(鬼)島求生
2015 資安從業人員的寶(鬼)島求生Hacks in Taiwan (HITCON)
 

Más de Hacks in Taiwan (HITCON) (20)

HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題二:Cyber War - 網路戰與地緣政治】
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題二:Cyber War - 網路戰與地緣政治】HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題二:Cyber War - 網路戰與地緣政治】
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題二:Cyber War - 網路戰與地緣政治】
 
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題一:資安地圖 - 資安領域與趨勢介紹】
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題一:資安地圖 - 資安領域與趨勢介紹】HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題一:資安地圖 - 資安領域與趨勢介紹】
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題一:資安地圖 - 資安領域與趨勢介紹】
 
HITCON CISO Summit 2023 - Closing
HITCON CISO Summit 2023 - ClosingHITCON CISO Summit 2023 - Closing
HITCON CISO Summit 2023 - Closing
 
HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享
HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享
HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享
 
HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記
HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記 HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記
HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記
 
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You ThinkHITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
 
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
 
【HITCON FreeTalk 2021 - From fakespy to Guerilla: Understanding Android malw...
【HITCON FreeTalk 2021 - From fakespy to Guerilla: Understanding Android malw...【HITCON FreeTalk 2021 - From fakespy to Guerilla: Understanding Android malw...
【HITCON FreeTalk 2021 - From fakespy to Guerilla: Understanding Android malw...
 
【HITCON FreeTalk】Supply Chain Attack
【HITCON FreeTalk】Supply Chain Attack【HITCON FreeTalk】Supply Chain Attack
【HITCON FreeTalk】Supply Chain Attack
 
【HITCON FreeTalk】HITCON 2017 下半年活動介紹
【HITCON FreeTalk】HITCON 2017 下半年活動介紹【HITCON FreeTalk】HITCON 2017 下半年活動介紹
【HITCON FreeTalk】HITCON 2017 下半年活動介紹
 
HITCON TALK 技術解析 SWIFT Network 攻擊
HITCON TALK 技術解析 SWIFT Network 攻擊 HITCON TALK 技術解析 SWIFT Network 攻擊
HITCON TALK 技術解析 SWIFT Network 攻擊
 
HITCON TALK ATM 金融攻擊事件解析
HITCON TALK ATM 金融攻擊事件解析HITCON TALK ATM 金融攻擊事件解析
HITCON TALK ATM 金融攻擊事件解析
 
HITCON TALK 產業視野下的 InfoSec
HITCON TALK 產業視野下的 InfoSecHITCON TALK 產業視野下的 InfoSec
HITCON TALK 產業視野下的 InfoSec
 
HITCON TALK 台灣駭客協會年度活動簡介
HITCON TALK 台灣駭客協會年度活動簡介HITCON TALK 台灣駭客協會年度活動簡介
HITCON TALK 台灣駭客協會年度活動簡介
 
HITCON CTF 導覽
HITCON CTF 導覽HITCON CTF 導覽
HITCON CTF 導覽
 
Ctf hello,world!
Ctf hello,world! Ctf hello,world!
Ctf hello,world!
 
Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果
Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果
Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果
 
2015 資安從業人員的寶(鬼)島求生
2015 資安從業人員的寶(鬼)島求生2015 資安從業人員的寶(鬼)島求生
2015 資安從業人員的寶(鬼)島求生
 
CTF 經驗分享
CTF 經驗分享CTF 經驗分享
CTF 經驗分享
 
台灣資安人才培育現況
台灣資安人才培育現況台灣資安人才培育現況
台灣資安人才培育現況
 

Último

call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@vikas rana
 
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...marjmae69
 
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGYPHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGYpruthirajnayak525
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationNathan Young
 
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸mathanramanathan2005
 
James Joyce, Dubliners and Ulysses.ppt !
James Joyce, Dubliners and Ulysses.ppt !James Joyce, Dubliners and Ulysses.ppt !
James Joyce, Dubliners and Ulysses.ppt !risocarla2016
 
The 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringThe 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringSebastiano Panichella
 
Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Escort Service
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxaryanv1753
 
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxWork Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxmavinoikein
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxFamilyWorshipCenterD
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power
 
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comSaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comsaastr
 
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSebastiano Panichella
 
miladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxmiladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxCarrieButtitta
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Krijn Poppe
 
Genshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxGenshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxJohnree4
 
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxAnne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxnoorehahmad
 
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.KathleenAnnCordero2
 

Último (20)

call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@
 
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
 
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGYPHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism Presentation
 
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
 
Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸
 
James Joyce, Dubliners and Ulysses.ppt !
James Joyce, Dubliners and Ulysses.ppt !James Joyce, Dubliners and Ulysses.ppt !
James Joyce, Dubliners and Ulysses.ppt !
 
The 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringThe 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software Engineering
 
Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptx
 
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxWork Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptx
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
 
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comSaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
 
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation Track
 
miladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxmiladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptx
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
 
Genshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxGenshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptx
 
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxAnne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
 
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
 

【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】

  • 1. SolarWinds Hacked - find the targets ZY WU & CK Chen
  • 2. About ZY Wu • Threat analysts at Fox-IT intel team • Malware analysis & threat intel • Find me at zong-yu.wu@fox-it.com CK Chen • HITCON Member • HITCON 2021 Review Board Chairman • Researcher, focus on malware analysis, APT investigation and threat intel
  • 3. Agenda • What happened? • Define the supply chain attack • Impact Assessment – Finding the targets • How special it is?
  • 4. Kudos to Danny at Fox-IT YJ at TrendMicro Anonymous Hamster at Exercise wheel
  • 5.
  • 6. CrowdStrike release SUNSPOT investigation report 2021.01.11 2021.01.13 CISA: bypass MFA in cloud services FireEye released Remediation for Microsoft 365 2021.01.19 2021.01.19 MalwareBytes claim to be hacked Microsoft Deep dive into the Solorigate second-stage activation 2021.01.22 2021.02.18 Microsoft Internal Solorigate Investigation – Final Update Microsoft, FireEye New SUNSHUTTLE Backdoor Targeting U.S.- Based Entity 2021.03.04 FireEye hacked, Red team tools leaked 2020.12.09 2020.12.13 CISA issued emergence directive WSJ, REUTERS U.S. Treasury and Commerce departments Hacked 2020.12.13-14 2020.12.15-18 Second malware Supernova discovered Microsoft, FireEye, GoDaddy establish killswitch 2020.12.17 2020.12.17 Microsoft report potential victims Microsoft confirmed source code stolen 2020.12.31 2021.01.05 CISA, DNI, NSA suspect the actor is Russia-based Department of Justice confirmed hacked 2021.01.06
  • 7.
  • 8. AB (A %verb% B) Target Supplier Attacker Target Afraid of (the insider) Relied on Afraid of Supplier Relied on - Afraid of Attacker Interested in Proxy through -
  • 9. Advantage of exploiting Supply Chain • Abuse the trust between supplier and targets • It is possible to find a weaker supplier among those • Compromising a whole range of companies if the major supplier in a sector is taken
  • 10. Attack Against Code Dev. Commit -> Build (Signing) -> Test -> Deploy Commit -> SUNSPOT injects SUNBURST -> Build (Signing) -> Test (SUNBURST stay low) -> Deploy -> SUNBURST’s party time
  • 11. Impact Assessment • More likely espionage purpose, but this is tough to do impact assessment. • In this presentation, I invite you to take a journey with me to picture targeted industry.
  • 12. Malwares on the Desk SUNSPOT (injector) SUNBURST (Beacon) TEARDROP (Loader) RAINDROP (Loader) GoldMax Inside SolarWinds Running at Victims’ Env. SiBot GoldFinder CobaltStrike
  • 13. SUNBURST under X-Ray • The beacon, the backdoor, installed to SolarWinds Orion Platform. • It avoids being launched in any dev. env.
  • 14. SUNBURST under X-Ray The malware use customized FNV-1A hash algorithm to store resources:
  • 15. Malware stays low under these AD domains: It checks antivirus driver/process/service and analysis tool as well. https://github.com/fireeye/sunburst_countermeasures/blob/mai n/hashcat.potfile swdev.local saas.swi emea.sales dmz.local pci.local lab.local apac.lab dev.local swdev.dmz lab.rio cork.lab lab.brno lab.na test Solarwinds SUNBURST was coded like a legitimate class, for example: Encode Process Name in fact Mimicking the legitimate traffic on the Platform
  • 16. SUNBURST under X-Ray • The beacon, the backdoor, installed to SolarWinds Orion Platform. • It avoids being launched in any dev. env. • The callback domain is generated by victim information on DNS protocol. • Stage 1 – on DNS to get the HTTP sever • Stage 2 – on HTTP for the backdoor
  • 17. • There are up to 4 different types (2 encoding x 2 input), giving an example: 57tadh50ha5mr9ah6ee0o6iuir0iwu0c.appsync-api.us-east-1.avsvmcloud.com SUNBURST Callback Protocol Prefix Fixed Random C&C 15 else Encoded GUID Encoded AD domain name 06a4ea63c80ee24a scc.state.va. -> The AD domain can be retrieved by a DNS query! -> Reverse Engineering to decode
  • 18. SUNBURST Callback Protocol • DNS traffic, for those are not running on SSL, is not encrypted • It is possible to gather the domains which were been queried at a certain time by listening the network traffic from the internet backbone. • This dataset is called Passive DNS record.
  • 19. ASSOCIATED [T+AVs] TRUNCATED Backdoor stopped PASSIVE [domain[:15], domain[15:]] Potential Target, Response magic A record Not interesting ACTIVE Backdoor on HTTP [T+AVs + Active bit] Select Target, Response HTTP C&C server at CNAME DGA Encoding method for PASSIVE state DGA Encoding method for ASSOCIATED/ACTIVE state
  • 20. Searching the victims (in PASSIVE mode) 57tadh50ha5mr9ah6ee0o6iuir0iwu0c.appsync-api.us-east-1.avsvmcloud.com m1g39j9sctjtv6m0f6.appsync-api.us-east-1.avsvmcloud.com Prefix Fixed Random C&C 15 else Encoded GUID Encoded AD domain name 06a4ea63c80ee24a scc.state.va. Prefix Fixed Random C&C 15 Encoded GUID 06a4ea63c80ee24a us Add up to scc.state.va.us DGA Encoding method for PASSIVE state
  • 21. Unique entry # PASSIVE 28,737 ASSOCIATED 7,029 ACTIVE 119
  • 22. ASSOCIATED [T+AVs] TRUNCATED Backdoor stopped ACTIVE Backdoor on HTTP [T+AVs + Active bit] Select Target, Response HTTP C&C server at CNAME DGA Encoding method for PASSIVE state DGA Encoding method for ASSOCIATED/ACTIVE state
  • 23. Searching the targets (in ACTIVE mode) 9q5jifedn8aflr4ge3nu.appsync-api.us-east-1.avsvmcloud.com Prefix Fixed Random C&C 8 3 else GUID Meta Running Antivirus 06a4ea63c80ee24a mode=1 active=1 timestamp=2020-05-31 12:00:00 The GUID is mapped to scc.state.va.us DGA Encoding method for ASSOCIATED/ACTIVE state
  • 24. Searching the targets (in ACTIVE mode) scc.state.va.us central.pima.gov mgt.srb.europa fc.gov ddsn.gov phpds.org central.pima.gov Government HQ.FIDELLA lagnr.chevronte xaco.net coxnet.cox.com Energy ng.ds.army.mil nsanet.local Defense corp.qualys.com paloaltonetworks.com logitech.local wctc.msft ggsg-us.cisco.com cisco.com fox.local Tech/CyberSecurity
  • 25. AB (A %verb% B) Target Supplier Attacker Target Afraid of (the insider) Relied on & Afraid of Afraid of Supplier Relied on - Afraid of Attacker Interested in Proxy through -
  • 26. Software Supply Chain While better defense mechanism is deployed, threat actor move their target to the weakest point of supply chain More complicated software -> more complicated supply chain We talk a lot about supply chain, so… What’s the supply chain of you daily used software?
  • 27. Stack Overflow Source Code Library Code Text Book/Doc Copy Code compiler Version Control Static Library Linker Executables CI Release Site Update Dispatch Dynamic library Executables Loader Executing In side your program, do you know where is every component come from? Every step here is possible to be compromised
  • 28. Stack Overflow Source Code Library Code Text Book/Doc Copy Code compiler Version Control Static Library Linker Executables CI Release Site Update Dispatch Dynamic library Executables Loader Executing Stack Overflow Considered Harmful?The Impact of Copy&Paste on Android Application Security(2015)
  • 29. Stack Overflow Source Code Library Code Text Book/Doc Copy Code compiler Version Control Static Library Linker Executables CI Release Site Update Dispatch Dynamic library Executables Loader Executing Malicious event-stream backdoor (2019) Ruby strong_password Backdoor (2019)
  • 34. APTs Utilize Supply Chain Attacks • While most organization gradually enhance their security, adversarial try to compromised the weakest point of partner/supply chain first. ASUS Shadow Hammer(2019) Discovered by Kaspersky ASUS Web Storage(2019) We discover this operation in the same time as ESET
  • 35. APTs Utilize Supply Chain Attacks • While most organization gradually enhance their security, adversarial try to compromised the weakest point of partner/supply chain first. SolarWinds Supply Chain Attack (2021)
  • 36. Highlight TTPs • Supply Chain Attack: Large number of enterprises are potential victims • Compromise DevOps: Keep Stealthy in Develop Environment • Sophiscated Malware: Separate the Malware’s Execution Path • Attacking the Cloud Service
  • 37. Attacking the Cloud Service • Lateral movement from on-premises networks to gain unauthorized access to the victim’s Microsoft 365 environment • Golden SAML Attack • Modify Trusted Domains • Hijack Azure AD Applications • Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365
  • 38. Mitigation • Threat Hunting for Malicious IoCs • FireEye’s Red Team Tool IoCs • SunBurst IoCs • CISA “Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations” • Summary about the IoCs • https://shorturl.at/fxKTV
  • 39. Mitigation • Mandiant Azure AD Investigator • https://github.com/fireeye/Mandiant-Azure-AD-Investigator • CISA “Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services” • https://github.com/cisagov/Sparrow
  • 40. Lesson Learned • While being compromised is hard to avoid, proactive threat hunting and response to the incident. • Communicate and share with security community • Sophiscated APT attacks • Supply Chain Attack • Compromised DepOp Process • Laverage cloud service attacks • Supply chain security will still be the loophole for enterprises’ security • Using threat intelligence, e.g. PDNS, to help us understand threat actor’s targets • Cloud Services become a new attack vector for LM
  • 41. Q&A