dissection of a Cyber- Espionage attack

More documents

Recommendations

Info

The Attack #RSAC
The attack strategy How they break-in The attack started from a targeted spear-phish campaign against the participants of the 2014 Farnborough Air Show. The attack has targeted 7 officials of Air Force (AM) and 2 official of the Navy (MM) the email domain source was: “militaryexponews[.]com” The attack exploit a Microsoft Word vulnerability (CVE-2015-2424). Only in two cases the attack completes successfully for the attacker. In seven cases, the exploit, despite successfully detonated, was not able to start the infection because the machines lack direct Internet access (proxy blocked connection attempts). The reconstruction of the first stage has been performed after the creation of a proper set of IOCs starting from the infected systems. #RSAC
Page 1 and 2: SESSION ID: CTT-W08 Evolving Threat
Page 3 and 4: Agenda What we discuss today Today
Page 5 and 6: The target: the moat without water
Page 7: The target: the moat without water
Page 11 and 12: Attack Overview: End of First Wave
Page 13 and 14: Attack Overview: End of Second Wave
Page 15 and 16: The attack strategy The infection p
Page 17 and 18: Pwning the core: CVE-2015-1701 AKA
Page 19 and 20: Patient Zero How the victim discove
Page 21 and 22: Patient Zero consequences How the a
Page 23 and 24: What we can bring to the table? #RS
Page 25 and 26: Actionable IoCs What our methodolog
Page 27 and 28: Investigation: first step The Custo
Page 29 and 30: Our investigation Our approach tail
Page 31 and 32: APT 28 Tools APT 28 Tools seen in t
Page 33 and 34: APT 28 Tools CORESHELL ATTRIBUTION
Page 35 and 36: APT 28 Tools EVILTOSS ATTRIBUTION B
Page 37 and 38: APT 28 Tools CHOPSTICK CHOPSTICK i
Page 39 and 40: The attack strategy IOC: C2 list T
Page 41 and 42: Conclusion What I can suggest It i
Page 43 and 44: #RSAC

dissection of a Cyber- Espionage attack

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?