DEF CON 30 - Tomer Bar - OopsSec -The bad, the worst and the ugly of APT’s operations security

41,172 views

DEFCONConference


1 year ago

Advanced Persistent Threat groups invest in developing their arsenal of exploits and malware to stay below the radar and persist on target machines for as long as possible. We were curious whether the same effort is invested in the operational security of these campaigns.
We started a journey researching active campaigns from the Middle East to the Far East, including the Palestinian Authority, Turkey, Iran, Russia, China, and North Korea. These campaigns ranged from state-sponsored, targeted surveillance attacks to large-scale, financially motivated attacks.
We analyzed every technology used throughout the attack chain: Windows malware (written in Go, .NET, and Delphi), Android malware, and C2 servers running on both Windows and Linux.
We found unbelievable mistakes which allowed us to discover new advanced TTPs used by the attackers, for example a bypass of iCloud two-factor authentication and methods for stealing crypto wallets and NFTs. We were able to join the attackers' internal groups and view their chats, bank accounts, and crypto wallets. In some cases, we were able to take down the entire campaign.
We will present our latest breakthroughs from our seven-year mind game against the sophisticated Infy threat actor, who has successfully run a 15-year active campaign using the most secure OpSec attack chain we have encountered. We will explain how they improved their OpSec over the years, and how we recently managed to monitor their activity and could even mount a large-scale misinformation counterattack.
We will conclude by explaining how organizations can better defend themselves.

Comments: 39
@DanMan-mh4kj · 1 year ago
Great presentation, which deserved more time!
@simonstrandgaard5503 · 1 year ago
Awesome presentation and entertaining. I wish it was twice as long.
@ThomasGabrielsen · 1 year ago
Agreed!
@huhulili9021 · 1 year ago
well... technically you could play it at half speed, it would be twice as long...
@naesone2653 · 5 months ago
my gf also wishes that it was twice as long :/
@Ben-is1ng · 1 year ago
Great work & a very good presentation
@Jango1989 · 1 year ago
Brilliant talk!
@FlorianWendelborn · 1 year ago
It’s insane that people as incompetent as these "hackers" are actually somewhat successful.
@petergerdes1094 · 1 year ago
Not totally convinced they are incompetent. Why bother wasting time with security if you don't need it? I'm not convinced that Iranian police are that active in prosecuting phishers, and I suspect it's the kind of place where, if they do go after you, they don't bother with your digital security and just induce a confession. Still, I might want to do a bit more to ensure anonymity in case my malware accidentally hit a bigwig.
@FlorianWendelborn · 1 year ago
@petergerdes1094 Well, leaking your entire phone online is certainly incompetence. And letting others into your private chatrooms is stupid even if you're only worried about competitors finding your exploits and contacts.
@SamTheEnglishTeacher · 1 year ago
Plenty of money to be made outsmarting them - and they're not going to call the cops on you. Have at it if you think you're up to the task. An influx of money will be helpful to cover your energy bills once winter fully arrives.
@Spelter · 1 year ago
@SamTheEnglishTeacher Tbh, I was thinking the same. Getting an anonymous SIM from the Czech Republic is not hard, then find them, get into the groups, get some data and take some money, repeat. The cards will be closed, the VPN you use from a live system without leaving traces is somewhere in Europe, and police can do nothing. But only somebody who has no morals would do that.
@SamTheEnglishTeacher · 1 year ago
@Spelter The question I have is how to find these groups in the first place? Especially at scale?
@garagedoorvideos · 1 year ago
wow 🔥🔥🔥🔥🔥🔥🔥🔥
@WackoMcGoose · 1 year ago
37:37 Obligatory "That's the kind of thing an idiot would use as their luggage combination!"
@LostInTheRush · 1 year ago
So uh, this isn't really APTs, is it now?
@geroffmilan3328 · 1 year ago
APT != OpSec Kings. The time-to-deliver and operation lifespan are important factors when deciding what to secure. And any red team is almost always shit at playing blue team.
@potatoonastick2239 · 1 year ago
The P doesn't stand for professional, they just need to be persistently active to count as APT
@gui-my6nr · 1 year ago
it's open source APT 🤣
@Heffalumpen · 1 year ago
I agree. They are not advanced, nor persistent (on the one target). They are a threat to home users though, so it's still fun to see them get a taste of their own medicine.
@thewhitefalcon8539 · 1 year ago
Now they are basic destroyed jokes
@petergerdes1094 · 1 year ago
At least Iranian phishers are inclusive ;-)
@markblacket8900 · 1 year ago
Murat can't Atak
@thewhitefalcon8539 · 1 year ago
You shouldn't say the Gaza strip actor is doing malicious activity. The USA is aiding a holocaust in the Gaza strip, so the actor you are talking about is probably engaging in self-defence.
@ilaisegev8452 · 1 year ago
Most of the victims were themselves from Gaza according to the talk at 6:09... I don't think that can be considered as self defense...
@thewhitefalcon8539 · 1 year ago
@ilaisegev8452 Well, that's a shame. They should be hacking the USA instead!
@shlomogreengoy · 1 year ago
He wears a small hat what did you expect?
@sycration · 1 year ago
@shlomogreengoy your name is literally Shlomo Goy, based
@josiahsharkey7520 · 1 year ago
That isn't really true that the US is doing that; it is the unelected fascist deep state that needs to be gotten rid of. The police, glowy alphabet fascists, and pretend federal evil Nazis that didn't learn not to use economic warfare after it caused WW2 are all evil fascist criminals that aren't allowed to exist in this country because they are not elected.
@xdman2956 · 1 year ago
.bash_history would be a treat