The (Speculative) Future of APTs
Kade Morton
Kade Morton
• Bachelor of Arts Criminology and Criminal Justice
• kademorton@protonmail.com
• Security Consultant

Experience
• Certification and Accreditation
• Incident response
• Open source intelligence investigations

Employment
• Wellington based security firm
• Wide range of security services
• Clients in government, telecommunications and financial

Why listen to me?
• I wanted to understand the online landscape
     • Surveillance seemed key
     • Conducted by corporations (advertising) and governments (spying)
     • Created Panopticon Project June 2017
     • https://github.com/Panopticon-Project
     • Two years later I have roughly 170 repos, most on APTs
     • Samples of malware, IOCs, technical writeups
     • Want to create machine readable information on APTs

    TL;DR: I’m a security consultant who hoards information on APTs

Agenda
   01   What is an APT?
        With a real-world example

   02   What problems do APTs face?
        They are substantial…

   03    Where are APTs going?
         Mostly automation

What is an APT?
With a real-world example

Definition
• Advanced Persistent Threat
    • Hacking crews generally (not always) state sponsored
    • Generally (not always) interested in information or infrastructure, not money

Real world example
• Dark Caracal
    • Found by EFF and Lookout
    • Attribution chain: malware > C&C servers > Apache stats > server logs > IP addresses accessing admin URLs > a particular telecom > malware tracked the wireless networks victims connected to > the first wireless network seen for dummy data was BLD3F6 > found the building
    • Due to the wide range of targets, believed to be a for-hire company
    https://www.lookout.com/info/ds-dark-caracal-ty

Dark Caracal resources
• Domains
• Websites
    • Fake Google login
    • Fake Facebook login
    • Fake Twitter login
• C&C servers
• Malware
    • Remote Access Trojans (RATs)
         •   Windows, Mac, Linux
         •   Remote access
         •   Screenshots, turn camera on, access files, exfiltrate, spawn shells
         •   Example https://github.com/quasar/QuasarRAT
    • Mobile malware
         •   Trojanised encrypted chat apps
         •   Work just like the real app, and turn mic on, take screenshots, steal text messages, steal 2FA tokens
• Personas
    • Facebook Groups
         •   Watering hole for articles sharing links to trojanised apps
    • Facebook profiles
         •   Used to message targets, liked Facebook Group

How do APTs operate?
• Generally…
    • Request for intelligence
    • Gather data
    • Processing, translation and evaluation for reliability
    • Produce an intelligence report
    • It can be a bit dry

You get a request. Figure out your targets, then get access to collect
    • Spear phishing
        • Emails posing as activists
        • Word doc and pdf attachments, macros install malware from C&C server
    • Text messages
        • Texts posing as activists
        • Links to trojanised messaging apps
        • Secureandroid.info
    • Facebook messages
        • Link to Facebook page > links to trojanised apps
        • Send spear phishing documents
    • Physical access
        • Some first texts “I just got my phone back.”
        • Example https://github.com/motherboardgithub/bxaq
        • Not covering

    Dark Caracal had 81 GB of exfiltrated data on one server, and there were multiple servers

What problems do APTs face?
They are substantial…

I got 99 problems…
• And these are some:
   •   Targeting / surveillance is laborious
   •   People
   •   Getting burned
   •   Resources

Targeting / Surveillance is laborious

• Espionage = targeted surveillance
    • There is no oversight of external espionage, but there is oversight of internal surveillance
    • There have been some big failures

People
• We can look at external espionage
   • Just the main ones recently:
       • Edward Snowden leaked information on NSA operations and capabilities
       • Chelsea Manning leaked military and diplomatic documents
       • David Petraeus, former U.S. General and later head of the CIA, leaked classified information to a biographer he was having an affair with
       • Reality Winner leaked information on Russian interference in 2016 Presidential elections
       • Harold T. Martin stole 50 TB from NSA, may be the source of TheShadowBrokers
       • Nghia H. Pho may also be source of TheShadowBrokers

    Stewart Baker, general counsel for the NSA in the 1990s: “It’s also discouraging that the NSA apparently still hasn’t figured out a good way to find unreliable employees who are mishandling some of their most sensitive stuff. We all thought [Martin] got caught by renewed or heightened scrutiny, and instead it looks as though he got caught because he was an idiot.”
    https://www.politico.com/story/2019/01/09/russia-kaspersky-lab-nsa-cybersecurity-1089131

Getting Burned
• APTs often build their own tools/malware
    • Requires developers, research, time, money
    • Code management, can’t use GitHub
    • 0 days, research/money
    • Tools/malware have to work on some very old/esoteric systems
    • Have to work with patches
    • Things need to be backward compatible
    • One writeup on a detected tool and you’re back to square one

    How Very APT:
    https://www.youtube.com/watch?v=wP2J9aYM6Oo

Resources
• You need money and people
    • Develop and maintain tools
    • Hackers
    • Translators
    • Analysts
    • People to oversee operations
    • Managers for all of these
    • Global information security skills shortage
    • Private sector pays better than public

    How Very APT:
    https://www.youtube.com/watch?v=wP2J9aYM6Oo

Where are APTs going?
Mostly automation

Caveats

• Some of this is theoretical
• Automating espionage is a bad idea
• Someone will try it
• People already are trying it
• We should understand it to defend against it

I got 99 problems…

• And these aren’t one:
    • Targeting / surveillance is laborious – scale through automation
    • People – minimise through automation
    • Getting burned – generate tools through automation
    • Resources – minimise through automation

Basic Infrastructure

Automating domain registrations
• Domain generation algorithms exist, but these are vulnerable to detection…
• This is simple and contextual to victims!
    • CeWL – spiders a given URL, returns word lists
    • John the Ripper – mutates word lists
    • Use common substitutions or other alphabets
    • Everyday.com and Everуday.com are actually two different URLs
    • Latin y is Unicode code point 121 (U+0079); Cyrillic у is U+0443 (decimal 1091)
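The defender's side of the Everyday.com / Everуday.com point is telling the two apart before a user does. The following is an added example, not code from the talk: it flags a domain whose letters mix Unicode scripts, reduces it to an ASCII "skeleton" via a small constructed confusables table (a subset, not Unicode's full confusables list), and decodes punycode (xn--) labels first so the check sees the rendered characters.

```python
"""Added example for the look-alike-domain slide (not code from the talk).

Flags a domain whose letters mix Unicode scripts (Latin + Cyrillic, as in
Everyday.com vs Everуday.com) and reduces it to an ASCII 'skeleton' so it can
be compared with the brand it imitates.  CONFUSABLES is a small constructed
table, not Unicode's full confusables list; punycode (xn--) labels are decoded
first so the check sees the rendered characters."""
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin letters.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U (U+0443 = 1091), the slide's example
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}


def script_of(ch: str) -> str:
    """Script of a letter, taken from the first word of its Unicode name."""
    if not ch.isalpha():
        return "COMMON"          # digits, '-' and '.' belong to no script
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def to_unicode(domain: str) -> str:
    """Decode punycode labels; leave already-Unicode input untouched."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def analyse_domain(domain: str) -> dict:
    """Return the script set, an ASCII skeleton and two boolean verdicts."""
    u = to_unicode(domain.strip().lower())
    scripts = {script_of(ch) for ch in u} - {"COMMON"}
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in u)
    return {
        "unicode": u,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "skeleton": skeleton,
        "lookalike": skeleton != u,   # True when a confusable was substituted
    }


def codepoints(label: str) -> list:
    """(character, decimal, U+hex) for each character, as on the slide."""
    return [(ch, ord(ch), f"U+{ord(ch):04X}") for ch in label]


if __name__ == "__main__":
    for d in ["everyday.com", "ever\u0443day.com"]:
        print(d, analyse_domain(d))
    print(codepoints("y\u0443"))
```

Comparing the skeleton against a list of your own brands (rather than the raw string) is what catches the substitution; the mixed-script flag alone would miss a label written entirely in Cyrillic confusables.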

• Registering domains
    • Bots can send and respond to emails
    • Bots can register new domains, renew domains and certificates, or let them expire if they have been burned
    https://docs.microsoft.com/en-us/azure/bot-service/bot-service-channel-connect-email?view=azure-bot-service-4.0
    https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/bots/bot-conversations/bots-conversations

Automating phishing page creation

• Website cloning
   • View source
   • Copy source
   • Change “action=” to a script that captures credentials
   • Host both the cloned site and the credential script on a webserver
   • Social Engineers Toolkit (SET) automates this

Automate C&C server generation

• Many solutions for spinning up servers on command
    • https://www.openstack.org/ is an open source option

Tying it all together
• Open source tools for:
   • Generating wordlists from sites
   • Mutating wordlists to create phishing domains
   • Creating phishing pages
   • Bots for sending emails
   • Spinning up C&C servers

• Integrate this with:
    • Domain registration
    • Bulletproof hosting
    • Certificate vendors

Malware and Tools

Automating software development
• We are almost there
    • January 2017 “AI Software Learns to Make AI Software”

Progress in artificial intelligence causes some people to worry that software will take jobs such as driving trucks away from humans. Now leading researchers are finding that they can make software that can learn to do one of the trickiest parts of their own jobs—the task of designing machine-learning software. Google Brain’s researchers describe using 800 high-powered graphics processors to power software that came up with designs for image recognition systems that rivaled the best designed by humans.

https://www.technologyreview.com/s/603381/ai-software-learns-to-make-ai-software/

Automating software testing
• This is stock standard
   • Microsoft Patch Tuesday is your enemy
   • FUZZBUNCH was an offensive tool, but fuzzing started as a testing tool
   • No reason to think automated testing isn’t used by APTs today
   • May even get to a point where AI defines the test cases

Automating the malware
• Blackouts caused by hackers were sci-fi until 2015
    • Ukraine suffered a blackout reportedly caused by Sandworm/Telebots
    • Spear phished power companies with Word documents that ran BlackEnergy > moved laterally > compromised VPN > remote access to industrial control network > set up a complete clone network with the same software / compromised IT helpdesk to remote into the control network > manually switched off circuit breakers > bricked substation serial-to-ethernet converters, locking legitimate operators out.
    • More than 50 distribution stations knocked out.
    • Highly manual
    • 2016, CrashOverride: scan the network, launch at a preset time, automatically control circuit breakers without an internet connection
    • One transmission station hit, which carries more power than 50 distribution stations
    • Completely automated

    https://www.wired.com/story/russian-hackers-attack-ukraine/

Generating Content

Automating Content
• Humans have been creating propaganda for years
    • https://www.buzzfeednews.com/article/maxseddon/documents-show-how-russias-troll-army-hit-america
    • We can now automate troll farms
    • August 2019 “JPMorgan Chase has an AI copywriter that writes better ads than humans can”

In tests, JPMorgan Chase found that Persado’s machine-learning tool crafted better ad copy than its own writers could muster, as measured by the higher click rates—more than double in some cases—on digital ads for Chase cards and mortgages. In one such matchup, an ad written by a human read, “Access cash from the equity in your home.” The more successful version, from Persado, read, “It’s true—You can unlock cash from the equity in your home.”

Generating Conversation

SNAP-R
• Social Network Automated Phishing with Reconnaissance
    • Automated spear phishing on Twitter
    • This was released in 2016
    • Scrapes a Twitter profile, then tweets at you with a malicious link
    • Uses Markov chains or long short-term memory (LSTM)
    • Markov chains use the probability of word transitions to generate text
    • Imperfect but language agnostic
    • “I” 50% > “like” 50% > cake / “I” 10% > “cake”
    • LSTM – artificial recurrent neural network architecture
    • Better, but needs training and is language specific
    • 17% clicks after 2 hours, 30-60% after 2 days
    • In 2 hours, human = 129 targets and 49 clicks, SNAP-R = 819 targets and 275 clicks.

Processing and Analysis

Automatically processing information
• Medicine also has the problem of sorting through lots of data

“Recruiting the right patients for clinical trials is often a difficult, time-consuming process. Typically, researchers manually screen EHRs (electronic health records) to find appropriate study candidates—it can be an inefficient clinical trial recruitment process that yields poor results in terms of identifying patients who meet the eligibility criteria.”

•   July 2019, ACTES
•   Extracts structured information such as patient demographics
•   Extracts unstructured data from clinical notes
•   APTs have no idea what form information will come in

https://www.healthdatamanagement.com/news/ai-helps-find-clinical-trial-candidates-at-cincinnati-childrens

Automatic translation
• The information you gathered probably won’t be in your language
    • Off the shelf products perform translation right now
    • IBM Watson can translate one language to another
    • Supported file types: MS Office, Open Office, PDF, HTML, JSON, TXT and XML.

https://www.ibm.com/watson/services/language-translator/

Automatic report writing
• This now needs to be written up into a report, of which only the executive summary will ever be read...
    • The Washington Post uses Heliograf to write automatically generated reports based off datasets.
    • Examples: Olympic medal wins, election coverage
    • The Associated Press uses software to generate reports on corporate earnings
    • Off the shelf solutions as well
    • Need to make the jump to unstructured datasets

Further thoughts

Self healing
• As basic opsec I have a Google Alert on my own name
    • I know when Google indexes a new instance of my name
    • Create a search engine searching for your domains, IP addresses, code snippets etc.
    • When it detects one, delete it and create a new one
    • In theory could spin up entire new infrastructure and malware for every single operation
    • AV signatures / blacklists are a thing of the past
    • Social media accounts are still an issue, can’t backdate

Can we do better than brute forcing the targeting problem?
   • Maybe
      • Crime forecasting
      • Traces people’s ties to gang members and criminal histories, scans social media, and predicts the likelihood of committing crime
      • Palantir sells crime forecasting to law enforcement and intelligence agencies
      • In use now
      • However, multiple studies claim it is ineffective

   https://www.theverge.com/2018/2/27/17054740/palantir-predictive-policing-tool-new-orleans-nopd

Summary

We now have…
• The basic requirements of an APT
   •   Domains
   •   Bots for answering emails and engaging with targets on social media
   •   Phishing pages
   •   C&C servers
   •   Malware
   •   Tools (if we even need them…)
   •   Content for posting to watering holes and advertising malicious links
   •   Can process data
   •   Can write reports

   All automated.
   A lot of this already exists.

I got 99 problems…
• And these aren’t one:
   • Targeting / surveillance is laborious – scale through automation
   • People – minimise through automation
   • Getting burned – generate tools through automation
   • Resources – minimise through automation
   • This is potentially what blue teams have to fight

Any questions?

   Kade Morton
   kademorton@protonmail.com
   @cypath
