The Evolving Threat Landscape

Zheng Bu
Rahul Kashyap
McAfee Labs

Session ID: HT2-106
Session Classification: Intermediate
Agenda

  Vulnerabilities and Exploitation
  Targeted Attacks (APTs)
  Cybercrime Goes Social
  Q&A
Vulnerabilities and Exploitation
2010: Microsoft and Adobe Vulnerabilities Snapshot

  [Chart: Security Patches per year, 2007 to 2010; two series, Microsoft and Adobe; y-axis 0 to 300. Source: McAfee Labs]
2010: High-Profile Zero-Day Vulnerabilities

  CVE-2010-0249: MS10-002 HTML Object Memory Corruption Vulnerability—Operation Aurora
  CVE-2010-2883: Adobe SING Tag Buffer Overflow Vulnerability
  CVE-2010-2884: Adobe Reader, Flash Player Code Execution Vulnerability
  CVE-2010-1297: Adobe Flash Memory Corruption Vulnerability
  CVE-2010-1885: Windows Help and Support Center Vulnerability
  CVE-2010-1240: PDF/Launch Attack—Zeus
  CVE-2010-2568: Windows Shortcut Icon Loading Vulnerability—Stuxnet
  CVE-2010-2729: Print Spooler Service Impersonation Vulnerability—Stuxnet

  Steady increase in attacks targeting client software.
  Adobe and Microsoft were popular exploit victims.
Malware Writers Love Adobe Vulnerabilities

  [Chart: Productivity Application Vulnerability Based Malware - 2010; segments: MS Office (Word, Excel, PowerPoint) and Adobe Reader, Acrobat. Source: McAfee Labs]
Which Adobe App Was Most Exploited in 2010? The Winner Is Reader!

  [Chart: Adobe: Unique Malware Detected in the Wild; segments: Adobe Flash and Adobe PDF. Source: McAfee Labs]
Mitigation vs. Exploitation: a Catch-Up Game

  Stack Overflow Attacks
    -> Stack Canary Checks, Safe SEH
  Heap Overflow Attacks
    -> Heap Safe Unlink
  Shellcode Execution
    -> Data Execution Prevention (DEP/NX)
    -> Address Space Layout Randomization (ASLR)
  JIT Spray, Return Oriented Programming (ROP)
Case Study: CVE-2010-2883
Adobe SING Tag Buffer Overflow Vulnerability

  "Classic" stack overflow
  Exploit does not overwrite return address
  Overwrite pointer in the stack to bypass stack protection

  Source: McAfee Labs
Case Study: CVE-2010-2883
Adobe SING Tag Buffer Overflow Vulnerability

  Use ROP techniques in the shellcode to bypass DEP+ASLR.
  Special staged shellcode for this DLL

  Source: McAfee Labs
DEP+ASLR=Peace of Mind!

  Vulnerability                                                                              Exploitation technique
  Adobe Products Authplay.dll Code Execution [CVE-2010-3654]                                 ROP Shellcode
  Adobe Products Authplay.dll Code Execution [CVE-2010-2884]                                 ROP Shellcode
  Adobe Flash Player, Reader, and Acrobat 'authplay.dll' [CVE-2010-1297]                     ROP Shellcode
  Adobe Reader and Acrobat XFA TIFF Support Code Execution Vulnerability [CVE-2010-0188]     ROP Shellcode
  Adobe Reader 'CoolType.dll' TTF Font Vulnerability [CVE-2010-2883]                         ROP Shellcode
  Adobe Reader and Acrobat 'newplayer()' JavaScript Method Vulnerability [CVE-2009-4324]     ROP Shellcode
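Slides 8 through 11 make one point: DEP and ASLR only pay off when every loaded module opts in, and the ROP shellcode in the table above needs code at predictable addresses, which is what a module without ASLR provides (slide 10's "special staged shellcode for this DLL"). The audit a defender runs is therefore "which of my modules are not opted in?". The script below is an added example, not code from the deck or from McAfee Labs: it reads the DllCharacteristics word from a PE optional header and reports the DEP/NX, ASLR, SafeSEH-related and CFG flags. The three sample images are constructed in memory (header only, not loadable); the flag constants are the documented IMAGE_DLLCHARACTERISTICS_* values.

```python
"""Audit which exploit mitigations a PE module opts into via DllCharacteristics."""
import struct

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification.
DYNAMIC_BASE = 0x0040      # ASLR: image may be relocated at load time
NX_COMPAT = 0x0100         # DEP/NX: image is compatible with non-executable data
NO_SEH = 0x0400            # image declares it uses no structured exception handlers
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
GUARD_CF = 0x4000          # Control Flow Guard

# Offset of DllCharacteristics inside the optional header (same for PE32 and PE32+).
DLLCHARACTERISTICS_OFFSET = 70


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image, or raise ValueError."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts after the signature
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    if size_of_optional < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short")
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):           # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (flags,) = struct.unpack_from("<H", image, opt + DLLCHARACTERISTICS_OFFSET)
    return flags


def mitigation_report(image: bytes) -> dict:
    """Map the flag word to the mitigations a reviewer cares about."""
    flags = dll_characteristics(image)
    return {
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        "no_seh": bool(flags & NO_SEH),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
        "cfg": bool(flags & GUARD_CF),
    }


def loads_at_fixed_address(image: bytes) -> bool:
    """A module without DYNAMIC_BASE loads at its preferred base every time,
    which is exactly the predictability that ROP shellcode relies on."""
    return not mitigation_report(image)["aslr"]


def build_sample_pe(flags: int, pe32plus: bool = False) -> bytes:
    """Constructed, minimal PE header (not loadable) carrying the given flags."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, flags)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed sample modules for the demonstration.
SAMPLES = {
    "hardened.dll": build_sample_pe(DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA | GUARD_CF, pe32plus=True),
    "legacy.dll": build_sample_pe(0),
    "dep_only.dll": build_sample_pe(NX_COMPAT),
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        report = mitigation_report(image)
        note = "  <- no ASLR opt-in, fixed load address" if loads_at_fixed_address(image) else ""
        print(name, report, note)
```

Run against real files by passing `open(path, "rb").read()` to `mitigation_report`; a result with `"aslr": False` in a process that otherwise has DEP and ASLR is the gap the table's ROP shellcode rows illustrate.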
Stealthy Exploitation

  AKA: Harmonious Exploitation ("和谐漏洞利用")
  Qualifications
    No intrusive reconnaissance required
    Application and platform awareness
    Robust exploitation
    No impact on availability of the target service
    No impact on availability of the target application
    Bypassing the security mitigations on the target (GS, DEP, ASLR, etc.)
    Adaptive to complex network environments, scalable, C&C ready
    Network Security Inspection Device evasion
Stealthy Exploitation: Case Study

  Exploits that identify Adobe Reader versions
  Exploits that open a legitimate PDF file on successful exploitation
  Exploits that obfuscate to evade NIPS inspection
Welcome to the "App Store" of Exploit Kits
Crimepack

  Features include
    Tracking website stats
    Regularly updated exploits
    Geo location tracker
    OS stats
    Browser stats
    Test attack before launching
    Success rate
Targeted Attacks (Advanced Persistent Threats)
Case Study: Operation Aurora

  A coordinated attack targeting a rapidly growing list of companies, including Google, Adobe, Juniper, Symantec, and others
  Exploits a zero-day vulnerability in Internet Explorer
  Lures users to malicious websites, installs Trojan malware on systems, uses Trojan to gain remote access
  Uses remote access to gain entry to corporate systems, steal intellectual property (including source code), and penetrate user accounts
Operation Aurora: Modus Operandi

  1. Attack initiated: User with IE vulnerability visits website infected with Operation Aurora malware
  2. Attack in progress: Website exploits vulnerability; malware (disguised as JPG) downloaded to user's system
  3. Attack setup complete: Malware installed on user's system; malware opens back door (using custom protocol acting like SSL) that gives access to sensitive data
Operation Aurora: Exploit

  Payload has multiple levels of obfuscation to disguise the payload
  Payload exploits a zero-day vulnerability in Internet Explorer
  The attack uses heap spray and downloads a fake image—an XOR'ed binary.
  The backdoor is now installed and sends out fake SSL traffic

  [Figure: original obfuscated exploit and de-obfuscated exploit, side by side]
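Two of the Aurora steps above leave artefacts a defender can check for without any signature: a download labelled as a JPG that is really an XOR'ed executable, and "SSL" traffic on 443 that does not start with a TLS record. The script below is an added example, not from the deck or from McAfee Labs, and its inputs are constructed (a header-only fake PE, a made-up key of 0x5A, a few bytes of synthetic traffic), not Aurora artefacts. The slide only says the binary was XOR'ed; the example assumes a single-byte key, the simplest case and the first thing a triage script tries.

```python
"""Triage checks for an XOR-encoded PE posing as a JPEG and for fake-SSL traffic."""

JPEG_MAGIC = b"\xff\xd8\xff"
MZ = b"MZ"
PE_SIG = b"PE\0\0"


def looks_like_jpeg(data: bytes) -> bool:
    """A real JPEG starts with the SOI marker; a 'JPG' that does not deserves a closer look."""
    return data.startswith(JPEG_MAGIC)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_pe(data: bytes):
    """Try every single-byte key and return the one that reveals a PE image:
    'MZ' at offset 0 and the e_lfanew pointer at 0x3C leading to 'PE\\0\\0'.
    Returns None if no key works; key 0 means the PE was not encoded at all."""
    if len(data) < 0x40:
        return None
    for key in range(256):
        head = xor_bytes(data[:0x40], key)
        if head[:2] != MZ:
            continue
        e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
        if e_lfanew + 4 > len(data):
            continue
        # Requiring the second, pointer-dependent landmark keeps false positives rare.
        if xor_bytes(data[e_lfanew:e_lfanew + 4], key) == PE_SIG:
            return key
    return None


def classify_image_download(data: bytes) -> dict:
    """Verdict for a file that arrived labelled as an image."""
    key = None if looks_like_jpeg(data) else find_xor_pe(data)
    return {"jpeg": looks_like_jpeg(data), "xor_key": key,
            "suspicious": (not looks_like_jpeg(data)) and key is not None}


def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record layer: type 0x16 (handshake), version 0x03 0x00..0x04,
    2-byte length, then handshake type 0x01 (ClientHello)."""
    if len(data) < 6:
        return False
    rec_type, major, minor = data[0], data[1], data[2]
    rec_len = int.from_bytes(data[3:5], "big")
    return rec_type == 0x16 and major == 0x03 and minor <= 0x04 and rec_len >= 1 and data[5] == 0x01


# ---- constructed samples for the demonstration ----

def build_fake_pe() -> bytes:
    """Header-only PE image: MZ, e_lfanew = 0x40, then the PE signature. Not loadable."""
    dos = b"MZ" + b"\0" * 58 + (0x40).to_bytes(4, "little")
    return dos + PE_SIG + b"\0" * 16


XOR_KEY = 0x5A                                         # made-up key for the demo
FAKE_JPG_DOWNLOAD = xor_bytes(build_fake_pe(), XOR_KEY)  # what arrived as "image.jpg"
REAL_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32

REAL_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01]) + b"\x00" * 47  # genuine ClientHello framing
FAKE_SSL = b"\x00\x00\x00\x10" + b"\x41" * 16                          # custom framing on tcp/443

if __name__ == "__main__":
    print("image.jpg:", classify_image_download(FAKE_JPG_DOWNLOAD))
    print("photo.jpg:", classify_image_download(REAL_JPEG))
    print("tcp/443 flow A is TLS:", looks_like_tls_client_hello(REAL_TLS))
    print("tcp/443 flow B is TLS:", looks_like_tls_client_hello(FAKE_SSL))
```

The two checks are cheap enough to run on every proxy-logged image download and every new outbound 443 flow; neither depends on knowing the malware, only on the file or protocol failing to be what its label says.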
Cybercrime Goes Social
Abusing Social Networks

  Fake accounts on sale
  Accounts can be used to send spam, phishing, fake products/services, or malicious downloads
  Prices vary depending on the quality of account

  Source: McAfee Labs
"Social" Hacktivism

  2010 had several instances of activist groups launching protests over the Internet
  DDoS seems to be the favorite vector
  Lines between cyberwarfare and hacktivism continue to blur

  Source: McAfee Labs
Operation Payback
Operation Payback

  The attack tool was a modified, public open-source tool called LOIC
  Created a "social botnet" using HIVE mode
  Attack vector is unsophisticated, but has temporary impact on global enterprises
Conclusions

  Client-side attacks are on the rise
  There is no silver bullet for security; all the available known defenses can be bypassed
  Stealthy exploitation makes attacks more difficult to detect
  APTs leverage all of the latest exploitation techniques and are becoming the most severe threats for businesses
  Social networks have been leveraged by attackers and hacktivists
  Do not completely rely on security protection from vendors. Use extreme caution when you surf!

Handwritten Text Recognition for manuscripts and early printed texts
 

Evolving Threat Landscape

  • 1. The Evolving Threat Landscape
       Zheng Bu, Rahul Kashyap, McAfee Labs
       Session ID: HT2-106
       Session Classification: Intermediate
  • 2. Agenda
       Vulnerabilities and Exploitation
       Targeted Attacks (APTs)
       Cybercrime Goes Social
       Q&A
  • 3. Vulnerabilities and Exploitation
  • 4. 2010: Microsoft and Adobe Vulnerabilities Snapshot
       [Chart: security patches per year, 2007 to 2010, Microsoft vs. Adobe; y-axis 0 to 300. Source: McAfee Labs]
  • 5. 2010: High-Profile Zero-Day Vulnerabilities
       CVE-2010-0249: MS10-002 HTML Object Memory Corruption Vulnerability (Operation Aurora)
       CVE-2010-2883: Adobe SING Tag Buffer Overflow Vulnerability
       CVE-2010-2884: Adobe Reader, Flash Player Code Execution Vulnerability
       CVE-2010-1297: Adobe Flash Memory Corruption Vulnerability
       CVE-2010-1885: Windows Help and Support Center Vulnerability
       CVE-2010-1240: PDF /Launch Attack (Zeus)
       CVE-2010-2568: Windows Shortcut Icon Loading Vulnerability (Stuxnet)
       CVE-2010-2729: Print Spooler Service Impersonation Vulnerability (Stuxnet)
       Steady increase in attacks targeting client software. Adobe and Microsoft were popular exploit victims.
  • 6. Malware Writers Love Adobe Vulnerabilities
       [Chart: productivity-application vulnerability-based malware, 2010: MS Office (Word, Excel, PowerPoint) vs. Adobe Reader/Acrobat. Source: McAfee Labs]
  • 7. Which Adobe App Was Most Exploited in 2010? The Winner Is Reader!
       [Chart: Adobe unique malware detected in the wild, Adobe Flash vs. Adobe PDF. Source: McAfee Labs]
  • 8. Mitigation vs. Exploitation: a Catch-Up Game
       Attack                      Mitigation
       Stack overflow attacks      Stack canary checks (GS), SafeSEH
       Heap overflow attacks       Heap safe unlinking
       Shellcode execution         Data Execution Prevention (DEP/NX), Address Space Layout Randomization (ASLR)
       JIT spray and Return-Oriented Programming (ROP) are the attackers' answers to DEP and ASLR.
  • 9. Case Study: CVE-2010-2883 Adobe SING Tag Buffer Overflow Vulnerability
       A "classic" stack overflow.
       The exploit does not overwrite the return address; it overwrites a pointer on the stack to bypass stack protection.
       Source: McAfee Labs
  • 10. Case Study: CVE-2010-2883 Adobe SING Tag Buffer Overflow Vulnerability (continued)
       Uses ROP techniques in the shellcode to bypass DEP+ASLR.
       Special staged shellcode for this DLL.
       Source: McAfee Labs
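The point of slide 9, that a stack cookie does not help when the overflow stops short of the return address and instead clobbers a pointer the function uses before it returns, is shown below in an added example that is not code from the McAfee deck and does not model Adobe's SING table format or the actual CVE-2010-2883 exploit. The record layout (4-byte tag, 2-byte big-endian length, body), the `frame_model` struct standing in for a stack frame, and the handler functions are all constructed for the demo; a real frame layout is compiler-dependent. The vulnerable parser is shown beside its bounds-checked form.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_MAX 16
#define COOKIE  0x5AA5C3C3u

/* Model of a callee's frame. This layout is ours, chosen so the demo is
 * deterministic; a real frame layout is compiler-dependent. The cookie
 * guards the saved return address, but a pointer that lives between the
 * buffer and the cookie, and is used before the epilogue, is not guarded. */
struct frame_model {
    uint8_t   buf[TAG_MAX];      /* fixed-size destination of the tag body */
    void    (*handler)(void);    /* called after parsing, before return   */
    uint32_t  cookie;            /* GS-style stack cookie                 */
    uintptr_t ret;               /* saved return address                  */
};

static int last_handler;                          /* 1 = benign, 2 = attacker's pick */
static void benign_handler(void)   { last_handler = 1; }
static void attacker_handler(void) { last_handler = 2; }   /* stands in for any attacker-chosen address */

static void frame_init(struct frame_model *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->handler = benign_handler;
    f->cookie  = COOKIE;
    f->ret     = 0x400000;                        /* placeholder return address */
}

/* Constructed record format: 4-byte tag, 2-byte big-endian body length, body.
 * Checks only that the body fits inside the record, not the destination. */
static int body_len(const uint8_t *rec, size_t len, uint16_t *out) {
    if (len < 6) return 0;
    *out = (uint16_t)((rec[4] << 8) | rec[5]);
    return *out <= len - 6;
}

/* Vulnerable: the copy length comes from the file, not from the destination. */
int parse_vuln(struct frame_model *f, const uint8_t *rec, size_t len) {
    uint16_t n;
    if (!body_len(rec, len, &n) || n > sizeof *f) return 0;   /* second test only keeps the demo inside the model object */
    memcpy((uint8_t *)f, rec + 6, n);             /* runs past buf once n > TAG_MAX */
    return 1;
}

/* Hardened: the destination size bounds the copy. */
int parse_safe(struct frame_model *f, const uint8_t *rec, size_t len) {
    uint16_t n;
    if (!body_len(rec, len, &n) || n > sizeof f->buf) return 0;
    memcpy(f->buf, rec + 6, n);
    return 1;
}

int cookie_intact(const struct frame_model *f) { return f->cookie == COOKIE; }
int call_handler(struct frame_model *f) { last_handler = 0; f->handler(); return last_handler; }

/* Build a body that fills buf and lands exactly on handler, leaving the cookie
 * and the return address untouched. Returns the record length. */
size_t build_pointer_overwrite(uint8_t *rec, size_t cap) {
    size_t off  = offsetof(struct frame_model, handler);
    size_t body = off + sizeof(void (*)(void));
    void (*target)(void) = attacker_handler;
    if (cap < 6 + body) return 0;
    memcpy(rec, "SING", 4);                       /* tag name borrowed from the slide; the format is not Adobe's */
    rec[4] = (uint8_t)(body >> 8);
    rec[5] = (uint8_t)(body & 0xFF);
    memset(rec + 6, 'A', body);
    memcpy(rec + 6 + off, &target, sizeof target);
    return 6 + body;
}

/* Bitmask: 1 parsed, 2 cookie intact, 4 attacker handler ran, 8 return address intact. */
int demo_vuln(void) {
    struct frame_model f; uint8_t rec[64];
    size_t n = build_pointer_overwrite(rec, sizeof rec);
    frame_init(&f);
    int r = parse_vuln(&f, rec, n) ? 1 : 0;
    if (cookie_intact(&f))       r |= 2;
    if (call_handler(&f) == 2)   r |= 4;
    if (f.ret == 0x400000)       r |= 8;
    return r;
}

/* 1 if the hardened parser rejects the same record and the benign handler still runs. */
int demo_safe(void) {
    struct frame_model f; uint8_t rec[64];
    size_t n = build_pointer_overwrite(rec, sizeof rec);
    frame_init(&f);
    return parse_safe(&f, rec, n) == 0 && call_handler(&f) == 1;
}

int main(void) {
    printf("vulnerable parser: result mask 0x%x (cookie intact, attacker handler ran)\n", demo_vuln());
    printf("hardened parser rejects the record: %d\n", demo_safe());
    return 0;
}
```

The cookie check in `demo_vuln` passes because the overflow never reaches the cookie; control is lost the moment the function calls through `handler`. That is the gap the slide describes, and it is why the follow-on ROP stage on slide 10 is needed only to get past DEP and ASLR, not the cookie. The ROP stage itself is not reproduced here.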
  • 11. DEP+ASLR = Peace of Mind!
       Vulnerability                                                                          Exploitation technique
       Adobe Products Authplay.dll Code Execution [CVE-2010-3654]                             ROP shellcode
       Adobe Products Authplay.dll Code Execution [CVE-2010-2884]                             ROP shellcode
       Adobe Flash Player, Reader, and Acrobat 'authplay.dll' [CVE-2010-1297]                 ROP shellcode
       Adobe Reader and Acrobat XFA TIFF Support Code Execution Vulnerability [CVE-2010-0188] ROP shellcode
       Adobe Reader 'CoolType.dll' TTF Font Vulnerability [CVE-2010-2883]                     ROP shellcode
       Adobe Reader and Acrobat 'newplayer()' JavaScript Method Vulnerability [CVE-2009-4324] ROP shellcode
  • 12. Stealthy Exploitation, AKA "Harmonious Exploitation" (和谐漏洞利用)
       Qualifications:
       No intrusive reconnaissance required
       Application and platform awareness
       Robust exploitation: no impact on availability of the target service or application
       Bypassing the security mitigations on the target (GS, DEP, ASLR, etc.)
       Adaptive to complex network environments, scalable, C&C ready
       Network security inspection device evasion
  • 13. Stealthy Exploitation: Case Study
       Exploits that identify Adobe Reader versions
       Exploits that open a legitimate PDF file on successful exploitation
       Exploits that obfuscate to evade NIPS inspection
  • 14. Welcome to the "App Store" of Exploit Kits
  • 15. Crimepack
       Features include: tracking website stats, regularly updated exploits, geolocation tracker, OS stats, browser stats, test attack before launching, success rate
  • 16. Targeted Attacks (Advanced Persistent Threats)
  • 17. Case Study: Operation Aurora
       A coordinated attack targeting a rapidly growing list of companies, including Google, Adobe, Juniper, Symantec, and others
       Exploits a zero-day vulnerability in Internet Explorer
       Lures users to malicious websites, installs Trojan malware on systems, uses the Trojan to gain remote access
       Uses remote access to gain entry to corporate systems, steal intellectual property (including source code), and penetrate user accounts
  • 18. Operation Aurora: Modus Operandi
       1. Attack initiated: a user with the IE vulnerability visits a website infected with malware
       2. Attack in progress: the website exploits the vulnerability; Operation Aurora malware (disguised as a JPG) is downloaded to the user's system
       3. Attack setup complete: malware is installed on the user's system; it opens a back door (using a custom protocol acting like SSL) that gives access to sensitive data
  • 19. Operation Aurora: Exploit
       Original obfuscated exploit: the payload has multiple levels of obfuscation to disguise it; the payload exploits a zero-day vulnerability in Internet Explorer
       De-obfuscated exploit: the attack uses heap spray and downloads a fake image, an XOR'ed binary. The backdoor is now installed and sends out fake SSL traffic
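Slides 18 and 19 give two network-visible artifacts of Aurora: a download served as a JPG that is really an XOR'ed executable, and a back door that talks a custom protocol dressed up as SSL. The added example below, which is not code from the McAfee deck and does not use Aurora's real key or protocol, shows the two checks a content inspector would run: recover a single-byte XOR key from a PE header hidden in an "image", and test whether the first record of a port 443 flow is a well-formed TLS ClientHello. The sample image bytes, the XOR key 0x5A, and the two handshake byte strings are constructed for this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- 1. Is this "image" an XOR'ed PE? ---- */

/* Read a little-endian 32-bit value, un-XORing each byte with k. */
static uint32_t le32_xor(const uint8_t *p, uint8_t k) {
    return (uint32_t)(p[0] ^ k) | (uint32_t)(p[1] ^ k) << 8 |
           (uint32_t)(p[2] ^ k) << 16 | (uint32_t)(p[3] ^ k) << 24;
}

/* Returns the one-byte XOR key (0 means a plain PE) if buf decodes to a PE
 * image, else -1. A one-byte key is fixed by the first byte (key = buf[0] ^ 'M'),
 * so it is derived and then verified against the rest of the header. */
int xor_pe_key(const uint8_t *buf, size_t len) {
    if (len < 0x40) return -1;
    uint8_t k = buf[0] ^ 'M';
    if ((buf[1] ^ k) != 'Z') return -1;
    uint32_t e_lfanew = le32_xor(buf + 0x3C, k);
    if (e_lfanew > len - 4) return -1;            /* "PE\0\0" must lie inside buf */
    const uint8_t *sig = buf + e_lfanew;
    if ((sig[0] ^ k) != 'P' || (sig[1] ^ k) != 'E' || (sig[2] ^ k) != 0 || (sig[3] ^ k) != 0)
        return -1;
    return k;
}

/* A real JPEG starts with the SOI marker FF D8 FF. Magic alone proves little,
 * which is why the PE check above does not trust it. */
int has_jpeg_magic(const uint8_t *buf, size_t len) {
    return len >= 3 && buf[0] == 0xFF && buf[1] == 0xD8 && buf[2] == 0xFF;
}

/* Constructed sample: a minimal PE header XOR'ed with key, standing in for the
 * downloaded fake image. Writes 0x48 bytes and returns that length. */
size_t make_xor_pe_sample(uint8_t *out, size_t cap, uint8_t key) {
    const size_t n = 0x48;
    if (cap < n) return 0;
    memset(out, 0, n);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = 0x40;                             /* e_lfanew -> 0x40 */
    out[0x40] = 'P'; out[0x41] = 'E';             /* "PE\0\0" */
    out[0x44] = 0x4C; out[0x45] = 0x01;           /* Machine = 0x014C (i386) */
    for (size_t i = 0; i < n; i++) out[i] ^= key;
    return n;
}

/* Constructed: the first bytes of a genuine JPEG/JFIF file. */
const uint8_t jpeg_head[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00 };

/* Key recovered from the constructed fake image (0x5A), or -2 if the sample
 * unexpectedly carried JPEG magic. */
int demo_fake_image_key(void) {
    uint8_t sample[0x48];
    size_t n = make_xor_pe_sample(sample, sizeof sample, 0x5A);
    return has_jpeg_magic(sample, n) ? -2 : xor_pe_key(sample, n);
}

/* ---- 2. Does a flow on port 443 really start with a TLS ClientHello? ---- */

/* Heuristic for the first record of a client flow: content type 0x16
 * (handshake), version 3.x, record length within the TLS bound, handshake
 * type 0x01 (client_hello), and a handshake length that fills the record.
 * A ClientHello split across records (rare, very large) would be rejected. */
int looks_like_client_hello(const uint8_t *p, size_t len) {
    if (len < 9) return 0;
    if (p[0] != 0x16 || p[1] != 0x03 || p[2] > 0x04) return 0;
    size_t rec_len = ((size_t)p[3] << 8) | p[4];
    if (rec_len < 4 || rec_len > 16384 + 2048) return 0;
    if (p[5] != 0x01) return 0;
    size_t hs_len = ((size_t)p[6] << 16) | ((size_t)p[7] << 8) | p[8];
    return hs_len + 4 == rec_len;
}

/* Constructed samples: the start of a real ClientHello (TLS record wrapping a
 * 43-byte handshake body) and a custom protocol that only borrows the record header. */
const uint8_t real_hello[] = { 0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B, 0x03, 0x03 };
const uint8_t fake_hello[] = { 0x16, 0x03, 0x01, 0x00, 0x20, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 };

int main(void) {
    printf("fake image XOR key: 0x%02x\n", demo_fake_image_key());
    printf("genuine JPEG head: jpeg=%d pe_key=%d\n",
           has_jpeg_magic(jpeg_head, sizeof jpeg_head), xor_pe_key(jpeg_head, sizeof jpeg_head));
    printf("real ClientHello: %d, fake SSL: %d\n",
           looks_like_client_hello(real_hello, sizeof real_hello),
           looks_like_client_hello(fake_hello, sizeof fake_hello));
    return 0;
}
```

Both checks are deliberately cheap enough to run inline on a proxy or sensor. The XOR check covers only single-byte keys, which is what a header-derived key can recover in one step; a multi-byte or rolling key needs a different approach. The ClientHello check does not authenticate anything; it only flags a port 443 flow whose first record is not the handshake a real TLS client would send, which is the signal the slide's "custom protocol acting like SSL" leaves behind.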
  • 20. Cybercrime Goes Social
  • 21. Abusing Social Networks
       Fake accounts on sale
       Accounts can be used to send spam, phishing, fake products/services, or malicious downloads
       Prices vary depending on the quality of the account
       Source: McAfee Labs
  • 22. "Social" Hacktivism
       2010 had several instances of activist groups launching protests over the Internet
       DDoS seems to be the favorite vector
       Lines between cyberwarfare and hacktivism continue to blur
       Source: McAfee Labs
  • 23. Operation Payback
  • 24. Operation Payback
       The attack tool was a modified, public open-source tool called LOIC
       Created a "social botnet" using HIVE mode
       The attack vector is unsophisticated, but has a temporary impact on global enterprises
  • 25. Conclusions
       Client-side attacks are on the rise
       There is no silver bullet for security; all the available known defenses can be bypassed
       Stealthy exploitation makes attacks more difficult to detect
       APTs leverage all of the latest exploitation techniques and are becoming the most severe threats to businesses
       Social networks have been leveraged by attackers and hacktivists
       Do not rely completely on security protection from vendors. Use extreme caution when you surf!