8. 14 OF APRIL
WikiLeaks publishes Vault 7 from Shadow Brokers
Exploit: EternalBlue
Backdoor: DoublePulsar
9. 23 OF APRIL
Warning: Drop everything and patch all the Windows things now!
DoublePulsar via EternalBlue MS17-010
3% of Internet-facing Windows hosts were hacked
18. TECHNIQUES, TACTICS AND PROCEDURES
Pentest-style attack
Massive breach post processing
Target selection and profiling
Black market
Remote access
Insiders
Passwords
Drops
Organized activity
19. The case of the
https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx
20. OOPS, THEY DID IT AGAIN
Domain controllers under control since 2013
psexec for lateral movement
Steganography for C2 communications
Checks for (only) Qihoo 360 AV
3 days to "do it again" after cleanup
• Trusted domain in a subsidiary company
• Overseas branch
• Backdoor VPN channel
21. THEY NEVER GIVE UP
You don't have to be a target to be a victim
Supply chain attack
Multiple C2 channels
Malware-less attacks
Server-side implants
Taidoor / Whitewhile
Poisoned Flight / Elirks
PlugX / ZeroT
TropicTrooper
22. KATA IMPLEMENTATION STATISTICS
78 installations in critical infrastructure
Government
FSI
Media
Utilities
Active targeted attacks
Espionage 55%
Criminal 45%
[Chart: active targeted attacks by type (Espionage, Criminal, Random); y-axis 0% to 120%]
35. FROM THE OTHER SIDE OF THE FENCE
https://securelist.com/blog/virus-watch/74150/plugx-malware-a-good-hacker-is-an-apologetic-hacker/
http://blog.ptsecurity.com/2016/12/cobalt-how-criminals-hacked-atms.html