Thursday 5 October 15:00 - 15:30, Green room
Alexander Adamov (NioGuard Security Lab)
Anders Carlsson (Blekinge Institute of Technology)
Ukraine has unwillingly found itself the battlefield between hacker group(s) with supposedly Russian roots and the anti-virus industry. This is not the first time that Ukraine has attracted the attention of cybersecurity experts: it suffices to recall the several waves of cyber attacks against the critical infrastructure of Ukraine using the BlackEnergy [1] and Industroyer [2, 3] industrial malware, supposedly created by a Russian hacker group.
This summer, we observed that a supply-chain attack through the M.E.Doc accounting software, which is popular in Ukraine, culminated in the outbreak of the NotPetya ransomware-wiper [4]. During the M.E.Doc campaign, we discovered that attacks were run with the help of several pieces of specially crafted ransomware: XData (an AES-NI clone) [5], WannaCry.NET (a WannaCry clone) [6], and NotPetya (a Petya & Misha & WannaCry clone). It is worth mentioning that the first notable infection through the trojanized M.E.Doc [7], with the XData ransomware, happened in the middle of May, more than a month before NotPetya was launched.
Now we are seeing another ongoing campaign against Ukrainian organizations that follows a similar pattern. First, the attackers hacked the web server of the Ukrainian producer of another piece of accounting software [8] to upload two payloads: the Chthonic (Zeus-based) backdoor, seen in June in the nation-state attack against Ukrainian government institutions [9], and PSCrypt 2, a clone of the GlobeImposter (Globe-based) ransomware [10]. Then they spear-phished the targets to lure them into downloading and installing one of these payloads. We are continuing to work with the victims to find out more about the attack vectors.
In our talk, we'll show the timeline and highlight the patterns behind these attacks, including:
Finally, we'll share our hypotheses as to who is behind the summer attacks in Ukraine.
[2] https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
[3] https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
[4] https://nioguard.blogspot.com/2017/06/eternalpetya-ransomware-analysis.html
[5] https://nioguard.blogspot.com/2017/06/xdata-ransomware-attacked-users-in.html
[6] https://nioguard.blogspot.com/2017/06/one-more-attack-to-ukraine-via-medoc.html
[7] https://nioguard.blogspot.com/2017/07/comparing-medoc-backdoors-in-176-186.html
[8] https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html
[9] https://nioguard.blogspot.com/2017/06/chthonic-trojan-is-back-in-nation-state.html
Alexander Adamov
Alexander Adamov is the founder and CEO of NioGuard Security Lab, which designs open-source sandbox-based solutions and tests security software against targeted attacks and ransomware. As a teacher, he develops and teaches the Advanced Malware Analysis course at universities in Ukraine and Sweden within the EU project ENGENSEC. Alexander has worked for Kaspersky Lab, Lavasoft, Samsung, Mirantis and Acronis, and has spoken at various security conferences and workshops such as Virus Bulletin, Kaspersky Virus Analysts Summit, OpenStack Summit, OWASP, HackIT, and BSides.
Anders Carlsson
Anders Carlsson has 30 years of experience in computer security, network security and digital forensics. He was educated and earned a degree as a Computer Engineer/Lieutenant-Commander specialist in the Submarines of the Royal Swedish Navy, where he worked for 25 years. Since 1999 he has been employed by BTH, Blekinge Institute of Technology, as a senior researcher, where he is responsible for networks, network security, computer security and digital forensics at B.Sc. and M.Sc. levels. He has also been involved in the EU_ISEC project (2007-2013) to develop courses and train law enforcement officers within EUROPOL and BKA (the Federal Police in Germany) in forensics. He was a project manager in BAITSE (Baltic Academic IT-Security Exchange) 2010-2013, a project aimed at exchanging knowledge and harmonizing IT security in academic institutions within Sweden, Latvia, Poland and Ukraine. He continued this work as General Manager for the EU-TEMPUS IV, and founded the project ENGENSEC (Educating NexT Generation IT Security Experts), which will end in November 2017.