
Jason Smart & APTs vs the world

BSides Perth · 2023 · Published 2023-08

[Applause] ...and I'll explain why in a second. But who I am: so I'm Jason, I work at PwC, don't all boo us at once. I used to work for the train super instructor at, I used to do stuff on the internet for the government, I'll let you work out what that is later. I also used to work for CrowdStrike a very long time ago, when OverWatch was like three or four people, so that dates me. I'm on CREST, which is basically just an intel community kind of function, does fantastic stuff as well. I used to be a Russia analyst, I used to do real work, I used to do the stuff that Tristan and Mountain Dew do now; now I just push papers and talk a lot about ransomware, because all I did was boring things, so here I want to talk about other things than ransomware.

So I work in a team of 35 globally; our job is to help clients find all the bad stuff out there. So we've got some desks: they do China-based stuff, they look at Russia-based stuff, Iran, North Korea, all the fun kind of things. We look at about 27 different countries from a threat perspective. I also wanted to look a bit broader than just Australia, because normally I get caught in everything about "Jason, tell me what the threats to Australian organizations are", and I just have to say ransomware, and then maybe a little bit of OT stuff, and that gets tiring after you've done it 700 times a year. So I'm going to walk through some case studies that we've had a look at. So we're going to talk a little bit about some Chinese APTs, and if anybody has been doing this long enough and knows what PlugX is: I did not want to be speaking about it in 2023, but here we are, what's all good about that. I'll talk a little bit about some cool Russia stuff that we've been seeing, and then I'll finish off with some Iran, a little bit different to some of the other conversations you've had today, and this is more just show and tell. So I'll go from there. Dunk did a talk last year about stuff like animations and transitions, so I've just liberally put some in just to annoy him a little bit.

But look, I'm going to start with what we call Red Delta, which is Mustang Panda. So they are probably a China-based threat actor, probably. They do a lot of stuff, they've been pretty active. A couple of years ago they were using a dropper tool called 8.t, which basically just builds a nice weaponized Word document that you can email to people. What we see them doing now we'll talk about in a little bit, but 2020 to 2021 they had a really big interest in, like, the Vatican and anything to do with religious stuff, so Southeast Asia, Europe, pretty heavy targeting with that stuff. And what they would do is use zip archives, and they'll put a Word document or an executable in that with a nice decoy name, something like "Catholic Church for 80 minutes" or something similar to that; we see a lot of that kind of stuff. And then they would do some classic DLL side-loading, so very different to search-order hijacking, there's a specific technique they'd use, and that's how they got away with a lot of stuff, had some success with that.

January to March they decided to change things up. They went with a zip with an executable, kind of novel, who opens executables these days? Turns out a lot of people in Southeast Asia do that. So what we would typically see here, the slightly different thing here, is before it would literally just be PlugX; they wouldn't even try and obfuscate the fact that there's PlugX. PlugX has been around for like dog years, it's very painful, it's a very good tool, gives you lots of fun stuff to do. But what we saw them do is start to use this thing called a Trident loader. It's basically just a way of loading all of their stuff: it calls, does some side-loading, pulls down a DLL etc., usually from the internet, or from the zip file if it's in there. So super easy to do, but they tried that for a couple of months, it worked for them, and then what we typically see after that is a couple of months later they try something different, because what they're seeing is people start to blog about their stuff. People talk about Mustang Panda all the time, it's a very popular thing on the news blogs.

So we see them chop and change around. So in April, March, May, those kind of time periods, we see them do some stuff with LNK files. So they've gone from "okay, well, the exes weren't working for us anymore because somebody blogged about it", so then "we'll do LNK files". That's usually pretty successful: the LNK file looks like it's a PDF, you open it and off to the races, and again always using this Trident loader. Then ISOs with LNK files, so they would send an ISO attached in an email and use that to do it, so another kind of change. And Mark of the Web comes in and they're now not able to use kind of Word documents and stuff like that, so what they start to do is a little bit different: they go with HTML files. This is kind of the cool stuff now, so they're starting to change away from how they've been lazy before. So I consider the first four bits really lazy: like if you have to zip an executable and send it to somebody and hope that the victim is going to double-click on that and then double-click on the exe and run it, that's pretty lazy, but it's really effective. And so all of this stuff moving forward: the first bit at the beginning is kind of the religious community targeting; all of this new stuff is against Europe now. So they kind of got a tasking order from somebody, somebody in a particular government's going "hey man, really super interested in Europe right now". I mean I can't imagine why in January 2022 you start getting tasking for Europe, interesting, I mean if you're foreign affairs type stuff, right. And so you know we see that, but yeah, Mark of the Web comes in, HTML with this year still does the same stuff, still drops the Trident loader, so pretty consistent techniques all the way through.

Much more interesting than ransomware because the impact is very different. I think we spend a lot of time talking about the impact of ransomware; when you think about it from an espionage perspective it's all very different. It seems like "well, somebody stole my documents, but hey, I've still got all my servers working", so it's kind of slightly different in that perspective. And one of the things I said I would talk about is kind of TTPs and detection opportunities for them. So these are like the most common TTPs that this threat actor uses. Like all their stuff is around kind of getting domains and stuff that look really, I guess, usable, and I'll go into a little bit of detail on what it kind of looks like later. What they do to develop their own malware is pretty much a build-up; these guys aren't really sophisticated enough to do it themselves, they are very good at using something that somebody has told them to use. So we would call this the quartermaster effect: essentially there's a guy from James Bond, Q, that sits in a basement in China somewhere and says like "hey, here are the tools you can go away and use". That's pretty much what they do. Spear phishing: we haven't seen them do much else but spear phish, so all the 365 stuff we talked about before, perfect opportunity to find some of this stuff. PlugX is quite useful because it has built-in sandbox evasion and a few other bits and pieces; it does do some checks for this, so it's a Trident loader. They also do guardrails: so what they'll do is they'll profile first, so when Trident's dropping it down it'll go away and say "actually, what am I looking at, what is this system? Is it a home system, is this a test system, is this Jason turning on his development laptop for the first time in a year or so and actually having a look at it?" Probably. So that's kind of what they're looking for with the guardrails, and then post that, like accessibility, process discovery and other things. Plus the China angle covered.

Let's jump to Russia, Jason's favourite subject. We've been looking at this threat actor; we call it a new kid on the block because nobody else seems to be writing about it, which is kind of nice, and it's pretty, pretty basic in terms of how it is, but they are very successful. So they are really, really interested in government agencies in Ukraine, again, surprise, and they use a lot of ukr.net themed lures, which is basically a government mail server type thing for the Ukraine government, and they make lures like this. This is going to be repeated 100 times through the conference, but this page here you'll see lots. When you look at all the data sets for them, they have really bad opsec though. It's almost like they got told they needed to go and get into mailboxes, and somebody again gave them a run sheet, and then they just never changed it. So when they go and register domains and register infrastructure, it's literally the same infrastructure every single time: it's the same hosting provider, it is the same subnet, so it's like really trivial to find these guys, but they're very successful. So we started looking at like the domain registrar, SSL certificates, and if you put "test" or "tests" in your self-signed certificate, I am going to find you. Because one of the things they did slightly different in this case, they did this thing where they use the same domain and then just chucked the target in front of it, which is super useful. So if you have like a way of searching for domains and you just put in, I don't know, *.gov.au.*, you'll pretty much find a whole bunch of stuff that's targeting Australia, and vice versa; it's pretty common to do some of this stuff. But they just went through this programmatic list of just hitting every single administrative district: a bunch of these are in Kiev, a bunch of these are in contested areas, some of them are like way close to Poland, so it's got a variety of targeting, but there's always something interesting happening at those places, so we kind of kept an eye on it.

We had a look at the phishing page: they've been named bundle.css, so you can start to fingerprint them by that. So you start to map it to the same SSL certificate, to the same registrar, and then you get their other stuff, and then you'll notice a trend, that "desktop security login", so you start looking for that, and then your Maltego graph is like 100 entities and you need a big screen to look at it. But again all of these are running in the same block, same hosting provider, and they all have the same Apache servers running, so pretty much somebody has a script that goes "build me a server, I'll go register these domains, then deploy it, go". I mean templates are good, but if you want to get caught they're really easy to find. So we came across a PDF containing one of the domains, again looks pretty similar to what I was showing before. The gist of that translation is essentially "we found suspicious activity", not that they are the suspicious activity, and they're really interested in getting access to your emails: "if you don't respond and click the link in three days we're going to block your account", not going to happen. But when you do do that you come full circle to "desktop security login" again and "change password ukr", and you start to see the very familiar pages from before, so it all looks the same. If you've got URLScan you can just bang some of this in: you find this page, ekr.gov.ua, and then if you just search for others you'll find their stuff as well, so again another really easy, trivial way to find it. The problem is they might be really easy to find, but they are still very successful, they still get hits, and we've seen some of the logs for some of these things and people log in all the time, people send their credentials, so it's still pretty effective. I mean most of the time they're just after the emails; they don't want any access to servers themselves, they just want the data, fairly straightforward.

We then saw them start to do something slightly different, so I think their tasking may have changed, they were given some other things to go and look at. So they then started targeting Greece, maybe, and then a few other European states, but all the same stuff. So if you can find this initial page you can then navigate to the login screen, and then you can replicate that and find more of them. They literally just picked up the same infrastructure, the same setup, the same configs, and then went "now we're going to go target Greece". So pretty straightforward how they've been doing some of their stuff. Right, cool, five minutes. Easy phishing techniques, sorry, credential phishing, funnily enough, and then JavaScript and some malicious things. The JavaScript is more about profiling the end systems, kind of make sure that you're actually who you say you are sometimes, but it's not super effective.

All right, last one for the day: Yellow Nix, and MuddyWater. I think the US government came out and said it's the Ministry of the Interior, MOIS, something like that, Iranian government. They do some fun stuff, but they also have really bad opsec as well. One of those things that they do is they forget to actually hide their open directories. The other part of the open directories that's fun is that if you can find them, they upload their raw intelligence reports they are writing about the target to that open directory, so you can get some very fun intelligence reports if you speak Farsi. What they typically tend to do though, these guys, they use remote administration tools which they have the credentials for; typically you can buy them on the dark web for like 10 bucks if you wanted to, and that's kind of how they get access to their targets, or they've, sorry, spear phished them and got the creds from there. They also use some commercial stuff as well. Their TTPs change after people blog about them or their reports are published on them, so it's kind of, they are paying attention, they kind of do know who we are, they are looking at it, so I'm fairly unsurprised. When we find their open directories though, it's pretty much just open source tooling for days, so any of the usual tools, stuff like that, and they'll run them on hosts as well. And so yeah, that's kind of what Iran's up to for some of their stuff. They do do some bespoke stuff, but it's not fairly detailed, and like in the screenshot you can see they've basically got a bunch of open source tools that they'll try and use as they go. So these guys are usually pretty successful as well, which is true: you don't have to be super sophisticated to be successful. And some techniques for them, pretty straightforward: keylogging, that kind of stuff. The keylogging is how they write their reports: they basically just deploy a keylogger, wait for a bunch of keystrokes to happen, and then you'll see them start to draft their Word document with their report in it, so that's not fun. And that is it, that is your "I don't want to talk about ransomware", we went through everything that is APT. Questions?

[Applause]

Q: So what steps do you normally take for attributing an attack, other than a political report?

A: Yeah, most of our attribution, you'll see Blue Dev 9, or whatever it is at the moment, come up. We do that because we don't really have a lot of solid attribution; we think it's probably somewhere in that region and we just focus on it, more similar to Mandiant's UNCs, the way they go and do that. When we're trying to do attribution though, like, we're not the government, we're not going to go through attribution and try and work it out. Occasionally we get really lucky and like people do stupid stuff, like their GPS coordinates are there, or like they go and check the weather on a server, that kind of stuff. From our perspective, like, we just try and make sure we've got enough stuff to create a group and say "yeah, this is what we're looking at", and then if we start to see similarities over time then we'll group it together. But attribution's hard and I'll leave that to the government at the back.

Q: [inaudible]

A: Yes and no. Yes, we have seen a bit of it. Has it been successful? Probably not; like hopefully most people have just blocked it, and that was kind of like our advice when it started to happen. But yeah, not so much via APTs, a lot of like commodity crime stuff, certainly, using that, like your ransomware affiliates and a few other bits and pieces. But yeah.

Q: Targeting Australia, or just in general?

A: Just in general. So we found a fun group that we're pretty sure is like a Bosnian threat actor, which was fun, obviously like really locally interested in like [inaudible] and a few other places like that. That's kind of like the niche: like we've got the 27, you start to get to the tail end and you're like "that's real niche, we probably won't look at that too much", but it's interesting nonetheless. I think the one thing we're not very good at talking about from an Australian targeting perspective is, like, we do get hit quite a bit by like APTs, but we tend to talk a lot about breaches, Medicare, Optus, all that kind of, sorry, Medibank, Optus, all that kind of stuff in the media. But nobody ever wants to talk about the fact that we've had one report in like a year from ACSC, like Volt Typhoon, and after that nothing. It's kind of like, well, there's more going on, we should probably talk about that a little bit more. That's my rant on attribution.

[Music]

Q: So from like a ransomware perspective, have we seen people like ransomware their cloud backups and stuff?

A: Yeah, that's fairly frequent, but it's because people don't have segregation in place. They're not thinking about, well, you know, that cloud storage, those cloud buckets, can they get to that, that kind of stuff. So we have seen it, but it's usually pretty detectable. I'm going to stop there because I can see the next gen ready to go. Fine for a bit? Cool, I think it might be the last question.

Q: [inaudible] the least lazy?

A: Yep. The least lazy? You're going to get a super biased answer, because it's me and it's going to be Russia. So there's a couple of Russian threat actors that are like super, super sophisticated and we don't hear a lot about them; it's like APT29, Turla, those kind of two groups. They are like very, very good at what they do and not lazy at all; like they very rarely make opsec mistakes when they do stuff.

Q: [inaudible]

A: Yes and no. So I think the well-funded ones obviously have better tooling, better capacity; they can do things like hire contractors to build their stuff, which provides like a layer of obfuscation. I will say though, if you don't have to spend a lot of money to be successful, why would you, if you can do that in other places? That's typically what we would say. So you know there's obviously like very highly sophisticated, like, you know, like TAO for example, right, like off with the fairies doing crazy stuff, that's really well funded, and then you've got folks like some of the Chinese sets that basically do the same stuff they've been doing for 10 years because it still works, so why invest money in that? Thanks.
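The infrastructure pivoting the speaker describes for the Ukraine-focused credential-phishing cluster (same TLS certificate, same subnet, same phishing-kit bundle.css, "test" in a self-signed cert subject, and the victim's government domain prepended to the actor's own registered name) as a small Python hunting routine. This is an added example, not code from the talk or from PwC; every domain, IP and hash in it is a constructed placeholder and the field names are assumptions about what a passive-DNS / CT-log / URL-scanner export would give you.

```python
import re
from ipaddress import ip_interface

# Constructed sample records (placeholder values, not real indicators).
def rec(domain, ip, cert_subject, cert_sha256, css_hash):
    return dict(domain=domain, ip=ip, cert_subject=cert_subject,
                cert_sha256=cert_sha256, css_hash=css_hash)

RECORDS = [
    rec("kyiv-city.gov.ua.desktop-security-login.example", "203.0.113.21",
        "CN=test", "CERT-A", "BUNDLE-1"),
    rec("lviv-region.gov.ua.desktop-security-login.example", "203.0.113.34",
        "CN=test", "CERT-A", "BUNDLE-1"),
    rec("change-password-ukr.example", "203.0.113.90",
        "CN=tests", "CERT-B", "BUNDLE-1"),
    rec("ministry.gov.gr.desktop-security-login.example", "198.51.100.7",
        "CN=ministry", "CERT-B", "BUNDLE-2"),
    rec("unrelated-shop.example", "192.0.2.5",
        "CN=unrelated-shop.example", "CERT-Z", "BUNDLE-9"),
]

# A real government domain glued in front of the attacker's registered name.
TARGET_PREFIX = re.compile(r"^(?:[a-z0-9-]+\.)*?([a-z0-9-]+\.gov\.[a-z]{2})\.([a-z0-9.-]+)$")

def prepended_target(hostname):
    """Return (victim_domain, attacker_domain) for the lure pattern, else None."""
    m = TARGET_PREFIX.match(hostname.lower())
    return (m.group(1), m.group(2)) if m else None

def opsec_flags(record):
    """Cheap tells from the talk: 'test' in the cert subject, victim domain prepended."""
    flags = []
    if "test" in record["cert_subject"].lower():
        flags.append("placeholder cert subject")
    if prepended_target(record["domain"]):
        flags.append("victim domain prepended to attacker domain")
    return flags

def pivots(record):
    """Artifacts worth pivoting on: TLS cert hash, phishing-kit CSS hash, /24."""
    net = ip_interface(record["ip"] + "/24").network
    return {("cert", record["cert_sha256"]), ("css", record["css_hash"]),
            ("net", str(net))}

def expand_cluster(records, seed_domain):
    """Walk shared pivots transitively from one known page (the Maltego-graph
    exercise from the talk, done in code). Returns the sorted cluster."""
    by_domain = {r["domain"]: r for r in records}
    seen, frontier = set(), {seed_domain}
    while frontier:
        current = frontier.pop()
        seen.add(current)
        keys = pivots(by_domain[current])
        for other in records:
            if other["domain"] not in seen and keys & pivots(other):
                frontier.add(other["domain"])
    return sorted(seen)

def targeted_victims(records):
    """Which real organisations a cluster's hostnames impersonate."""
    hits = (prepended_target(r["domain"]) for r in records)
    return sorted({victim for victim, _ in filter(None, hits)})
```

Starting from one lure, `expand_cluster` pulls in the Greek-themed page through the shared certificate alone, while the unrelated shop never joins; swap the constructed records for a real export and the same three pivots are what you key on.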