Scan. Break in. Persist. Repeat.

Presented at BSides Austin 2016, April 1, 2016, 9:30 a.m. (60 minutes).

Around the last quarter of 2015, we noticed a slight change stemming from a previously reported malicious site. As expected, traffic on the original site had decreased, but similar malicious content was seemingly being served by another site. Such a change is characteristic: it's like jogging around your usual path - you start from somewhere and end up at the same destination, with a slight change in your route. Mapping out 'Operation Black Atlas' was done similarly - we saw that it was PoS malware being served, and it was almost certain that it would end up in a payment processing terminal somewhere. Investigations ran for several weeks, and we were able to uncover how they got in to begin with, and what they had used. When we had enough information, the article was written. After several more weeks of monitoring, we now see that the threat actors are at it again - albeit making a slight detour. This raised questions: What did or did not change? Why do they still persist, and why are they still active? Did we not share enough information? This talk discusses how the malicious activities were most likely carried out, briefly why the approach works, and why it still works even after exposing them.

Presenters:

  • Jay Yaneza
    Applications Developer and System/Network/Database Administrator, specializing in the deployment, configuration and troubleshooting of various Trend Micro products. Particularly interested in projects that involve tools development and in-depth solution formulation for computer networks and hybrid systems. Has worked with a variety of database systems and operating systems over the years. Always interested in the open-source side of the computer industry.
  • Erika Mendoza

Links: