Targeted attacks through ISPs

Presented at VB2019, Oct. 3, 2019, noon (30 minutes)

In 2019, we witnessed a rise in the number of cases of targeted malware infections spread via ISPs and service providers. Even when users resort to safe and recommended practices, they are still vulnerable to these more cunning attacks. In this talk, we will discuss the techniques currently in use for these targeted infections and how they abuse user trust on multiple levels. One of the cases we'll discuss leverages custom malware designed to compromise TLS-encrypted communications used in the HTTPS protocol. Via a combination of installing digital certificates on the target's browsers and manipulating the TLS handshake to their own schema, the malware operators are able to distinguish the target's traffic, even after NAT routing, and decrypt it. To mark and distinguish the target's traffic the developers come up with their own technically ingenious mechanisms - by patching the system's PRNG functions. Moreover, ISPs aren't the only service providers being abused for targeted attacks! We will discuss new research into how a national data centre in Asia was used as a similar infection vector. The attackers compromised the data centre where the local government's online services are hosted. Once inside, they not only gained access to multiple government services at once, they were also able to add malicious scripts to government websites to use them for watering hole attacks for further targeted infections. These cunning attacks by truly resourceful attackers highlight that the recommended safe practices for common users are simply not enough. Even when users are cautious enough to resort to official websites, rely on encrypted traffic, and are careful about where they download their programs, they are still falling prey to these dastardly attackers. Where should we place our trust now?

Presenters:

• Denis Legezo - Kaspersky Lab
  Denis Legezo Denis Legezo works as a senior security researcher within Kaspersky's Global Research and Analysis Team (GReAT) and specializes in targeted attacks research. He earned his degree in cybernetics and applied mathematics from Moscow State University in 2002. His diploma topic was directly related to information security. Then he started his career as a programmer in different public and commercial companies. Before joining Kaspersky at the beginning of 2014, he worked as a technical expert for a Russian IT company. He has presented his targeted malware research at RSA Conference, SAS, Virus Bulletin and MBLT Dev.

Links:

• https://www.virusbulletin.com/conference/vb2019/abstracts/targeted-attacks-through-isps
• https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Legezo.pdf

Similar Presentations:

• 32C3 (2015) / #GOIBlocks - Technical observations about recent internet censorship in India
• DEF CON 18 (2010) / Your ISP and the Government: Best Friends Forever.
• Texas Cyber Summit 2019 / BT-1050 Shining a Light on Shadow IT in the Cloud