19. Honeypot Findings
• Highest volume of attacks occurred in Europe
• Attacks against Microsoft DS (SMB, TCP port 445) accounted for over 51% of the overall attack vectors
• Database services have been a consistent target
• 14% of the malware loaded on the honeypots was considered undetectable by AV
• Underscores the importance of a defense-in-depth strategy to secure your enterprise and cloud infrastructure
20. Samples of Malware Detected
If an attacker were using the collected malware to launch an attack against an individual or an enterprise, it would theoretically be run in this order:
1. Ping Sweep
2. Port Reconnaissance
3. Exploit a Vulnerability
4. Check for Shares or Networked Drives
5. Load Malware
6. Load Worm
7. Load Remote Access Trojan for full control
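The early stages of that sequence (ping sweep, port reconnaissance, then a return to file shares) leave a recognisable footprint in perimeter and SMB audit logs, which is where a defender can catch the chain before malware is loaded. The detector below is an added illustration, not code from the deck or from Alert Logic: it reads constructed sample log lines in a hypothetical "time src dst proto dport" format, tracks per source how many distinct hosts were pinged and how many distinct ports were probed on one host, and flags any source whose activity matches the sweep-then-scan-then-share-access order. The thresholds (8 hosts, 10 ports) and the "smb" log event are assumptions chosen for the sample, not values from the presentation.

```python
"""Flag log sources whose activity follows the recon -> scan -> share-access
sequence. Added example; the log format, thresholds and data are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real honeypot data): "<ISO time> <src> <dst> <proto> <dport>"
# 10.9.9.5 pings eight hosts, probes ten ports on 10.0.0.3, then opens an SMB session.
# 10.0.0.50 is ordinary traffic and must not be flagged.
SAMPLE_LOG = """
2014-11-02T10:00:01 10.9.9.5 10.0.0.1 icmp 0
2014-11-02T10:00:02 10.9.9.5 10.0.0.2 icmp 0
2014-11-02T10:00:03 10.9.9.5 10.0.0.3 icmp 0
2014-11-02T10:00:04 10.9.9.5 10.0.0.4 icmp 0
2014-11-02T10:00:05 10.9.9.5 10.0.0.5 icmp 0
2014-11-02T10:00:06 10.9.9.5 10.0.0.6 icmp 0
2014-11-02T10:00:07 10.9.9.5 10.0.0.7 icmp 0
2014-11-02T10:00:08 10.9.9.5 10.0.0.8 icmp 0
2014-11-02T10:01:00 10.9.9.5 10.0.0.3 tcp 21
2014-11-02T10:01:01 10.9.9.5 10.0.0.3 tcp 22
2014-11-02T10:01:02 10.9.9.5 10.0.0.3 tcp 23
2014-11-02T10:01:03 10.9.9.5 10.0.0.3 tcp 25
2014-11-02T10:01:04 10.9.9.5 10.0.0.3 tcp 80
2014-11-02T10:01:05 10.9.9.5 10.0.0.3 tcp 110
2014-11-02T10:01:06 10.9.9.5 10.0.0.3 tcp 135
2014-11-02T10:01:07 10.9.9.5 10.0.0.3 tcp 139
2014-11-02T10:01:08 10.9.9.5 10.0.0.3 tcp 443
2014-11-02T10:01:09 10.9.9.5 10.0.0.3 tcp 445
2014-11-02T10:02:30 10.9.9.5 10.0.0.3 smb 445
2014-11-02T10:00:30 10.0.0.50 10.0.0.3 icmp 0
2014-11-02T10:00:31 10.0.0.50 10.0.0.3 tcp 80
2014-11-02T10:00:32 10.0.0.50 10.0.0.3 tcp 443
"""

# Stage names in the order the slide lists them (share access follows reconnaissance).
CHAIN = ("ping_sweep", "port_scan", "share_access")


def parse_line(line):
    ts, src, dst, proto, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport)}


def detect_stages(log_text, sweep_hosts=8, scan_ports=10):
    """Return {src: [stage names in the order they were first observed]}."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_src[rec["src"]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])          # evaluate events in time order
        stages = []
        icmp_targets = set()                      # distinct hosts pinged by this source
        tcp_ports = defaultdict(set)              # dst -> distinct destination ports probed
        for r in recs:
            if r["proto"] == "icmp":
                icmp_targets.add(r["dst"])
                # The set grows by at most one per event, so this fires exactly once
                # when the distinct-target count reaches the threshold.
                if len(icmp_targets) == sweep_hosts:
                    stages.append("ping_sweep")
            elif r["proto"] == "tcp":
                tcp_ports[r["dst"]].add(r["dport"])
                if len(tcp_ports[r["dst"]]) == scan_ports:
                    stages.append("port_scan")
            elif r["proto"] == "smb" and "share_access" not in stages:
                stages.append("share_access")
        findings[src] = stages
    return findings


def matches_chain(stages, chain=CHAIN):
    """True if every step of `chain` occurs in `stages` in that order (subsequence test)."""
    it = iter(stages)
    return all(step in it for step in chain)


def suspicious_sources(log_text, **thresholds):
    """Sources whose observed stages follow the full recon-to-share-access chain."""
    return sorted(src for src, stages in detect_stages(log_text, **thresholds).items()
                  if matches_chain(stages))


if __name__ == "__main__":
    for src, stages in detect_stages(SAMPLE_LOG).items():
        print(src, stages, "CHAIN MATCH" if matches_chain(stages) else "")
```

The order check matters: a host that legitimately mounts a share and is later port-scanned by a vulnerability scanner produces the same stages in a different order, and the subsequence test leaves it unflagged. Thresholds should be tuned to the environment; a sweep threshold below the size of a typical monitoring job's target list will generate noise.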
25. Tracking and Predicting the Next Move
• He is a guy from a European country (Russia)
• His handle or nick is madd3
• Uses ICQ 416417 as a tool of communication (illegal transactions)
• A simple /whois command on the nick provided us with good information:
- 85.17.139.13 (Leaseweb)
- ircname: John Smith
- channels: #chatroom
- server: irc.private-life.biz [Life Server]
• Check this out: the user has another room, #attackroom4
• We can confirm that Athena version 2.3.5 is being used to attack other sites.
• 2,300 infected users
• Cracked software is available in forums
• As of today, 1 BTC = $618.00 or £361.66
27. Stay Informed of the Latest Vulnerabilities
• Websites to follow
- http://www.securityfocus.com
- http://www.exploit-db.com
- http://seclists.org/fulldisclosure/
- http://www.securitybloggersnetwork.com/
- http://nvd.nist.gov/
- http://cve.mitre.org/
- https://www.alertlogic.com/weekly-threat-report/
28. To Follow our Research
• Twitter:
- @AlertLogic
- @StephenCoty
• Blog:
- https://www.alertlogic.com/resources/blog
• Cloud Security Report
- https://www.alertlogic.com/resources/cloud-security-report/
• Zero Day Magazine
- http://www.alertlogic.com/zerodaymagazine/
29. How Did We Do?
• What did you think of the presentation?
• Please take our brief survey to let us know how we did.
- Survey link: http://bit.ly/1B1fZwn
We appreciate and value your feedback
In 2014, it became abundantly clear that threat intelligence would provide the decisive advantage when protecting your network
Financial crime malware changed the threat landscape, point-of-sale malware became increasingly prevalent, and China-based adversaries continued to proliferate in the targeted intrusion space
Conficker-A – a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE).
Confic-O – a rogue antivirus program designed to steal your personal information and trick you into buying a fake upgrade to the "antivirus"
Agent-UOB – a malicious application that deletes important files and compromises your computer system or network. The malware does not use network resources to spread on its own, but can spread through a network by attaching itself to other worms or viruses
Mal/PWSJJ – A keylogger program that can capture all user keystrokes
Troj/Dload-IK – a Trojan horse that attempts to steal confidential information from the compromised computer. It may also download configuration files and updates from the Internet
In early December 2014, two independent security reports identified a new point-of-sale (PoS) malware with RAM-scraping and Tor capabilities for sale in cybercriminal forums [12]. LusyPoS is currently being advertised for $2,000 and $2,200. Analysis of LusyPo
39 different malicious actors are profiled in this report.