Equation Group : Advanced Secretive Computer Espionage Group

The Equation Group is a highly advanced secretive computer espionage group, suspected by security expert Claudio Guarnieri and unnamed former intelligence operatives of being tied to the United States National Security Agency (NSA). Because of the group's predilection for strong encryption methods in their operations, the name Equation Group was chosen by Kaspersky Lab, which discovered this operation and also documented 500 malware infections by the group's tools in at least 42 countries.This presentation gives an over view in brief based on the Kaspersky Report.

CARBANAK : BANK ROBBERY LIKE NEVER BEFORE

1.  As recent as a week back Carbanak, an APT-style campaign targeting financial institutions has been claimed to have been discovered by the Russian/UK Cyber Crime company Kaspersky Lab who said that it had been used to steal money from banks.The malware was said to have been introduced to its targets via phishing emails and is said to have stolen over 500 million dollars, or 1BN dollars in other reports, not only from the banks but from more than a thousand private customers.The criminals were able to manipulate their access to the respective banking networks in order to steal the money in a variety of ways. In some instances, ATMs were instructed to dispense cash without having to locally interact with the terminal. Money mules would collect the money and transfer it over the SWIFT network to the criminals’ accounts.The presentation brings out the executive summary of Modus Operandi of the Malware as analysed by Kaspersky.

 

2.   Carbanak is a backdoor used by the attackers to compromise the victim's machine once the exploit, either in the spear phishing email or exploit kit, successfully executes its payload.Carbanak copies itself into %system32%\com with the name svchost.exe with the file attributes: system, hidden and read-only. The original file created by the exploit payload is then deleted.

How to detect CARBANAK

One of the best methods for detecting Carbanak is to look for .bin files in the
folder:

..\All users\%AppData%\Mozilla\

The malware saves files in this location that will later be sent to the C2 server when an internet connection is detected.BAT script for detecting infections(Source : here) is given as follows :

@echo off
for /f %%a in ('hostname') do set "name=%%a" echo %name%
del /f %name%.log 2> nul
if exist "c:\Documents and settings\All users\application data\
mozilla\*.bin" echo "BIN detected" >> %name%.log
if exist %SYSTEMROOT%\System32\com\svchost.exe echo "COM
detected" >> %name%.log
if exist "c:\ProgramData\mozilla\*.bin" echo "BIN2 detected"
>> %name%.log
if exist %SYSTEMROOT%\paexec* echo "Paexec detected"
>> %name%.log
if exist %SYSTEMROOT%\Syswow64\com\svchost.exe echo "COM64
detected" >> %name%.log
SC QUERY state= all | find "SERVICE_NAME" | findstr "Sys$"
if q%ERRORLEVEL% == q0 SC QUERY state= all | find
"SERVICE_NAME" | findstr "Sys$" >> %name%.log
if not exist %name%.log echo Ok > %name%.log xcopy /y %name%.log
"\\\logVirus

Operation Cleaver : IRAN a greater Cyber Threat then US/China????

1.    There has been a series of decisive and significant reveals in past few weeks in the field of Cyber Security. REGIN, APT28, Wirelurker and now comes another important report by the name of Operation Cleaver. The report is available here.Some time about a year back in September 2013,the ping pong blame of cyber attacks between Iran-US were made public vide US carrying out proven credentials of IRAN being part of attack in their Navy room. A screen shot of a report then is seen below :

 2.    Now, a US cyber security firm Cylance says it has evidence to prove that the same team has infiltrated not just the Navy, but also various top companies across the globe within the past two years. This report sheds light on the efforts of a coordinated and determined group working to undermine the security of at least 50 companies across 15 industries in 16 countries.

3.  Iran till date has never been considered quite as much of a serious cyber threat to the US as China and Russia have been in recent years. This could prove to be a mistake vide proofs given in this report.The report indicates that state sponsored cyber groups in Iran can be just as severe or even way ahead in terms of offered danger to few countries. Few key points of interest are mentioned below :

-  Victims include companies in the oil and gas sector, the energy industry, airports and the transportation sector, government and defence, and the telecommunications and technology industries.

-   Report believes all the revelations are just the tip of the ice berg and damage extends much ahead of contours identified.

-   About 10 of the victims are based in the US and include a major airline, an energy company, a medical university, and an automobile manufacturer.

-   Many of the other firms targeted by the group are based in Middle Eastern countries like Kuwait, the United Arab Emirates, Saudi Arabia, and Qatar. Cylance also found a significant number of victims in Canada, Germany, England, France, India, Israel, Pakistan, and Turkey.

-  Unlike their Russian and Chinese counterparts, which tend to grab IP and financial data where they can, the Iranian group has mostly avoided stealing such data.

-  The group is scoping networks and conducting reconnaissance as if in preparation for a major assault at some point in the future.

-   Technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort.

- 

APT 28 :Cyber Espionage and the Russian Government?

Russia may be behind a long-standing, careful campaign designed to steal sensitive data relating to governments, militaries and security firms worldwide.This presentation based on a report made public by FireEye (report here)brings an over view of their opinion.....uploaded here just for general info to understand how its all happening in the dynamic and vibrant world of CYBER ..!!!!

Shadows in the Cloud : Cyber Espionage

Uploaded a Presentation on this recently been my fav article to read on Scribd.....

Shadows in the Cloud