Botconf Author Listing

Paul Rascagnères


Last known affiliation: Volexity

    
Date: 2017-12-08
Nyetya Malware & MeDoc Connection
Paul Rascagnères 🗣 | David Maynor 🗣

Abstract

On 27 June 2017, a new wormable malware variant surfaced. Talos is tracking this new malware variant as Nyetya. The sample leverages EternalBlue, EternalRomance, WMI, and PsExec for lateral movement inside an affected network. The presentation will be divided into two parts:

  • The first part will describe Nyetya: how it works, the integrated exploits, the DoublePulsar modifications, the “encryption” of the infected systems… This part will focus on the analysis of the malware (reverse engineering).
  • The second part will describe the incident response performed by Cisco Advanced Services Incident Response in Ukraine, focused on the M.E.Doc software. This part will cover the techniques used by the attackers to massively compromise M.E.Doc users. A timeline will be presented and detailed.

PDF
Date: 2016-12-01
How Does Dridex Hide Friends?
Paul Rascagnères 🗣 | Sébastien Larinier 🗣 | Alexandra Toussaint 🗣

Abstract

During an incident, CERT Sekoia investigated fraudulent money transfers. These transfers were made from a French firm’s account to other bank accounts based in different places in Europe. The fraud has been valued at 800 000 euros.
Initially, the bank of the French firm indicted an accountant officer of this firm for making these transfers. The transactions were made with a 2FA authentication process.
CERT Sekoia has demonstrated that the accountant officer’s computer was compromised and that his computer was certainly used to perform these transfers.
The compromise occurred in two stages:

  • First, when Dridex arrived on the computer.
  • Second, when Dridex was used to download another malware (a RAT).

Video
Date: 2014-12-03
Date: 2014-04-12
PDF
Video
Date: 2013-12-06
APT1: Technical Backstage
Paul Rascagnères 🗣

Abstract

Earlier this year, Mandiant published a report about a hacking group called APT1. Paul’s presentation focuses on his own in-depth analysis of this group, based on the information provided by Mandiant. Paul discovered numerous C&C (Command & Control) servers located in China running the same software that is highlighted in the Mandiant report. He managed to penetrate the infrastructure using vulnerabilities identified in the C&C server software. Paul’s research provides a rare insight into the activities and methodologies used by these attackers. This presentation will identify the infrastructure, tools, and malware used by the group to perform unscheduled backups of company data and intellectual property.

PDF
Video