Shout-out to whoever went to Black Hat and had North Korean malware on their PC

The folks tasked with defending the Black Hat conference network see a lot of weird, sometimes hostile activity, and this year it included malware linked to Kim Jong-un's agents. In their second year of helping protect the infosec event's Network Operations Center (NOC), IronNet's team said it flagged 31 malicious alerts and …

  1. ThatOne Silver badge

    Malware at Black Hat?

    Well, I'm not of the profession, but I think if I was a malware creator I would definitely configure my tools to lay low and stay silent at and around events like Black Hat. After all, it's the place they're most likely to get discovered, analyzed and dissected, and you'd certainly prefer your precious tools remain under the radar and thus operational for as long as possible, wouldn't you?

    Sounds to me like trying to pick pockets during a police charity.

    1. iron Silver badge

      Re: Malware at Black Hat?

      > Sounds to me like trying to pick pockets during a police charity.

      A police charity what? Ball, gala, fun run, minority beating contest?

      1. ThatOne Silver badge

        Re: Malware at Black Hat?

        Whatever, any event full of policepeople likely to pounce at the slightest sign of a misdemeanor.

      2. Anonymous Coward

        Re: Malware at Black Hat?

        > minority beating contest?

        I wasn't expecting that one. Up voted for inappropriate humour.

        1. ICL1900-G3

          Inappropriate

          I think recent events all over the world have shown it not to be at all inappropriate.

    2. An_Old_Dog Silver badge

      Re: Malware at Black Hat?

      An alternative view is that BlackHat would be a great place to test the effectiveness of a new piece of malware.

      1. ThatOne Silver badge

        Re: Malware at Black Hat?

        > test the effectiveness of a new piece of malware

        The proof of the pudding is in the eating, and the effectiveness of malware is in the money it makes you when you use it.

        The only reason to taunt researchers with it would be bragging rights, and I think we're past that childish behavior nowadays: Now it's all about profitability, and that dictates you keep your money maker as far from those researchers as possible, for as long as possible. I'd assume. *shrug*

        1. An_Old_Dog Silver badge

          Re: Malware at Black Hat? -- Not Taunting

          No, the point would not be to taunt the BH participants. The point would be to infect the BH-goers' machines and have the infection go unnoticed. If it was noticed, the malware-writers know they've failed, and go back to the drawing board to make the next, more-effective version.

          The reason for them not simply unleashing their v1.0 version on their target is that if they fail, the target is alerted, and would prepare for version 2.0, making the malware writers' job harder.

          This all presumes the malware writers are targeting their malware at specific organizations, vs doing just a "spray and pray" attempt to infect as many random PCs as they can.

          1. ThatOne Silver badge

            Re: Malware at Black Hat? -- Not Taunting

            > The point would be to infect the BH-goers' machines and have the infection go unnoticed.

            What for? You've spent an awful lot of time and brain on something, and instead of using it to make a profit, you simply go on a gratuitous ego trip? Nah, 20 years ago maybe, but nowadays hackers are professionals thinking about their bottom line, and they don't really need to bulletproof their tools; after all, their prey is totally clueless people. If you swim around the sharks you can effortlessly eat as many sardines as you want.

            As for the people targeting people/organizations higher on the food chain, they have even more reason to not reveal their tricks before the final showdown.

      2. Anonymous Coward

        Re: Malware at Black Hat?

        Easy way to get your laptop top-class malware-checked for the price of a conference ticket (how much was that again?)

    3. General Purpose

      Re: Malware at Black Hat?

      Does anyone know how malware could detect being at an event like Black Hat? And if so, can we make all our servers look like they're at Black Hat?

      1. The Oncoming Scorn Silver badge

        Re: Malware at Black Hat?

        ARTHUR:

        It’s an intelligence test!

      2. Anonymous Coward

        Re: Malware at Black Hat?

        wifi nw "BLACKHAT-GUEST" "BH-PUBLIC" or similar

      3. doublelayer Silver badge

        Re: Malware at Black Hat?

        I guess you hard-code the time that the conferences will happen and find the IP blocks used by hotels or conference locations likely to host them (if not already announced), and then you just check your host's address and clock against that list. I don't really think most malware authors are going to go to that effort when they would probably be better able to hide by finding a less identifiable C&C method. If you'd still like to try it, try putting your machines into a hotel in Las Vegas and mess with your clock so it always shows a time in mid August.

    4. Clausewitz4.0 Bronze badge

      Re: Malware at Black Hat?

      I would likely bring a discardable laptop to connect to their network.

      Given the high value of tools and exploits produced by the attendees of such conference, most likely a firmware exploit in the NIC would be deployed by a capable party.

    5. Dog11

      Re: Malware at Black Hat?

      Back in the days when pickpocketing was a hanging offense, and hangings attracted crowds looking for entertainment, I understand pickpockets did work those crowds.

      1. Kane

        Re: Malware at Black Hat?

        "Back in the days when pickpocketing was a hanging offense, and hangings attracted crowds looking for entertainment, I understand pickpockets did work those crowds."

        Growth industry?

    6. steviebuk Silver badge

      Re: Malware at Black Hat?

      The funniest story was the guy looking into home drone security and the one he had he knew had massive flaws and open ports. He turned it on very early in the lobby to do testing at which point someone was already awake and took it over :)

  2. Anonymous Coward

    Equifax, anyone?

    Equifax - bad actors exfiltrating data for months (or years) before anyone noticed!

    SolarWinds - where developers had never heard about the so called "Ken Thompson Hack"!!

    So.....I'm always curious when the "good guys" say things like "We also did not see as much malicious activity ... as we expected this year."

    1. Mike 137 Silver badge

      Re: Equifax, anyone?

      I suspect it's a different set of 'good guys' with different approaches and priorities. The Black Hat folks are operating at a technology level, whereas most corporate data breaches are down to process failure. If one studies the Equifax breach (the last big one) it shows that the fundamental problem was not technical - it was an almost complete absence of management and monitoring of processes. The expired certificate in the intrusion detection system (that rendered it inoperative for many months) was due to a failure to renew it - a simple administrative procedure that just hadn't been done. The failure to identify the vulnerable instance of Apache Struts was directly due to absence of a service inventory and failure to keep a critical contact list current. Equally, it took at least a month of 'management meetings' for the vulnerability to be at last taken seriously, despite a timely CERT notification of a critical hazard. This is all management failure and nothing to do with the technical side of the problem at all. If Equifax had been able to identify the vulnerable system and had applied the patch immediately the breach would never have occurred, but as it was they just couldn't see that they had a problem until too late.

  3. Anonymous Coward

    Jeremy Miller

    Any relation to the creator of XMPP?

  4. John Brown (no body) Silver badge

    20,000 attendees?

    I'm amazed there wasn't a LOT more actual malware infections. With 20,000 attendees, there'd very likely be quite a few "junior" net-security people there and quite probably a few highly inexperienced "wannabees".

    1. Anonymous Coward

      Re: 20,000 attendees?

      If my experience of party conferences is anything to go by, computer infections aren't their sole worry.

      1. Anonymous Coward

        Re: 20,000 attendees?

        Monkeypox?

        1. arachnoid2

          Monkeypox

          Detected, dissected and antivirus code distributed.
