OopsSec - The bad, the worst and the ugly of APT’s operations security

Advanced Persistent Threat groups invest in developing their arsenal of exploits and malware to stay below the radar of their victims' security controls and persist on the target machines for as long as possible. We were curious if the same efforts are invested in the operation security of these campaigns. We started a journey researching active campaigns from the Middle East to the Far East including the Palestinian Authority, Turkey, and Iran, Russia, China, and North Korea. These campaigns were both state-sponsored, surveillance-targeted attacks and large-scale financially-motivated attacks. We looked at almost every technology used and every step taken throughout the attack chain: Windows (Go-lang/.Net/Delphi) and Android malware; both on Windows and Linux-based C2 servers. We found a multitude of unbelievable critical mistakes which open a unique window to understand new advanced TTPs used by attackers. In many cases, we were able to join the attackers’ internal groups and view their chats, emails, and even bank accounts and crypto wallets. We understood their business models and were surprised to see the scale of sensitive data sharing, such as entire citizen databases, passports, SSN, etc. In some cases, we were able to take down the entire campaign. We will present our latest breakthroughs from our seven-year mind-game against the sophisticated Infy threat actor who successfully ran a 15-year active campaign using the most secured opSec attack chain we've encountered. We will explain how they improved their opSec over the years and how we recently managed to monitor their activity in real-time and how we recently even achieved an advanced new version of Infy malware which was not known until now. We will demonstrate oopSec mistakes done by new threat attackers that have not been introduced yet in public. In addition, We will update on all threat actors' reactions to our recent publication including changing infrastructure, terminating sensitive victims and threat actors which totally made changes but still continue to be vulnerable. main points - Attackers are humans, they are not necessarily experts in operations security. We will go over 8 threat actors case studies and explain the mistakes made and how valuable it may be for CISO’s and blue/red teams. 2 demo sessions focused on the ability to take advantage of different oopsSec mistakes Covers new attack techniques: iCloud 2-factor authentication bypass and NFT/crypto wallet attacks. This is a comprehensive research, which focuses on the operations security level of multiple APT actors including both state-sponsored surveillance targeted attacks and large scale financial motivated attacks. We will present our latest breakthrough against the Infy threat actor who has been running a 15-year active campaign using the most secure opSec attack chain we've encountered. The original talk was presented at Defcon 2022 and got very positive feedbacks (some even said it was the best talk), the audience was fully involved and I believe it should be relevant to Security Fest audience as well. we updated the case studies and will demonstrate new oopSec mistakes. We will explain the threat actors' reactions to our publication including actors that still continue to be vulnerable.

Presented at Security Fest 2023.

About Tomer Bar

Tomer Bar is a hands-on security researcher with 20 years of unique experience in leading cyber security froups. In the past, he ran research groups for the Israeli government and then led the endpoint malware research for Palo Alto Networks. Currently, he leads SafeBreach Labs as the director of security research. His main interests are Windows vulnerability research, reverse engineering, and nation state APT research. Among his discoveries are the PrintDemon vulnerabilities in the Windows Spooler mechanism which were a candidate for the best privilege escalation of 2021 Pwnie awards and several research studies on Iranian APT campaigns. He is a contributor to the MITRE ATT&CK® framework. He presented his researches at BlackHat 2020, Defcon 2020, 2021, 2022 and Sector, Recon and HackCon conferences.