Command and Control in the Fifth Domain
This paper presents the findings of an extensive investigation into command and control infrastructure used by an Advanced Persistent Threat. Findings include technical details of malicious software, and associated command and control protocols. These findings are drawn upon to identify modus operandi and demonstrate links between a number of major targeted attacks including the recent Sykipot attacks, the July 2011 SK Communications hack, the March 2011 RSA breach, and the series of coordinated cyber attacks dubbed NightDragon.
SK Hack by an Advanced Persistent Threat
This document summarises the July 2011 intrusion into SK Communications which culminated in the theft of the personal information of up to 35 million people. It describes the use of a trojaned software update to gain access to the target network, in effect turning a security practice into a vulnerability. It also describes the use of a legitimate company to host tools used in the intrusion. Links between this intrusion and other malicious activity are identified and valuable insights are provided for network defenders. Technical details of malicious software and infrastructure are also provided.
Advanced Persistent Threats: A Decade in Review
This document defines the term Advanced Persistent Threat (APT) in the context of cyber threats and cyber attack. It presents a timeline and summary of prominent cyber attacks likely attributable to APTs over the past decade. Commonalities are identified and assessed in the context of the current cyber threat environment. Trends are used to predict future APT targeting. APT attack methodology is discussed, and, in conclusion, a set of security practices and policies are provided that could help many organisations increase their resilience to APT attack.
Threat Advisory: Atlassian Crowd (CVE-2013-3925)
This advisory examines a critical vulnerability in Atlassian Crowd - a software package marketed as a turnkey solution for enterprise scale single sign-on and secure user authentication. The vulnerability is remotely accessible, does not require authentication, and is easily exploited. Recommendations for securing affected systems are provided and special mention is made of an unpatched weakness in the product that could be classified as a symmetric backdoor.
C5 SIGMA
C5 SIGMA takes network packet capture (pcap) data as input and produces a structured relational database that can be queried with SQL for analysis and reporting. It is released under the GNU General Public License.
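The kind of pipeline the C5 SIGMA abstract describes, as an added illustration that is not C5 SIGMA's code: a small Python loader that parses a classic pcap file (either byte order), decodes Ethernet/IPv4/TCP/UDP headers, writes one row per packet into an in-memory SQLite table, and answers a triage question (which destination a host keeps reaching for) with plain SQL. The capture, the table schema and the query are all constructed for this example; C5 SIGMA's own schema and decoders are not shown on this page.

```python
"""Hypothetical pcap-to-SQL loader (added example; not C5 SIGMA's code)."""
import sqlite3
import struct

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def _ipv4_frame(src, dst, proto, l4):
    """Ethernet + IPv4 header around a transport segment (constructed data; checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + l4


def _tcp(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_pcap(records, endian="<"):
    """Serialise (ts_sec, ts_usec, frame) tuples as a classic pcap file in the given byte order."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


# Constructed capture: one host SYN-beaconing to a single address once a minute,
# a DNS query, and an ARP frame that the IPv4 decoder must skip rather than choke on.
SAMPLE_RECORDS = [
    (1700000000, 0,      _ipv4_frame("10.0.0.5", "203.0.113.7", 6, _tcp(49152, 443, 0x02))),
    (1700000060, 0,      _ipv4_frame("10.0.0.5", "203.0.113.7", 6, _tcp(49153, 443, 0x02))),
    (1700000120, 0,      _ipv4_frame("10.0.0.5", "203.0.113.7", 6, _tcp(49154, 443, 0x02))),
    (1700000130, 500000, _ipv4_frame("10.0.0.5", "10.0.0.53", 17, _udp(53000, 53, b"\x00\x01query"))),
    (1700000131, 0,      bytes.fromhex("ffffffffffff0011223344550806") + b"\x00" * 28),
]
SAMPLE_PCAP = build_pcap(SAMPLE_RECORDS)


def iter_pcap_records(data):
    """Yield (ts_sec, ts_usec, frame) from a classic pcap file; detects byte order from the magic."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:        # magic bytes appear swapped: big-endian writer
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng and nanosecond variants not handled)")
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % off)   # do not silently accept partial data
        off += incl_len
        yield ts_sec, ts_usec, frame


def decode_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP/UDP into a dict; return None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:total_len]                 # honour the IP length, ignoring Ethernet padding
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        flags, payload = l4[13], l4[(l4[12] >> 4) * 4:]
    elif proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        flags, payload = None, l4[8:]
    else:
        return None
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "flags": flags, "payload": payload}


def load_pcap_into_db(data, conn=None):
    """Parse a pcap and insert one row per IPv4 TCP/UDP packet; returns the connection."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS packets (id INTEGER PRIMARY KEY, ts REAL, src TEXT, "
                 "dst TEXT, proto INTEGER, sport INTEGER, dport INTEGER, flags INTEGER, "
                 "length INTEGER, payload BLOB)")
    rows = []
    for ts_sec, ts_usec, frame in iter_pcap_records(data):
        d = decode_frame(frame)
        if d is not None:
            rows.append((ts_sec + ts_usec / 1e6, d["src"], d["dst"], d["proto"], d["sport"],
                         d["dport"], d["flags"], len(frame), d["payload"]))
    conn.executemany("INSERT INTO packets (ts, src, dst, proto, sport, dport, flags, length, payload) "
                     "VALUES (?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def top_destinations(conn, limit=5):
    """Most-contacted (dst, dport) pairs with packet and byte counts: a first cut at beacon hunting."""
    return conn.execute("SELECT dst, dport, COUNT(*) AS n, SUM(length) AS bytes FROM packets "
                        "GROUP BY dst, dport ORDER BY n DESC, bytes DESC LIMIT ?", (limit,)).fetchall()


if __name__ == "__main__":
    db = load_pcap_into_db(SAMPLE_PCAP)
    for row in top_destinations(db):
        print(row)
```

Once the capture is in a table, the questions an analyst actually asks (which internal host first spoke to a suspect address, what the inter-arrival times of its connections look like, which payload carries a given marker) become ordinary SQL rather than bespoke scripts, which is the point the abstract makes. Two caveats the parser deliberately enforces: it refuses a truncated record rather than yielding a short frame, and it slices the transport layer by the IPv4 total length so Ethernet padding is never mistaken for payload.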