Targeted attacks through ISPs

Thursday 3 October 12:00 - 12:30, Green room

Denis Legezo (Kaspersky Lab)

In 2019, we witnessed a rise in the number of cases of targeted malware infections spread via ISPs and service providers. Even when users resort to safe and recommended practices, they are still vulnerable to these more cunning attacks. In this talk, we will discuss the techniques currently in use for these targeted infections and how they abuse user trust on multiple levels.

One of the cases we’ll discuss leverages custom malware designed to compromise the TLS-encrypted communications used by HTTPS. By combining the installation of digital certificates in the target’s browsers with manipulation of the TLS handshake to follow their own scheme, the malware operators are able to single out the target’s traffic, even after NAT routing, and decrypt it. To mark the target’s traffic so that it can be told apart, the developers came up with a technically ingenious mechanism of their own: patching the system’s PRNG functions.
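
As an added defender-side illustration (not code from the talk, from Kaspersky, or from the malware described), the following Python shows one consequence of the marking technique above that a detection engineer can look for: if a patched PRNG stamps a fixed marker into the ClientHello random, byte positions that never change across many sessions from the same host give it away, whereas a healthy PRNG never repeats a position by chance. The ClientHello record layout is built by the example itself, and the 4-byte tag is a placeholder; this page does not state the real marker format.

```python
import os

def build_client_hello(random_bytes: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record (no extensions)."""
    if len(random_bytes) != 32:
        raise ValueError("client random must be 32 bytes")
    body = (b"\x03\x03" + random_bytes   # client version + random
            + b"\x00"                    # session id length: 0
            + b"\x00\x02\xc0\x2f"        # one cipher suite
            + b"\x01\x00")               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def client_random(record: bytes) -> bytes:
    """Pull the 32-byte random out of a TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 34:
        raise ValueError("truncated ClientHello")
    return body[2:34]

def constant_positions(hellos, skip_prefix=4):
    """Byte offsets of the client random that never change across sessions.
    The first 4 bytes are skipped because older clients put gmt_unix_time
    there, so they may legitimately repeat within the same second."""
    randoms = [client_random(h) for h in hellos]
    if len(randoms) < 2:
        return []
    return [i for i in range(skip_prefix, 32)
            if len({r[i] for r in randoms}) == 1]

def looks_marked(hellos, min_positions=2):
    """With a healthy PRNG, even one fixed position across a handful of
    sessions is improbable (256**-(n-1) per position); two or more is a
    strong sign the random is being stamped rather than generated."""
    return len(constant_positions(hellos)) >= min_positions

# Constructed sample data: five sessions from a healthy client, and five
# from a client whose random is stamped with a hypothetical 4-byte tag.
TAG = b"\xde\xad\xbe\xef"   # placeholder, not the real malware's marker
HEALTHY = [build_client_hello(os.urandom(32)) for _ in range(5)]
MARKED = [build_client_hello(os.urandom(28) + TAG) for _ in range(5)]
```

Running the check over ClientHellos grouped per source host (after NAT, per internal host) turns the marker the operators rely on into a fingerprint the defender can alert on.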
We will also discuss the operations of another prolific actor, StrongPity. One of the most fascinating aspects of StrongPity’s operations is the spread of malware via HTTP 307 redirections at the ISP level. The victims are just going about their normal browsing, trying to download popular software from the official website, when they are silently redirected to a version that has been trojanized by the malware operators.

Moreover, ISPs aren’t the only service providers being abused for targeted attacks! We will discuss new research into how a national data centre in Asia was used as a similar infection vector. The attackers compromised the data centre where the local government’s online services are hosted. Once inside, they not only gained access to multiple government services at once, they were also able to add malicious scripts to government websites to use them for watering hole attacks for further targeted infections.

These cunning attacks by truly resourceful attackers highlight that the recommended safe practices for common users are simply not enough. Even when users are cautious enough to resort to official websites, rely on encrypted traffic, and are careful about where they download their programs, they are still falling prey to these dastardly attackers. Where should we place our trust now?

Denis Legezo

Denis Legezo works as a senior security researcher within Kaspersky's Global Research and Analysis Team (GReAT) and specializes in targeted attacks research. He earned his degree in cybernetics and applied mathematics from Moscow State University in 2002. His diploma topic was directly related to information security. Then he started his career as a programmer in different public and commercial companies. Before joining Kaspersky at the beginning of 2014, he worked as a technical expert for a Russian IT company. He has presented his targeted malware research at RSA Conference, SAS, Virus Bulletin and MBLT Dev.
