Incident Management Case Study

Uploaded by Manas Monu

Cyber Security Case Study & Incident Response

PRESENTER
Mohammad Ariful Islam
Information Security Specialist
BGD e-GOV CIRT
Bangladesh Computer Council
ICT Division

Major Certification
Offensive Security Certified Professional (OSCP)
Red Hat Certified Architect (RHCA)
Certified Ethical Hacker (C|EH)
Certified Red Team Professional (CRTP)
CONTENTS
• Basic cyber security terms
• Case study: GODFATHER banking malware
• Information gathering techniques
• Incident management
• Incident analysis (Case # Ransomware infection)

Image Credit: blog.se.com


WHAT IS CYBERSECURITY?
Cybersecurity is the art of protecting
networks, devices, and data from
unauthorized access or criminal use and
the practice of ensuring confidentiality,
integrity, and availability of information.

Image Credit: blog.se.com


RISKS TO HAVING POOR CYBERSECURITY
• An attacker breaking into your system
and altering files.
• Malware erasing your entire system.

Image Credit: pngtree


RISKS TO HAVING POOR CYBERSECURITY

Link: https://www.banglatribune.com/country/chitagong/832895/ফ োন-হোরিয়ে-গ্রোহক-জোনয়েন-ব্োাংয়ক-িোখো-১২-েোখ-টোকো

Image Credit: pngtree


RISKS TO HAVING POOR CYBERSECURITY

12 lakh 83 thousand taka

15 lakh 30 thousand 530 taka

30 thousand taka

Link: https://www.prothomalo.com/bangladesh/crime/qlcwdf9o3b

Image Credit: pngtree


DEFEND AGAINST CYBERATTACK
The first step in protecting yourself is to
recognize the risks. Defending yourself against
cyberattacks starts with understanding the risks
associated with cyber activity, what some of the
basic cybersecurity terms mean, and what you
can do to protect yourself.

Image Credit: dreamstime.com


ASSET
Any data, device, or other
component of the environment that
supports information-related
activities is an asset.

Image Credit: Freepik


VULNERABILITY
Vulnerability is defined as a flaw or
a weakness inside the asset that
could be used to gain unauthorized
access to it.

Image Credit: Freepik


THREAT
A threat represents a possible danger
to the computer system. A successful
exploitation of a vulnerability is a threat.

Image Credit: 123rf.com


EXPLOIT
An exploit is code that takes
advantage of a vulnerability in an asset
to cause unintended or
unanticipated behavior in a target
system, allowing an attacker
to gain access to data
or information.

Image Credit: cybersecurity-help.cz


RISK
Risk = Threat x Vulnerabilities x Impact

Image Credit: Freepik


BANKING MALWARE
A banking Malware/Trojan
represents a malicious computer
program that tries to obtain
access to confidential information
which is stored or processed
through online banking systems.

Image Credit: Kaspersky.com


TOP 10 MOBILE BANKING MALWARE 2023
• 1171 known variants
• 57 countries
• 237 banking apps targeted
• Stolen data exfiltrated to: USA, Turkey, Spain, Canada, France, Germany, UK, Italy, Poland
• Offered as MaaS

Image Credit: Zimperium


BANKING MALWARE: GODFATHER
An Android banking malware named
'Godfather' has been targeting users in
57 countries, attempting to steal account
credentials for over 400 online banking
sites and cryptocurrency exchanges.

Image Credit: shutterstock


BANKING MALWARE: GODFATHER
DETECTION
• First discovered in March 2021 by
ThreatFabric.
• Later, the Godfather trojan was
discovered by Group-IB analysts, who
believe it is the successor of Anubis, a
once widely used banking trojan.

Image Credit: shutterstock


BANKING MALWARE: GODFATHER
WORKING METHOD
The malware generates login screens
overlaid on top of the banking and crypto
exchange apps' login forms when victims
attempt to log in to the site, tricking the
user into entering their credentials on
well-crafted HTML phishing pages.

Image Credit: istockphoto.com


BANKING MALWARE: GODFATHER
Fake Login Screen

Image Credit: group-ib.com


BANKING MALWARE: GODFATHER
DISTRIBUTION METHOD

MYT Müzik: 10M downloads

Image Credit: bcbiofuel.org


BANKING MALWARE: GODFATHER
DISTRIBUTION METHOD

500+
Downloads

Image Credit: bleepingcomputer.com


BANKING MALWARE: GODFATHER
IOC
App Name: MYT Müzik
Package Name: com.expressvpn.vpn
SHA256 Hash:
138551cd967622832f8a816ea1697a5d08ee66c379d32d8a6bd7fca9fdeaecc4

Image Credit: nsfocusglobal.com


BANKING MALWARE: GODFATHER
VIRUSTOTAL ANALYSIS


BANKING MALWARE: GODFATHER
MALWARE ABILITIES

Request access to
Android Accessibility
Service

Image Credit: bleepingcomputer.com



BANKING MALWARE
STAYING SAFE
To protect against those threats:
• Avoid downloading APKs from outside
Google Play.
• Install only from Android's official app
store.
• Carefully read user reviews and
perform a background check on the
app's developer/publisher.

Image Credit: 123rf.com


BANKING MALWARE
STAYING SAFE
• Pay close attention to the requested
permissions.
• Never grant access to the
'Accessibility Services' unless you are
sure about it.
• If an app requests to download an update
from an external source upon first launch,
it should be treated with suspicion and
avoided if possible.
Image Credit: 123rf.com


SECURITY INCIDENT
A security incident is a single event or a series of events
that may indicate a breach of an organization's security
policy, affecting the confidentiality, integrity or
availability of its systems.

Image Credit: dreamstime.com


INCIDENT MANAGEMENT

Image Credit: sketchbubble.com


INCIDENT MANAGEMENT
Preparation
• People
• Tools
• Training
• Management training
• Policies
• Procedures
• Communication plan
• Jump bag
Image Credit: sketchbubble.com
INCIDENT MANAGEMENT
Identification
• Unusual files
• Unusual processes
• Passive monitoring
• Primary IR handler
• Analyze logs
• Odd scheduled tasks
• Awareness
• Unusual security events
Image Credit: sketchbubble.com
INCIDENT MANAGEMENT
Containment
• Assign primary IR team
• Stop the bleeding
• Change credentials
• Deploy temporary fixes
• Kill backdoors
• Communication
• Memory capture
• Forensic images
Image Credit: sketchbubble.com
INCIDENT MANAGEMENT
Eradication
• Identify root cause
• Apply patches
• Remove malware
• Harden security controls
• Additional FW/IDS filters
• Rescan network
• Wipe/Format/Rebuild system

Image Credit: sketchbubble.com


INCIDENT MANAGEMENT
Recovery
• System restoration
• Data recovery/restore
• Service Resumption
• Continuous Monitoring

Image Credit: sketchbubble.com


INCIDENT MANAGEMENT
Lessons Learned
• Post-Incident review
• Document findings
• Successes and challenges
• Communication effectiveness
• Response Time analysis
• Training/skill gaps
• Documentation Review
• Policy and procedure review
Image Credit: sketchbubble.com
INCIDENT MANAGEMENT
Why do we need it?
• Minimize downtime
• Mitigate business impact
• Identify root causes
• Customer satisfaction
• Continuous Improvement

Image Credit: freepik.com


INCIDENT MANAGEMENT
Measure effectiveness
• Mean Time to Detect (MTTD)
• Mean Time to Resolve (MTTR)
• Incident Response Time
• Incident Escalation Rate
• Repeat Incidents

Image Credit: manageengine.com
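The five metrics on this slide, computed over a handful of constructed incident tickets, as an added example that is not part of the presentation. The `Incident` record, its timestamp fields and the sample tickets are assumptions made for the illustration; MTTD is measured from occurrence to detection and MTTR from detection to resolution, which is one common convention.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

@dataclass
class Incident:
    ticket: str
    category: str        # taxonomy class / type, as on the classification slides
    occurred: datetime   # when the malicious activity actually began
    detected: datetime   # when the IR team became aware of it
    responded: datetime  # first action by the primary IR handler
    resolved: datetime   # service resumed, ticket closed
    escalated: bool      # escalated beyond the first-line handler

def validate(inc):
    """Reject tickets whose timestamps are out of order (a common data-quality defect)."""
    if not (inc.occurred <= inc.detected <= inc.responded <= inc.resolved):
        raise ValueError(f"{inc.ticket}: timestamps are not in chronological order")
    return inc

def _hours(delta):
    return delta.total_seconds() / 3600

def mttd(incidents):
    """Mean Time to Detect: occurrence -> detection, in hours."""
    return mean(_hours(i.detected - i.occurred) for i in incidents)
def mean_response_time(incidents):
    """Incident Response Time: detection -> first responder action, in hours."""
    return mean(_hours(i.responded - i.detected) for i in incidents)
def mttr(incidents):
    """Mean Time to Resolve: detection -> resolution, in hours."""
    return mean(_hours(i.resolved - i.detected) for i in incidents)
def escalation_rate(incidents):
    """Incident Escalation Rate: fraction of tickets escalated beyond first line."""
    return sum(1 for i in incidents if i.escalated) / len(incidents)

def repeat_incidents(incidents):
    """Repeat Incidents: categories seen more than once, candidates for root-cause review."""
    counts = Counter(i.category for i in incidents)
    return {c: n for c, n in counts.items() if n > 1}

# Constructed sample tickets for illustration (not real incident data).
SAMPLE = [validate(i) for i in (
    Incident("INC-1", "Malicious Code / Infected System", datetime(2023, 5, 1, 8, 0), datetime(2023, 5, 1, 10, 30), datetime(2023, 5, 1, 11, 0), datetime(2023, 5, 2, 9, 0), False),
    Incident("INC-2", "Intrusion Attempts / Login attempts", datetime(2023, 5, 3, 1, 0), datetime(2023, 5, 3, 1, 15), datetime(2023, 5, 3, 1, 30), datetime(2023, 5, 3, 4, 15), False),
    Incident("INC-3", "Malicious Code / Infected System", datetime(2023, 5, 10, 12, 0), datetime(2023, 5, 11, 12, 0), datetime(2023, 5, 11, 14, 0), datetime(2023, 5, 12, 12, 0), True),
    Incident("INC-4", "Availability / DDoS", datetime(2023, 5, 12, 14, 0), datetime(2023, 5, 12, 14, 5), datetime(2023, 5, 12, 14, 20), datetime(2023, 5, 12, 18, 5), True),
)]
```

On the sample set this gives an MTTD of about 6.71 h, a response time of 0.75 h, an MTTR of 13.375 h, a 50% escalation rate, and one repeat category (infected systems), which is the kind of signal that feeds the "Lessons Learned" review.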


INCIDENT CLASSIFICATION
(Classification, then Type: Description)

Abusive Content
• Spam: Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having a functionally comparable content.
• Harmful Speech: Discreditation or discrimination of somebody, e.g. cyberstalking, racism or threats against one or more individuals.
• Child Porn/Sexual/Violent Content: Child pornography, glorification of violence, etc.

Malicious Code
• Infected System: System infected with malware, e.g. PC, smartphone or server infected with a rootkit.
• C2 Server: Command-and-control server contacted by malware on infected systems.
• Malware Distribution: URI used for malware distribution, e.g. a download URL included in fake invoice malware spam.
• Malware Configuration: URI hosting a malware configuration file, e.g. web injects for a banking trojan.

Information Gathering
• Scanning: Attacks that send requests to a system to discover weaknesses. This also includes testing processes to gather information on hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...), port scanning.
• Sniffing: Observing and recording of network traffic (wiretapping).
• Social engineering: Gathering information from a human being (e.g. lies, tricks, bribes, or threats).

Intrusion Attempts
• Exploiting known vulnerabilities: An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (e.g. buffer overflow, backdoor, cross site scripting, etc.)
• Login attempts: Multiple login attempts (Guessing / cracking of passwords, brute force).
• New attack signature: An attack using an unknown exploit.

Intrusions
• Privileged account compromise: Compromise of a system where the attacker gained administrative privileges.
• Unprivileged account compromise: Compromise of a system using an unprivileged (user/service) account.
• Application compromise: Compromise of an application by exploiting (un)known software vulnerabilities, e.g. SQL injection.
• Burglary: Physical intrusion, e.g. into corporate building or data center.

Availability
• DoS: Denial of Service attack, e.g. sending specially crafted requests to a web application which causes the application to crash or slow down.
• DDoS: Distributed Denial of Service attack, e.g. SYN-Flood or UDP-based reflection/amplification attacks.
• Misconfiguration: Software misconfiguration resulting in service availability issues.
• Sabotage: Physical sabotage, e.g. cutting wires or malicious arson.
• Outage: Outage caused e.g. by air condition failure or natural disaster.

Information Content Security
• Unauthorised access to information: Unauthorized access to information, e.g. by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents.
• Unauthorised modification of information: Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data.
• Data Loss: Loss of data, e.g. caused by hard disk failure or physical theft.

Fraud
• Unauthorized use of resources: Using resources for unauthorized purposes including profit-making ventures, e.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes.
• Copyright: Offering or installing copies of unlicensed commercial software or other copyright protected materials (Warez).
• Masquerade: Type of attack in which one entity illegitimately impersonates the identity of another in order to benefit from it.
• Phishing: Masquerading as another entity in order to persuade the user to reveal private credentials.

Vulnerable
• Weak crypto: Publicly accessible services offering weak crypto, e.g. web servers susceptible to POODLE/FREAK attacks.
• DDoS amplifier: Publicly accessible services that can be abused for conducting DDoS reflection/amplification attacks, e.g. DNS open-resolvers or NTP servers with monlist enabled.
• Potentially unwanted accessible services: Potentially unwanted publicly accessible services, e.g. Telnet, RDP or VNC.
• Information disclosure: Publicly accessible services potentially disclosing sensitive information, e.g. SNMP or Redis.
• Vulnerable system: A system which is vulnerable to certain attacks. Example: misconfigured client proxy settings (example: WPAD), outdated operating system version, etc.

Other
• Other: Other incident that does not fall into any class above.
