1、About UsThreat researcher at Palo Alto Networks,focusing on threat hunting,malware analysis,and tracking nation state APTs.Lior RochbergerPrincipal Threat ResearcherThreat researcher at Palo Alto Networks.Focuses on threat hunting,malware research,and threat intelligence.Tom FaktermanSenior Threat R
2、esearcherAgendaGlobal Trend:Abusing Legitimate Services Case Studies:How APTs Abuse Legitimate ServicesDefending and Hunting Next-Gen C2Key TakeawaysPayloadsCommands executionReconnaissanceData staging for exfiltrationLateral movementScheduled taskServicesSuspicious IPsRare connections/portsSuspicio
3、us domainBlocked trafficAs Technology Evolves-94%of enterprises use cloud services78%of organizations adopted AI/ML toolsOver 40%of enterprise networks allow unrestricted communication to cloud providers99%of companies use at least one SaaS applicationSo Do The ThreatsAs Technology Evolves-So Do The
4、 ThreatsTraditional C2Attacker-controlled servers:Custom serversDedicated infrastructureCompromised websitesDomain generation algorithmsNext-Gen C2Abusing trusted services your business already uses:Cloud servicesPublic content-sharing platformsSocial media and forumsAI/ML platformsChallenges For De
5、fendersHard to blockHard to detectHard to attributeAbuse of Social MediaTwitter(x)FacebookInstagramRedditYouTubeTumblrAbuse of Social Media-Twitter Twitter memesBERBOMTHUM(.NET malware)2018MemesC2Abuse of Social Media-Twitter Memeshttps:/ regex to extract the most recent uploaded image1.Downloads th
6、e Twitter pageAbuse of Twitter Memes-Steganography*“ICC_Profile”section=defines specific color space of the imageAbuse of Social Media-Facebook PostsFacebookpostsMolerats Middle East espionage campaign2020DropBook(Python backdoor)C2https:/ CodeReads Facebook post#1Post#1-Dropbox TokenDropBookDropbox