Hello, welcome to the Friday, July 8, 2016 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I am recording from Jacksonville, Florida.

Symmetria today came out with interesting report documenting details of a targeted attack that they detected recently.

Typically these attacks are called advanced persistent threat attacks.

The funny part here is that the attack was actually not really that advanced when you look at the tools used.

When it comes to these attacks, really where they distinguish themselves is the reconnaissance

being done in order to target the victims.

As part of the reconnaissance usually a customized malware document is created, like in this

case a PDF that claimed to deal with some of China's influence in the South China Sea.

However, the rest of the attack was pretty much copy paste and a lot of open source tools like

Metasploid and could probably be done by anybody who has taken some kind of intermediate pen testing class.

Now, Symmetria took an interesting approach in detecting this particular attack.

They're in the business of deploying decoys.

Now, this is not really a honeypot, really more a little bit like a honey token.

So what they did in this case is

that they left documents on systems that pointed to an rdp server that is available

well that rdp server turned out to be the actual honeypot so after the attacker broke into the

victim system and then pillaged documents on that

system, they discovered this RDP server and then tried to log into it, which led to their

discovery.

Overall, this took about three days.

Three days.

...