(My) BruCON 2018 Notes

Here are my quick notes from the BruCON 2018 conference. All the slides of the conference can be found here.

$SignaturesAreDead = “Long Live RESILIENT Signatures” wide ascii nocase (by Daniel Matthew)

Background

Signatures and indicators: what is a good signature? It depends on the context, but the main properties are:

  • More resilient than rigid (resists evasion and normal changes).
  • More methodology-based than specific (captures methods or techniques rather than one artifact).
  • More proactive than reactive (identifies new techniques, not only ones already seen).

Process

  • Define the detection
    • what, where and when to find it.
  • Assemble a sample set
    • collected samples.
    • generated samples.
    • try to enumerate the entire problem space.
  • Test existing detections
    • test existing detection capabilities for any free wins.
    • adjust the priorities of applicable existing detections.
  • Generate data
    • logs.
    • binary metadata.
  • Write the detection
    • start broad and tune afterwards.
  • Test and tune

Process Walk-through for binaries

This applies the previous process to binaries. Malware binaries change very often, so in this case you can't rely on anti-virus signatures.

Process Walk-through for regsvr32.exe

This applies the previous process to regsvr32.exe. It shows that detecting regsvr32 by its arguments or process name is rather difficult,
because the parameters can be written in multiple ways, e.g. /s or -s, /u or -u, or combined as /us or -us.

Approaches that paid off for detecting the execution of regsvr32:

  • Handle obfuscation separately.
  • Handle renamed .exe/.dll files separately.
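As an added example (my own code, not the speakers'), here is how the two pieces of advice above can be turned into detection logic in Python and run over a few constructed process-creation events: switch spelling is normalised so /s, -s and /us all mean the same thing, cmd.exe obfuscation (carets and paired quotes, which cmd removes before the program starts) is stripped in its own step, and renamed copies are caught through the PE OriginalFileName instead of the on-disk image name. The event field names ("image", "cmdline", "original_file_name") are assumptions, not a specific product's schema.

```python
"""Flag regsvr32.exe executions in process-creation telemetry the way the talk
recommends: normalise switch spelling, strip cmd.exe obfuscation separately,
and catch renamed copies separately (via the PE OriginalFileName)."""
from typing import Dict, List, Optional, Set

# Constructed sample events (not real telemetry). Field names are assumptions:
# "image" = on-disk path, "cmdline" = process command line,
# "original_file_name" = OriginalFileName from the PE version resource.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /u C:\Temp\x.dll",
     "original_file_name": "REGSVR32.EXE"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"REGSVR32 -us C:\Temp\y.dll",
     "original_file_name": "REGSVR32.EXE"},
    # Renamed copy: the image name says svchost, the PE metadata says regsvr32.
    {"image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "cmdline": r"svchost.exe /s C:\Temp\z.dll",
     "original_file_name": "REGSVR32.EXE"},
    # cmd.exe obfuscation: carets and paired quotes are removed by cmd before
    # the program starts, so this still runs regsvr32 with /s /n /i:...
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r're^gsvr32.exe "/s" /n /i:C:\Temp\w.dll C:\Temp\w.dll',
     "original_file_name": "REGSVR32.EXE"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt",
     "original_file_name": "NOTEPAD.EXE"},
]

REGSVR32_SWITCHES = {"s", "u", "n", "i"}  # the documented regsvr32 switches


def deobfuscate_cmdline(cmdline: str) -> str:
    """Undo cmd.exe-level obfuscation: '^' is cmd's escape character and is
    dropped, and double quotes are consumed while parsing. Kept as its own
    step so the switch parser never has to know about it."""
    return cmdline.replace("^", "").replace('"', "")


def normalise_switches(cmdline: str) -> Set[str]:
    """Collapse /s, -s, /US, -us, /i:path ... into a set of single letters.
    Combined forms such as /us are split into their component switches."""
    switches: Set[str] = set()
    for tok in cmdline.split():
        if len(tok) > 1 and tok[0] in "/-":
            key = tok[1:].lower().split(":", 1)[0]   # "/i:C:\x.dll" -> "i"
            if key in REGSVR32_SWITCHES:
                switches.add(key)
            elif key and set(key) <= REGSVR32_SWITCHES:
                switches.update(key)                # "/us" -> {"u", "s"}
    return switches


def is_regsvr32(event: Dict[str, str], cmdline: str) -> bool:
    """Identify the binary by PE metadata first (survives renaming) and only
    fall back to the first command-line token when the metadata is missing."""
    original = event.get("original_file_name", "").lower()
    if original:
        return original == "regsvr32.exe"
    tokens = cmdline.split()
    first = tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""
    return first.startswith("regsvr32")


def analyse(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a regsvr32 execution, or None for anything else."""
    cmdline = deobfuscate_cmdline(event["cmdline"])
    if not is_regsvr32(event, cmdline):
        return None
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    return {
        "image": event["image"],
        "renamed": image_name != "regsvr32.exe",
        "obfuscated": cmdline != event["cmdline"],
        "switches": normalise_switches(cmdline),
        "normalised_cmdline": cmdline,
    }


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the detection over a batch of events and keep only the hits."""
    return [f for f in (analyse(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The point of the three separate steps is that each one can be tuned on its own: a new obfuscation trick only touches deobfuscate_cmdline, a new switch spelling only touches normalise_switches, and renamed binaries never reach the command-line logic at all.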

Takeaways

  • Know what you are detecting today and HOW you are detecting it.
  • Capture result of hunts as new detections.

All Your Cloud Are Belong To Us – Hunting Compromise in Azure (by Nate Warfield)

Traditional network (old days)          | Cloud network
----------------------------------------|------------------------------------------
server exposure was restricted          | every VM is exposed to the internet
many layers of ACLs + segmentation      | VMs deployed with a predefined firewall
dedicated deployment teams              | anyone with access can expose bad things
well-defined patch cadence              | patch management is decentralized

NoSQL problem

NoSQL solutions were never intended for internet exposure,
but (naturally) people exposed them to the internet anyway.

Hunting NoSql Compromise in Azure

Port scans are slow, and each NoSQL solution runs on different ports.

The speaker used Shodan instead:

  • rich metadata for each IP
  • DB names are indexed
  • JSON export allows for automated hunting

This was added to Shodan in December 2017 but requires Shodan enterprise API access.
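To show what "automated hunting over the JSON export" looks like in practice, here is an added example (my own code, not the speaker's) that walks a constructed, newline-delimited JSON export shaped like a Shodan banner download, selects NoSQL services by the product banner rather than by port (so it does not matter which port each engine listens on), keeps only Azure-hosted hits, and inspects the indexed database names. The field layout (ip_str, port, product, org, and the mongodb.listDatabases.databases[].name list) and the "Microsoft Azure" org string are assumptions to check against a real export; the ransom-note name heuristic is mine.

```python
"""Hunt exposed / compromised NoSQL services in a Shodan-style JSON export
without port scanning: key on the 'product' banner field (each NoSQL engine
listens on its own port), keep only Azure-hosted hits, and look at the
indexed database names for ransom-note style names."""
import json
from typing import Dict, Iterable, List

# Constructed sample export (one JSON object per line). The field names used
# here are the layout assumed for this example, not a verified schema.
SAMPLE_EXPORT = "\n".join(json.dumps(rec) for rec in [
    {"ip_str": "203.0.113.10", "port": 27017, "product": "MongoDB",
     "org": "Microsoft Azure", "hostnames": ["vm-a.example.invalid"],
     "mongodb": {"listDatabases": {"databases": [
         {"name": "customers"}, {"name": "PLEASE_READ_ME"}]}}},
    {"ip_str": "203.0.113.11", "port": 9200, "product": "Elastic",
     "org": "Microsoft Azure", "hostnames": [], "data": "cluster_name: logs"},
    {"ip_str": "198.51.100.7", "port": 6379, "product": "Redis",
     "org": "Example Hosting", "hostnames": [], "data": "redis_version:4.0"},
    {"ip_str": "203.0.113.12", "port": 80, "product": "nginx",
     "org": "Microsoft Azure", "hostnames": [], "data": "HTTP/1.1 200 OK"},
])

NOSQL_PRODUCTS = {"mongodb", "elastic", "elasticsearch", "redis", "couchdb", "cassandra"}
# Database names typical of the wiped-and-ransomed pattern; heuristic only.
RANSOM_HINTS = ("read", "warning", "ransom", "bitcoin", "restore")


def parse_export(text: str) -> Iterable[Dict]:
    """The export is newline-delimited JSON; skip blank lines."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def is_nosql(rec: Dict) -> bool:
    # Match on the banner product, not the port: hunting by port would miss
    # services moved off their defaults and needs one query per engine.
    product = (rec.get("product") or "").lower()
    return any(product.startswith(p) for p in NOSQL_PRODUCTS)


def is_azure(rec: Dict) -> bool:
    # The 'org' string for Azure-hosted IPs is assumed to contain "Azure".
    return "azure" in (rec.get("org") or "").lower()


def database_names(rec: Dict) -> List[str]:
    dbs = rec.get("mongodb", {}).get("listDatabases", {}).get("databases", [])
    return [d.get("name", "") for d in dbs]


def looks_ransomed(names: List[str]) -> bool:
    return any(hint in n.lower() for n in names for hint in RANSOM_HINTS)


def hunt(text: str, azure_only: bool = True) -> List[Dict]:
    findings = []
    for rec in parse_export(text):
        if not is_nosql(rec) or (azure_only and not is_azure(rec)):
            continue
        names = database_names(rec)
        findings.append({
            "ip": rec["ip_str"], "port": rec["port"], "product": rec["product"],
            "databases": names, "ransomed": looks_ransomed(names),
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EXPORT):
        print(f)
```

Running it over the constructed export returns the MongoDB host (flagged as ransomed because of the PLEASE_READ_ME database) and the Elasticsearch host; the Redis host is dropped by the Azure filter and nginx is not a NoSQL product.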

Network Security Group

A Network Security Group (NSG) is the VM firewall.

  • Configurable during deployment (optional).
  • 46% of images expose ports by default.
  • 96% expose more than the management ports.

Your IaaS security is your responsibility;
PaaS and SaaS are a shared responsibility.

  • Patches handled by Microsoft:
    • SaaS: 100% transparent for you.
    • PaaS: requires configuration.

Cloud marketplaces are supply chains

  • supply chain attacks are increasingly common.
  • cloud marketplaces are the next targets.
  • minimal validation of 3rd party images:
    • 3rd party IaaS images are old.
    • average Azure image age: 140 days.
    • average AWS image age: 717 days.

2018 year of the cryptominer

  • cryptomining is the new ransomware.
  • open S3 buckets are attacked.
  • any vulnerable system is a target.

Disrupting the Kill Chain (by Vineet Bhatia)

What is this talk about:

  • how to make the adversary's intrusion cost-prohibitive.
  • how to monitor and secure Windows 10 environments.
  • how to recover from an intrusion.

Computer scientists at Lockheed Martin described the “intrusion kill chain” framework; see KillChain.

PRE-ATT&CK: Adversarial Tactics, Techniques & Common Knowledge for Left-of-Exploit is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target.

PRE-ATT&CK consists of 15 tactics and 151 techniques.

ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge for Enterprise is an adversary model and framework for describing the actions an adversary may take to compromise and operate within an enterprise network. The model can be used to better characterize and describe post-compromise adversary behavior.

Summary of the adversary behavior:

  • know when they are coming: use PRE-ATT&CK.
  • see them when they operate on your infrastructure: use ATT&CK.
  • map their activities: use the kill chain.

Don’t jump directly to attacker remediation; if an adversary perceives you as hostile (e.g. hacking back), they will react differently.

How to make intrusions cost prohibitive:

  • reduce attack surface area.
  • detect early and remediate swiftly.
  • deceive, disrupt and deteriorate.

The rest of the talk was about Windows 10 security.

Hunting Android Malware: A novel runtime technique for identifying malicious applications (by Christopher Leroy)

Malware is a constant threat to the Android ecosystem. How we protect against it today:

  • look at the APK file(s):
    • statically
    • or in a sandbox
  • looking for:
    • (code) signatures
    • hashes
    • permissions, reputation

Shortcomings of the current detection techniques:

  • static analysis is hard and can only reveal a subset of the functionality.
  • bypassing AV products is easy.
  • forensics cannot be done in real time.

Idea: look at the application heap, because Android apps are made of objects. The novelty is that the analysis happens at runtime, on the heap of the running process:

  • objects exist on the heap, so they are accessible.
  • trace calls and monitor the behavior.
  • a great way to gain insight into applications.

The author presented his own framework, called Uitkyk. Uitkyk is a framework that identifies Android malware according to the objects instantiated on the heap of a specific Android process.

The framework also integrates with Frida, a “dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers”.

Exploits in Wetware (by Robert Sell)

This was also a talk about social engineering. From my point of view it does not bring new things compared to the talk “Social engineering for penetration testers” from the previous day.

Dissecting Of Non-Malicious Artifacts: One IP At A Time (by Ido Naor and Dani Goland)

The talk was about how one can find very valuable information that is uploaded (accidentally or not) to different public cloud services.


(My) BruCON 2018 Notes (Retro Day)

Here are my quick notes from the BruCON 2018 conference. This first day was called “Retro Day” because it contained the best (as chosen by the attendees) previous talks. All the slides of the conference can be found here.

Advanced WiFi Attacks using Commodity Hardware (by Mathy Vanhoef)

WiFi devices assume that every other device behaves fairly, for example by sharing the bandwidth with the other devices.

With special hardware it is possible to modify this behavior; it is possible to do:

  • continuous jamming: the channel becomes unusable.
  • selective jamming: block specific packets.

Implementing selfish behavior using cheap devices

Steps to send a frame:
frame1 + SIFS + AIFSN (slots) + backoff + frame2

  • SIFS: the time that lets the hardware process the frame.
  • AIFSN: a fixed number of slots the station must see the medium idle (SIFS plus these slots form the AIFS, or DIFS in plain DCF).
  • Backoff: a random amount of time, used to avoid collisions.

Implementing the selfish behavior (this was done by modifying the firmware):

  • disable the backoff.
  • reduce the AIFSN.
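The effect of those two firmware changes, and of the capture effect discussed further down, is easy to see in a slotted contention simulation. This is an added example (my own code, not the speaker's): each station waits AIFSN slots plus a random backoff, the earliest transmits, equal waits collide, and with the capture effect turned on the strongest signal is decoded instead of both frames being lost. The slot and SIFS values are the 802.11a/g/n ones; the signal strengths are constructed.

```python
"""Simulate 802.11 contention (DCF/EDCA style) to show why a station that
disables its random backoff and shrinks its AIFSN grabs the medium, and how
the capture effect decides between two such selfish stations."""
import random
from dataclasses import dataclass
from typing import Dict, List

SLOT_US = 9      # slot time for the 802.11a/g/n OFDM PHY
SIFS_US = 16     # SIFS for the same PHY


@dataclass
class Station:
    name: str
    aifsn: int = 2          # AIFS = SIFS + aifsn * slot (aifsn=2 is plain DIFS)
    cw: int = 16            # backoff drawn uniformly from [0, cw) slots
    backoff_enabled: bool = True
    signal: float = 1.0     # relative received power at the AP (constructed)

    def wait_slots(self, rng: random.Random) -> int:
        backoff = rng.randrange(self.cw) if self.backoff_enabled else 0
        return self.aifsn + backoff

    def wait_us(self, rng: random.Random) -> float:
        return SIFS_US + self.wait_slots(rng) * SLOT_US


def contend(stations: List[Station], rounds: int, capture_effect: bool,
            seed: int = 1) -> Dict[str, float]:
    """Run `rounds` transmission opportunities. Each round every station draws
    its wait; the earliest wins. Equal waits collide and both frames are lost,
    unless the capture effect lets the strongest signal be decoded."""
    rng = random.Random(seed)
    wins = {s.name: 0 for s in stations}
    collisions = 0
    for _ in range(rounds):
        waits = {s.name: s.wait_slots(rng) for s in stations}
        earliest = min(waits.values())
        winners = [s for s in stations if waits[s.name] == earliest]
        if len(winners) == 1:
            wins[winners[0].name] += 1
        elif capture_effect:
            wins[max(winners, key=lambda s: s.signal).name] += 1
        else:
            collisions += 1
    share = {name: n / rounds for name, n in wins.items()}
    share["collisions"] = collisions / rounds
    return share


def scenarios(rounds: int = 10000) -> Dict[str, Dict[str, float]]:
    fair_a, fair_b = Station("fair-A"), Station("fair-B")
    # The selfish firmware: no backoff at all and a smaller AIFSN.
    selfish = Station("selfish", aifsn=1, backoff_enabled=False)
    selfish2 = Station("selfish-2", aifsn=1, backoff_enabled=False, signal=0.5)
    return {
        "two fair stations": contend([fair_a, fair_b], rounds, capture_effect=False),
        "fair vs selfish": contend([fair_a, selfish], rounds, capture_effect=False),
        "two selfish, no capture": contend([selfish, selfish2], rounds, capture_effect=False),
        "two selfish, capture": contend([selfish, selfish2], rounds, capture_effect=True),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(label, result)
```

Two fair stations split the medium roughly evenly and collide about one round in sixteen; against a selfish station the fair one never transmits, because its minimum wait (2 slots) is always longer than the selfish station's fixed 1 slot; two selfish stations collide every round unless the capture effect favours the stronger one. The simulation models capture by signal strength only; the talk also mentions that the lower bit-rate frame wins.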

Countermeasures to this problem:

  • the DOMINO defense system detects selfish devices.

What if there are multiple selfish stations?
In theory, in a collision both frames are lost, but in reality, due to the “capture effect”, the frame with the best signal and lowest
bit-rate is decoded (similar to FM radio).

Continuous jamming

How it works:

  • instant transmit: disable carrier sense.
  • no interruptions: queue an infinite number of packets.

The result:
  • only the first packet is visible in monitor mode.
  • other devices are silenced.

What is the impact in practice:
any device that uses the 2.4 or 5 GHz band can be jammed, not only WiFi but also other devices such as security cameras.

Selective jammer

Decides based on the header whether to jam the frame,
so it has to:

  • detect and decode the header.
  • abort receiving the current frame.
  • inject a dummy packet.

The hard part is the first step. It is done by monitoring the (RAM) memory written by the radio chip.

Impact of the attacks on higher layers

Breaking WPA2; this is a shorter version of: KRACKing WPA2 in Practice Using Key Reinstallation Attacks.

Hacking driverless vehicles (by Zoz)

Driverless vehicle advantages:

  • energy efficiency
  • time efficiency

Main roadblocks:
  • shared infrastructure (they have to share the roads with cars driven by humans).
  • acceptance (safety, robustness).

Classical failures:

  • RQ-3 DarkStar, a self-flying drone; it crashed due to cracks in the runway.
  • Sandstorm, a self-driving car contest entry; in this case a mismatch between the GPS information and the other sensors.

Autonomous vehicle logic structure:

Mission task planners
|
Navigation
|
Collision avoidance
|
Control loops

Sensors used by driverless vehicles:

  • active vs passive sensors
  • common sensors:
    • GPS
    • LIDAR
    • cameras
    • wave radar
    • digital wheel encoders

Sensor attacks

Two kinds:

  • denial
  • spoofing – craft false data

GPS:

  • denial – jamming
  • spoofing – fake GPS satellite signals

LIDAR

  • denial:
    • active overpowering
    • preventing returning signal
  • spoofing
    • can fake road markings invisible to humans
    • can make solid looking objects

Digital compass:

  • extremely difficult to interfere with.

Acoustic attacks:

  • the gyroscope vibrates and has a resonance frequency.

Levelling Up Security @ Riot Games (by Mark Hillick)

The talk was structured in 2 parts: what Riot Games did to enhance security in 2015 and what they are doing to enhance security in 2018.

2015

  • introduced the idea of the security champion.
  • introduced the RFC (Request For Comments) document = technical design.
    • not an approval process, it is more about receiving advice.
    • becomes a standard through adoption.
  • introduced a bug bounty program.

2018

  • the security team doubled in size.
  • the sec-ops team and the red team work together.
  • put in place an anti-cheating strategy:
    • prevention
    • detection
    • deterrence

Top vulnerabilities (from their top 8):

  • improper authentication.
  • open redirect.
  • information disclosure.
  • business logic errors.

Challenges around secrets:

  • an AWS API key was detected in a commit.
  • how to fix it:
    • provide temporary AWS API tokens.
    • remove the use of long-lived AWS API keys.

Social engineering for penetration testers (by Sharon Conheady)

Definition: efforts to influence popular attitudes and social behavior.

Main takeaway (for 2018): social engineering (a.k.a. SE) is used more and more, but the techniques themselves have not changed much.

What has changed since 2009?
Nothing.

Examples of social engineering through history (shown in the talk).

What has changed since 2009 (when the same talk was first given):

  • the scale of the attacks.
  • sophistication.
  • more targeted.
  • ethical SE is mostly phishing.

Why social engineering (still) works:

  • people want to help.
  • greed.
  • tendency to trust.
  • complacency.
  • people do not like confrontation.

Stages of an attack

  • target identification
  • reconnaissance
    • passive information gathering
    • physical reconnaissance
    • Google Maps
    • where are the security guards
  • sample scenarios
    • tailgating
  • going in for the attack
    • use your scenario to get in
    • prove you were there
    • have an exit strategy
  • write the report
  • tell the story

The 99c heart surgeon dilemma (by Stefan Friedli)

The presentation was about bad pen-test examples and how to make things better.

It starts with examples of bad pen tests:

  • Unclear impact metrics.
  • Accidentally pasting other customer names.
  • Reported false positives.

How to make things better:

  • Avoid security companies offering bad services. How:
    • Ask about procedures and standards.
    • Ask to talk to the testers.
    • Check for community participation.
    • Look at sample deliverables.
  • How to fix penetration testing:
    • Involve more people.
    • Have more conversations.
    • Don’t stop at the report.

(My) BruCON 2017 Notes (2)

Here are my quick notes from the BruCON 2017 conference. All the slides can be found here.

How hackers changed the security industry and how we need to keep changing it

Back in the ’90s the hacker community was viewed with suspicion by the software industry, because hackers were finding security problems and the software publishers had no process to handle these findings.

Back in the ’90s the only reference for creating a secure system was the “Orange Book”; but the Orange Book is all about security features, with no word about bugs or vulnerabilities.

CERT: the internet community had no means to fight against malware, which is why CERT was created. But the hacker community stopped participating in CERT because there was no traceability of the reported issues, so Bugtraq was created.

Hackers created the concept of the pen-test and the first (hacking) tools:

  • crack
  • SATAN (first network scanner)
  • netcat
  • NFR (first IDS)

The idea of securing systems by trying to break them was initially not very welcome in the industry.

In 2000 companies started to hire hackers.
2002: Microsoft Trustworthy Computing; all the processes of this initiative were influenced by hackers.

2003 (the modern security era):

  • pen tests became a requirement.
  • companies created bug bounty programs.

The idea that security is an external process applied at the end is broken.
Security must be embedded in each part of the SDLC.

See no evil, hear no evil: Hacking invisibly and silently with light and sound

The talk was about how sound and light can be used to remotely extract information, and was articulated around 3 parts:

  • jumping air-gaps
    • air-gap = a computer isolated from the network; the goal is to jump the air gap between that computer and the network in order to exfiltrate data from the isolated computer.
    • ways of exfiltrating data:
      • screen luminosity; used to send commands to an infected laptop, or for data exfiltration.
      • near-ultrasonic sounds; same goals as the previous one.
      • spectrogram: embed images in sound files.
    • mitigations for jumping air-gaps:
      • screen filters
      • disable luminosity sensors
      • disable microphones/speakers
  • surveillance and anti-surveillance
    • laser microphone: quite easy and cheap to make.
    • sniffing and cloning IR (infra-red) signals; used for bypassing IR motion detectors.
  • funny things (done by the presenter)
    • Delayed Auditory Feedback (speech jamming): the presenter built a software version.
    • demotivating malware analysts: create a spectrogram image and add it to a program that somebody will try to reverse.
    • ultrasonic attack against drones

This is a kind of mind-map of the talk:

XFLTReaT: a new dimension in tunnelling

This talk had 2 goals: the first one is about building tunnels and the second is to present the XFLTReaT framework. Apparently the framework is very modular and easily extensible.

XFLTReaT

  • tunneling framework
  • plug and play
  • modular
  • you do not have to take care yourself of:
    • setting up routing
    • handling multiple users
    • encryption

Client-server approach; the client has a check functionality to find out which protocol is not filtered on the network.


(My) Brucon 2017 notes (1)

Here are my quick notes from the BruCON 2017 conference. All the slides can be found here.

Detecting malware when it is encrypted – machine learning for network https analysis

The goal is to find a way to detect malware using HTTPS without decrypting the traffic.

Context:

  • half of the worldwide Internet traffic is encrypted.
  • 10%-40% of all malware traffic is encrypted.
  • the encryption interferes with the efficacy of classical detection techniques.

Some solutions to the problems:

  • TLS inspection; basically a (TLS-intercepting) proxy that sits in the middle between the server and the client
    • advantage: the classical detection methods can be used
    • drawback: the proxy server is expensive
    • drawback: computationally demanding
  • try to detect without HTTPS decryption

Detect malware with no HTTPS decryption

Dataset used:

The Bro IDS was used to capture different logs:

  • conn.log
  • ssl.log
  • x509.log

All these logs are aggregated in order to create SSL aggregations and then generate SSL-connect-units (each SSL-connect-unit represents an SSL connection). Each SSL-connect-unit has a source IP, destination IP, destination port, protocol and about 40 other features (properties) such as the number of packets, number of bytes, number of different certificates, and the ratio of established to not-established states.

A data set was created from all these SSL-connection-units and machine learning algorithms were run against it.

(ML) Algorithms used

  • XGBoost (Extreme Gradient Boosting)
  • Random forest
  • Neural network
  • SVM

After running all these ML algorithms, the features identified as the most important ones for detecting malware traffic were:

  • certificate length of validity
  • inbound and outbound packets
  • number of domains in the certificate
  • SSL/TLS version
  • periodicity
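As an added example (my own code, not the speakers'), here is the feature extraction step over constructed Bro-format conn.log, ssl.log and x509.log records: connections are joined by uid, grouped into one unit per (source IP, destination IP, destination port) so that periodicity can be measured across connections (an assumption about how the talk's units were built), and the features listed above are computed: certificate validity in days, packets in both directions, number of domains in the leaf certificate, TLS versions, and periodicity as the coefficient of variation of the inter-arrival times. Only the log columns used here are included; real logs have many more.

```python
"""Build per-flow 'SSL connection units' from Bro/Zeek conn.log, ssl.log and
x509.log records and compute the features the talk found most useful:
certificate validity length, packets in/out, number of domains in the
certificate, TLS version and periodicity. The logs below are constructed."""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Bro's ASCII log format: tab separated, '#fields' names the columns, other
# '#' lines are metadata, '-' means an unset field.
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tconn_state\torig_pkts\tresp_pkts
1500000000.0\tC1\t10.0.0.5\t49152\t203.0.113.9\t443\tSF\t12\t10
1500000060.0\tC2\t10.0.0.5\t49153\t203.0.113.9\t443\tSF\t12\t10
1500000120.0\tC3\t10.0.0.5\t49154\t203.0.113.9\t443\tSF\t12\t10
1500000180.0\tC4\t10.0.0.5\t49155\t203.0.113.9\t443\tS0\t3\t0
1500000007.0\tC5\t10.0.0.5\t49160\t198.51.100.4\t443\tSF\t40\t95
1500000391.0\tC6\t10.0.0.5\t49161\t198.51.100.4\t443\tSF\t55\t120
1500001950.0\tC7\t10.0.0.5\t49162\t198.51.100.4\t443\tSF\t38\t90
"""
SSL_LOG = """#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tversion\tserver_name\tcert_chain_fuids\testablished
1500000000.0\tC1\t10.0.0.5\t203.0.113.9\t443\tTLSv10\t-\tF1\tT
1500000060.0\tC2\t10.0.0.5\t203.0.113.9\t443\tTLSv10\t-\tF1\tT
1500000120.0\tC3\t10.0.0.5\t203.0.113.9\t443\tTLSv10\t-\tF1\tT
1500000180.0\tC4\t10.0.0.5\t203.0.113.9\t443\tTLSv10\t-\t-\tF
1500000007.0\tC5\t10.0.0.5\t198.51.100.4\t443\tTLSv12\twww.example.invalid\tF2,F3\tT
1500000391.0\tC6\t10.0.0.5\t198.51.100.4\t443\tTLSv12\twww.example.invalid\tF2,F3\tT
1500001950.0\tC7\t10.0.0.5\t198.51.100.4\t443\tTLSv12\twww.example.invalid\tF2,F3\tT
"""
X509_LOG = """#fields\tid\tcertificate.not_valid_before\tcertificate.not_valid_after\tsan.dns
F1\t1499990000.0\t1502582000.0\t-
F2\t1480000000.0\t1511536000.0\twww.example.invalid,example.invalid,cdn.example.invalid
F3\t1400000000.0\t1700000000.0\t-
"""

Unit = Tuple[str, str, str]


def parse_bro(text: str) -> List[Dict[str, str]]:
    """Parse a Bro ASCII log into a list of row dicts keyed by '#fields'."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def build_units(conn, ssl, x509) -> Dict[Unit, Dict]:
    """Group SSL connections by (source IP, destination IP, destination port)
    into one unit each and compute its feature vector."""
    conn_by_uid = {r["uid"]: r for r in conn}
    certs = {r["id"]: r for r in x509}
    groups = defaultdict(list)
    for s in ssl:
        c = conn_by_uid.get(s["uid"])
        if c is not None:
            groups[(s["id.orig_h"], s["id.resp_h"], s["id.resp_p"])].append((s, c))

    units = {}
    for key, pairs in groups.items():
        ts = sorted(float(s["ts"]) for s, _ in pairs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # The first id in cert_chain_fuids is the leaf certificate.
        leaf_ids = {s["cert_chain_fuids"].split(",")[0] for s, _ in pairs
                    if s["cert_chain_fuids"] != "-"}
        leaf = certs[sorted(leaf_ids)[0]] if leaf_ids else None
        san = leaf["san.dns"] if leaf else "-"
        units[key] = {
            "n_conns": len(pairs),
            "n_certs": len(leaf_ids),
            "orig_pkts": sum(int(c["orig_pkts"]) for _, c in pairs),
            "resp_pkts": sum(int(c["resp_pkts"]) for _, c in pairs),
            "established_ratio": sum(s["established"] == "T" for s, _ in pairs) / len(pairs),
            "tls_versions": sorted({s["version"] for s, _ in pairs}),
            "validity_days": (float(leaf["certificate.not_valid_after"])
                              - float(leaf["certificate.not_valid_before"])) / 86400
                             if leaf else None,
            "cert_domains": 0 if san == "-" else len(san.split(",")),
            # Coefficient of variation of inter-arrival times: ~0 means beaconing.
            "periodicity_cv": (statistics.pstdev(gaps) / statistics.mean(gaps))
                              if len(gaps) >= 2 and statistics.mean(gaps) > 0 else None,
        }
    return units


def features() -> Dict[Unit, Dict]:
    return build_units(parse_bro(CONN_LOG), parse_bro(SSL_LOG), parse_bro(X509_LOG))


if __name__ == "__main__":
    for unit, vector in features().items():
        print(unit, vector)
```

On the constructed data the first unit (connections every 60 seconds, a 30-day certificate with no SAN entries, TLS 1.0, one failed handshake) ends up with a periodicity of exactly 0 and a short validity, while the second (irregular timing, a one-year certificate with three domains, TLS 1.2) looks like ordinary browsing; these are the kinds of columns a classifier such as the ones listed above would be trained on.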


Knock Knock… Who’s there? admin admin and get in! An overview of the CMS brute-forcing malware landscape.

The talk was about malware brute-force attacks against WordPress sites, WordPress being the most used CMS product.

Historical overview of brute-force malware:

2009 – first distributed brute-force attack against WordPress
2013 – FortDisco, which also installed backdoors on the system
2014 – Mayhem
2015 – Aethra
2015 – CMS Catcher
2015 – Troldesh
2017 – Stantinko

Deep dive into the Sathurbot malware

Modular botnet with 4 modules, among them:

  • backdoor module
  • crawling module
  • brute-force module

Evading Microsoft ATA for Active Directory Domination

Microsoft ATA

  • Microsoft Advanced Threat Analytics
  • a product that detects attacks by reading (network) traffic
  • how it is deployed: an ATA gateway that intercepts the traffic

Threats detected by ATA:

  • recon
  • compromised credentials
  • lateral movement
  • domain dominance

Evading ATA:

  • not poking the DC (Domain Controller) is the key.
  • if you can't bypass it, avoid it by talking to the DC as little as possible.

Attacking the ATA deployment:

  • the ATA console can be identified with basic banner grabbing.

Secure channels: Building real world crypto systems

What are secure channels: the goal is to guarantee the confidentiality and integrity of data travelling over an untrusted network.

Objectives of a secure channel:

  • confidentiality
  • integrity
  • authenticity

Constructing a secure channel:

  • need a way to exchange keys: a key establishment protocol.
  • need a key derivation phase.

Secure channel protocol design phases:

  • channel establishment
  • key establishment
  • secure data transfer
  • finishing the protocol
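To make the phases concrete, here is an added example (my own toy, not the speaker's code) that runs all of them between an in-memory client and server using only the Python standard library: key establishment with Diffie-Hellman over the RFC 2409 1024-bit MODP group, key derivation with HKDF-SHA256 into separate client-to-server and server-to-client encryption and MAC keys bound to the handshake transcript, a "finished" exchange that confirms both sides derived the same keys, and record-level data transfer with sequence numbers and encrypt-then-MAC. Because the stdlib has no AEAD, confidentiality comes from an HMAC-based keystream; that, the group size and the lack of peer authentication are deliberate simplifications, and a real system would use X25519 and AES-GCM or ChaCha20-Poly1305 behind TLS or Noise.

```python
"""Toy secure channel in the four phases from the talk: key establishment
(Diffie-Hellman), key derivation (HKDF-SHA256 into directional keys), key
confirmation ("finished"), then authenticated data transfer with sequence
numbers. Stdlib only, so confidentiality uses an HMAC keystream.
Illustration only: not authenticated against a peer identity, 1024-bit group."""
import hashlib
import hmac
import secrets
import struct

# RFC 2409 group 2 (1024-bit MODP) prime; too small for production.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
LABEL = b"toy secure channel v1"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 extract-then-expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, seq || block index). The sequence number
    doubles as the nonce, so a key/nonce pair is never reused."""
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, struct.pack(">QI", seq, i), hashlib.sha256).digest()
    return out[:length]


class Endpoint:
    def __init__(self, role: str):
        self.role = role                      # "client" or "server"
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.priv, P)
        self.send_seq = 0
        self.recv_seq = 0

    def derive(self, peer_pub: int, transcript: bytes) -> None:
        """Key establishment + key derivation. The transcript (both public
        values) is mixed in so the keys are bound to this exact handshake."""
        shared = pow(peer_pub, self.priv, P).to_bytes(128, "big")
        km = hkdf_sha256(shared, hashlib.sha256(transcript).digest(), LABEL, 4 * 32)
        c2s = (km[0:32], km[32:64])      # (encryption key, MAC key) client -> server
        s2c = (km[64:96], km[96:128])    # server -> client
        self.send_keys, self.recv_keys = (c2s, s2c) if self.role == "client" else (s2c, c2s)
        self.transcript = transcript

    def finished(self) -> bytes:
        """Key confirmation: prove possession of the derived MAC key over the transcript."""
        return hmac.new(self.send_keys[1], b"finished" + self.transcript, hashlib.sha256).digest()

    def verify_finished(self, tag: bytes) -> bool:
        expected = hmac.new(self.recv_keys[1], b"finished" + self.transcript, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def seal(self, plaintext: bytes) -> bytes:
        enc_key, mac_key = self.send_keys
        seq, self.send_seq = self.send_seq, self.send_seq + 1
        ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, seq, len(plaintext))))
        header = struct.pack(">Q", seq)
        tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()   # encrypt-then-MAC
        return header + ct + tag

    def open(self, record: bytes) -> bytes:
        enc_key, mac_key = self.recv_keys
        header, ct, tag = record[:8], record[8:-32], record[-32:]
        if not hmac.compare_digest(hmac.new(mac_key, header + ct, hashlib.sha256).digest(), tag):
            raise ValueError("bad MAC")           # verify before touching the ciphertext
        (seq,) = struct.unpack(">Q", header)
        if seq != self.recv_seq:
            raise ValueError("replayed or reordered record")
        self.recv_seq += 1
        return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, seq, len(ct))))


def handshake():
    """Run the phases between an in-memory client and server."""
    client, server = Endpoint("client"), Endpoint("server")
    transcript = client.pub.to_bytes(128, "big") + server.pub.to_bytes(128, "big")
    client.derive(server.pub, transcript)
    server.derive(client.pub, transcript)
    if not (server.verify_finished(client.finished()) and client.verify_finished(server.finished())):
        raise RuntimeError("key confirmation failed")
    return client, server


if __name__ == "__main__":
    c, s = handshake()
    print(s.open(c.seal(b"hello over the channel")))
```

Two design points are worth noticing even in a toy: each direction gets its own keys so a record can never be reflected back to its sender, and the receiver checks the MAC before it looks at the sequence number or decrypts anything, so a tampered record is rejected without advancing any state and the original can still be delivered afterwards.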

How to build efficient security awareness programs

Some quotes from the talk:

  • Security problems arise where more than one security technology overlap.
  • Stop trying to fix human behavior with tech only; maybe there are other ways to fix it.
  • Security isn’t always a business problem, but it’s always a human problem.
  • Tools to fix the human factor in security:
    • Fear
    • Incentives
    • Habits
      • trigger
      • routine
      • reward
      • repeat

Open Source Security Orchestration

Context:

  • multiple cloud servers, all using the same Fail2ban jail.
  • how can the different servers communicate?

In security operations most workflows are manual despite the multitude of solutions.
Different scenarios where automation could help a lot:

  • firewall rule propagation
  • drop propagation
  • preventing known threats
  • capturing threat activity

How to do the orchestration: using the Adaptive Network Protocol (ANP)

  • developed so that nodes can share event information with each other.
  • an ANP agent needs to be installed on each node.

(My) BruCON 2016 notes (3)

Here are my quick notes from the BruCON 2016 conference. All the slides can be found here.

NO EASY BREACH: Challenges and Lessons Learned from an Epic Investigation

The attack started with a phishing email; it compromised more than 2,000 systems and 50,000 emails.

How the attack took place:

1. fast-paced attacker

  • 10-25 systems infected every day.
  • the attacker stole information every day.

response

  • develop indicators to aid triage.
  • focus on: lateral movement, pivoting, recon, new tools or backdoors.
  • streamlined documentation.

lessons learned

  • be fast and flexible.

2. stealthy attacks

  • used anti-forensics techniques to hide endpoint and network activity.
  • altered communication scheme + strong crypto.
  • mass activity to obscure the real target.
  • data theft using only legitimate US-based services: Gmail, Google Drive, OneDrive.

response

  • maximize the utility of trace forensic artifacts.
  • some attacker behavior was recovered from sdelete traces.
  • took time and patience to filter out the network noise.
  • deployed additional open-source tech.

lessons learned

  • improve visibility and don’t stop looking.
  • map attacker activity to potential data sources.
  • network timestamps provide a reliable chronology.

3. rapidly evolving tactics

  • seven unique persistence mechanisms.
  • seven distinct backdoor families.
  • minimal re-use of the metadata commonly tracked and shared as indicators.

response

  • fought to keep network visibility on all malware families.
  • spent time analyzing systems with unknown activity.
  • created indicators for every stage of the attack life-cycle.
  • developed flexible & resilient indicators.

lessons learned

  • enhance and test your best indicators even when they’re working.

4. advanced attack techniques

  • the attacker leveraged PowerShell.
  • used Windows Management Instrumentation (WMI).
  • the attacker used Kerberos ticket attacks, which made tracking lateral movement difficult.

response

  • searched for WMI persistence.
  • identified evidence of attacker code in the WMI repository.
  • parsed out embedded scripts and malware.
  • updated the environment to PowerShell 3.0 and enabled logging.
  • turned the attacker’s PowerShell usage from a threat into a benefit: logging plus IOCs made finding attacker activity much easier.
  • worked around the Kerberos attacks: looked for remote Kerberos logons around the time of attacker activity.

Hacking KPN: Lessons from the trenches

The presentation was about 3 different vulnerabilities discovered by the KPN red team.

  1. a vulnerability linked to Java deserialization
    1. the KPN team forked a Java deserialization Burp plug-in
  2. Citrix NetScaler
    1. a NetScaler login vulnerability
  3. reverse-engineering cryptography from a binary

New Adventures in Active Defense, Offensive Countermeasures and Hacking Back

The idea was that the security industry keeps doing the same things over and over again; very often, as defenders, we build very static walls. So the presenter proposes an “active defense”:

Active defense is not about:

  • hacking back
  • one technical solution
  • revenge

Active defense is about:

  • having a range of solutions.

All the proposed solutions and demos are part of the Active Defense Harbinger Distribution (ADHD), a Linux distribution based on Ubuntu LTS that comes with many tools aimed at active defense pre-installed and configured. Some demos of the following components:

  • WebLabyrinth
  • honey ports
  • HoneyBadger
  • jarcombiner