BruCON 0x09

Introduction
Intrinsec attended the 9th edition of BruCON this year, a security conference held in Ghent, Belgium, over two days (October 5-6, 2017).
In addition to a large number of talks and workshops on security and ICS (Industrial Control Systems), an entire floor was dedicated to retro-gaming:



In this article, we detail the talks and workshops that made the biggest impression on us. All the conference materials are available on the official website, and the recordings are on YouTube.
Thanks again to everyone who helped make this event a success.
The First Cyber Short – Lessons learned on the way to Wall Street

Introduction
Justine Bone, security researcher and CEO of MedSec, used this keynote to present an innovative and controversial approach, market-based cybersecurity, whose central idea is to focus on the security of products rather than on the security of companies.
Cybersecurity: A spotty history
As Justine points out, although significant efforts are being made by IT departments to improve security, paranoia and a lack of trust persist among customers and businesses outside the IT sector. However, as security incidents become more frequent and publicized, users are starting to ask questions and take an interest in the issue. Finally, the financial impact is beginning to be felt, particularly on the stock prices of affected companies, and is having a lasting effect.
Hackers are inventors and risk takers
Justine then presented her observations on the cybersecurity industry, which in her view mostly follows a predetermined line of thinking (directional thinking) that security researchers accept without question. This approach is no longer effective: on the one hand, defense has historically proven ineffective; on the other, attacking is becoming both less motivating and increasingly expensive.
The security industry needs to demonstrate innovation, which can be represented by the following formula:
Innovation = creativity + value
The fallout of «responsible» disclosure
The principle of «responsible disclosure», initially introduced by Microsoft in the early 2000s, was then presented and criticized.
Large companies have indeed imposed restrictive conditions and defined a framework that lets them fully control the vulnerability reporting process, reducing both its impact and scope and the revenue earned by security researchers. With the arrival of bug bounties, the principle was renamed «coordinated disclosure» without any change in how it works.
Meet the customers: investors
The idea here is to focus on "activist" investors, who may be traders, bankers, lawyers, or even security experts, and whose main activity is to take a detailed interest in the company in order to understand its strengths and weaknesses.
Among these «activists», Justine singles out the «short sellers»: those who sell shares of the targeted company that they do not own (shares lent to them, for instance) before the price falls, then buy them back once the price has bottomed out. The maneuver is risky (a share price can rise indefinitely, so by definition can the potential loss) and legal, since it does not rely on internal company information (insider trading), but very lucrative, as Justine Bone points out.
Cybersecurity as contributing research
She then detailed the steps to follow and the pitfalls to avoid when starting out in this field.
First, a POC (Proof of Concept) that merely identifies a vulnerability is not enough: the exploits produced must be repeatable and reliable.
Furthermore, not all vulnerabilities are equal: hardware vulnerabilities are preferred to firmware vulnerabilities, which are in turn preferred to software vulnerabilities.
Non-technical aspects
Everything will be done to discredit the research results, and particular attention will be paid to the history of the researcher who disclosed the security flaw.
Communication is a critical aspect here: it is necessary to document and demonstrate the functioning of the vulnerability in a clear and concise manner in order to avoid any distortion on the part of the targeted company.
Finally, even if every precaution has been taken, the exchange may not go through: lawyers may block the process, or the company may simply be unable to fix the vulnerability (very common for «hardware» vulnerabilities).
Conclusion
Justine Bone concluded her presentation by stressing that the «cyber short» is the innovation our market needs, and could be an alternative to the classic «responsible» and «coordinated» disclosure.
Source
Detecting malware even when it is encrypted – Machine Learning for network HTTPS analysis

František Střasák – Sebastian Garcia
Introduction
Today, half of all web traffic worldwide is encrypted, and so is about a third of the traffic generated by malware (estimates range from 10% to 40%).
The problem with encryption is that it interferes with the effectiveness of traditional malware detection techniques.
One classic solution is HTTPS inspection: decrypt the traffic, analyze it, then re-encrypt it (Man-in-the-Middle). The usual analysis tools can then be applied, but this approach has several drawbacks:
- a high cost (machine resources, processes to put in place);
- a risk to the confidentiality of the exchanges.
Another solution is not to decrypt the traffic and to rely solely on the characteristics of the encrypted traffic.
The purpose of the research work
Research was therefore conducted by František Střasák to detect HTTPS traffic generated by malware with a low false positive rate and a high detection rate.
Definition of the dataset
To do this, four subsets of data composed of traffic from malware and legitimate applications were used:
- CTU-13 dataset – public (composed of legitimate and malicious traffic)
- MCFP dataset – public (composed of legitimate and malicious traffic)
- Own normal dataset – public (composed of legitimate traffic related to 3 days of access to classic sites belonging to the Alexa top 100)
- Normal CTU dataset – almost public (composed of legitimate traffic generated by 22 individuals from the FEE CTU department)
Method and tool
The researchers started from pcap files and processed them with Bro (since renamed Zeek) to produce the following log files:
- conn.log: TCP/UDP/ICMP connections
- ssl.log: SSL/TLS handshake, certificate chain, cipher suites, etc.
- x509.log: information from the X.509 certificates (serial number, common name, validity, etc.)
File analysis
Since the log files are interconnected, it is possible to implement a reference and numbering system as illustrated by the diagram below:

From various metrics and constants, it is then possible to compute ratios and relationships between SSL connections (connection durations, time between connections, differences in durations, etc.) as well as on the certificates (mean certificate chain length, standard deviation of the chain length, ratio between the «common name» (CN) and the DNS entries).
Machine learning algorithms
A dataset was built from all these SSL connection units (ssl-connect-units), and the following machine learning algorithms were run against it:
- XGBoost
- Random forest
- Neural network
- SVM
Experiments
The first step was to split the dataset into N subsets, each containing the traffic of a single malware sample. For each subset:
- split into training data and test data;
- cross-validation on the training data;
- training on the training data and testing on the test data.
Following the various tests, it was possible to measure the following results:
- Experiment 1 (normal / malware distribution: 50% / 50% for both training and testing)
  - XGBoost -> accuracy of 92%
  - Random Forest -> accuracy of 90%
- Experiment 2 (normal / malware distribution: 40% / 60% for training, 3% / 97% for testing)
  - XGBoost -> accuracy of 92.45%
  - Random Forest -> accuracy of 95.65%
A large number of experiments were conducted to find the right parameters and determine those impacting the detection rate:
- certificate validity period
- certificate validity
- connection duration
- number of domains in the certificate
- the version of SSL/TLS used
- the periodicity of connections
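To make the "SSL connect unit" aggregation and the feature list above concrete, here is an added example (not the researchers' code) that joins Bro conn.log, ssl.log and x509.log records through their shared uid and certificate ids, groups them per (client, server, port, SNI), and computes the kind of features discussed: connection duration statistics, time between connections (periodicity), certificate validity period, certificate chain length, CN/SAN match ratio and TLS versions. The log excerpts are constructed and reduced to the columns used; the grouping key and the exact feature set are assumptions for the demonstration.

```python
"""Added example: aggregate Bro/Zeek logs into per-(client, server, port, SNI)
"SSL connect units" and derive statistical features from them."""
import statistics
from collections import defaultdict

# Constructed Bro log excerpts (only the columns used here).
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tduration
1507200000.0\tC1\t10.0.0.5\t50001\t198.51.100.7\t443\t0.9
1507200060.0\tC2\t10.0.0.5\t50002\t198.51.100.7\t443\t1.1
1507200120.0\tC3\t10.0.0.5\t50003\t198.51.100.7\t443\t1.0
1507200007.0\tC4\t10.0.0.5\t50004\t203.0.113.9\t443\t12.4
"""
SSL_LOG = """#fields\tts\tuid\tversion\tserver_name\tcert_chain_fuids
1507200000.0\tC1\tTLSv10\tupdate.example-cdn.net\tF1
1507200060.0\tC2\tTLSv10\tupdate.example-cdn.net\tF1
1507200120.0\tC3\tTLSv10\tupdate.example-cdn.net\tF1
1507200007.0\tC4\tTLSv12\twww.example.org\tF2,F3
"""
X509_LOG = """#fields\tid\tcertificate.subject\tcertificate.not_valid_before\tcertificate.not_valid_after\tsan.dns
F1\tCN=localhost\t1507100000.0\t1538636000.0\t-
F2\tCN=www.example.org\t1500000000.0\t1563072000.0\twww.example.org,example.org
F3\tCN=Example CA\t1400000000.0\t1700000000.0\t-
"""


def parse_bro(text):
    """Parse Bro's tab-separated log format using its #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def _cn(subject):
    """Extract the CN attribute from a certificate subject string."""
    for part in subject.split(","):
        if part.strip().startswith("CN="):
            return part.strip()[3:]
    return ""


def build_units(conn_log=CONN_LOG, ssl_log=SSL_LOG, x509_log=X509_LOG):
    """Group SSL connections into units (assumed key) and compute features."""
    conns = {r["uid"]: r for r in parse_bro(conn_log)}
    certs = {r["id"]: r for r in parse_bro(x509_log)}
    groups = defaultdict(list)
    for s in parse_bro(ssl_log):            # ssl.log and conn.log share the uid
        c = conns.get(s["uid"])
        if c:
            key = (c["id.orig_h"], c["id.resp_h"], c["id.resp_p"], s["server_name"])
            groups[key].append((float(c["ts"]), float(c["duration"]), s))
    units = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r[0])
        durations = [d for _, d, _ in recs]
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]   # periodicity
        chain_lens, validity_days, cn_match, versions = [], [], [], set()
        for _, _, s in recs:
            versions.add(s["version"])
            fuids = [f for f in s["cert_chain_fuids"].split(",") if f not in ("", "-")]
            chain_lens.append(len(fuids))
            leaf = certs.get(fuids[0]) if fuids else None      # first fuid is the leaf
            if leaf:
                nvb = float(leaf["certificate.not_valid_before"])
                nva = float(leaf["certificate.not_valid_after"])
                validity_days.append((nva - nvb) / 86400)
                sans = [] if leaf["san.dns"] == "-" else leaf["san.dns"].split(",")
                cn_match.append(s["server_name"] == _cn(leaf["certificate.subject"])
                                or s["server_name"] in sans)
        units[key] = {
            "n_conns": len(recs),
            "duration_mean": statistics.mean(durations),
            "duration_std": statistics.pstdev(durations),
            "gap_mean": statistics.mean(gaps) if gaps else 0.0,
            "gap_std": statistics.pstdev(gaps) if gaps else 0.0,
            "chain_len_mean": statistics.mean(chain_lens),
            "validity_days_mean": statistics.mean(validity_days) if validity_days else 0.0,
            "cn_match_ratio": sum(cn_match) / len(cn_match) if cn_match else 0.0,
            "tls_versions": sorted(versions),
        }
    return units


if __name__ == "__main__":
    for key, feats in build_units().items():
        print(key, feats)
```

In the constructed data, the unit talking to 198.51.100.7 shows the profile the talk describes for malware: strictly periodic connections (60 s apart, zero deviation), TLS 1.0, a one-element chain whose CN (localhost) matches neither the SNI nor any SAN. Each row of such a table is what gets fed to XGBoost or a random forest.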
Conclusion
In concluding his presentation, František Střasák indicated that many criteria still needed to be analyzed and that the false positive rates were still too high. However, the outcome of this research could make it possible to detect malware activity without ever decrypting the traffic and therefore without compromising the confidentiality or integrity of the communications.
Sources
Knock Knock…Who’s there? Admin admin and get in! – An overview of the CMS brute forcing malware landscape

Introduction
Anna Shirrokova, a cognitive threat analyst at Cisco, presented in three parts the malware targeting CMSs using brute-force attacks:
- History of the campaigns
- Analysis of how malware works
- Detection methods
History of the campaigns
The research allows the following chronology to be traced:
- 2009: first observation of a distributed brute-force attack;
- 2013: FortDisco brute-forced WordPress sites and also performed redirections and served exploit kits (Blackhole, Styx, etc.);
- 2014: Mayhem contained 6 brute-force modules (FTP, CMS);
- 2015: Aethra targeted companies based in Italy that exposed WordPress administration interfaces with default credentials; LizardSec scanned to build a botnet;
- 2015: Troldesh behaved as ransomware and then, once the data was encrypted, brute-forced various CMSs;
- 2017: Stantinko behaved as adware and contained a brute-force module.
Anna then explained that these malware programs included brute-force modules because these are easy to set up, automatable, and very effective.
Analysis of Sathurbot
A detailed presentation of the modular malware Sathurbot followed.
It includes the following modules:
- backdoor
- downloader
- web crawler
- brute force
The identified infection vector is the download of an executable distributed through torrent files.
Once implanted, Sathurbot retrieves the list of sites to target through queries to search engines such as Google, Bing or Yandex.
A list of WordPress sites is then built from those results by trying to reach the "wp-login.php" page.
The brute-force attack is then carried out through the "xmlrpc.php" script, which allows multiple authentication attempts to be packed into a single request (system.multicall).
An analysis of the communications with the C&C servers was then conducted to recover the domain names used across the different campaigns.
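To show why a single xmlrpc.php request is worth so much to a brute-forcer, here is an added example (not Sathurbot's code): it builds the kind of system.multicall body the malware sends, with one wp.getUsersBlogs authentication attempt per password, and a server-side check that parses such a body and counts the authenticating sub-calls it carries. The credentials are constructed, and the allowlist of methods that require authentication is an assumption chosen for the demonstration.

```python
"""Added example: xmlrpc.php system.multicall password guessing, and a filter
that counts the authentication attempts hidden in one POST body."""
import xmlrpc.client

# Methods that authenticate the caller before doing anything (assumed list).
# wp.getUsersBlogs is the classic target: a wrong password yields a per-call fault,
# so one multicall returns the verdict for every password at once.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getPosts"}


def build_multicall(username, passwords):
    """Pack one wp.getUsersBlogs attempt per password into a single XML-RPC body."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def build_single(username, password):
    """A plain (non-multicall) login attempt, for comparison."""
    return xmlrpc.client.dumps((username, password), methodname="wp.getUsersBlogs")


def inspect_request(body, max_auth_calls=1):
    """Parse an XML-RPC request body and decide whether to reject it.

    Returns the top-level method, the number of authenticating sub-calls
    and a reject flag (True when a multicall bundles more than max_auth_calls).
    """
    params, method = xmlrpc.client.loads(body)
    if method != "system.multicall":
        return {"method": method, "auth_calls": int(method in AUTH_METHODS), "reject": False}
    n = sum(1 for call in params[0]
            if isinstance(call, dict) and call.get("methodName") in AUTH_METHODS)
    return {"method": method, "auth_calls": n, "reject": n > max_auth_calls}


if __name__ == "__main__":
    wordlist = ["admin", "password", "123456", "letmein"]   # constructed
    body = build_multicall("admin", wordlist)
    print(len(body), "bytes carry", inspect_request(body)["auth_calls"], "login attempts")
```

The decision comes from the request body, not from the request count, which is why a rate limit on POST /xmlrpc.php alone is not enough. On the WordPress side the same effect is obtained by unregistering system.multicall through the xmlrpc_methods filter, or by disabling XML-RPC entirely when nothing needs it.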
Detection
Several techniques can be used to detect this type of malware:
- Using an IDS: not the best solution, as it generates many false positives;
- Implementing a SIEM: this makes it possible, for example, to identify machines that connect to a multitude of different sites in a short time;
- Behavioral analysis.
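The SIEM rule mentioned above is simple enough to write out. Here is an added example (not the speaker's code) that runs it over constructed proxy log lines: for each client, it keeps a sliding window of POSTs to WordPress login endpoints and raises an alert when the number of distinct target hosts in the window crosses a threshold. The log format, the five-minute window and the threshold of 20 hosts are assumptions for the demonstration.

```python
"""Added example: flag hosts that POST to wp-login.php / xmlrpc.php on many
different sites within a short sliding window (SIEM-style fan-out detection)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed log format: "<ISO timestamp> <client ip> <method> <url>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def make_sample_log():
    """Synthetic log: one workstation browsing normally and one infected host
    posting to the login endpoints of 30 different sites within two minutes."""
    t0 = datetime(2017, 10, 5, 9, 0, 0)
    lines = []
    for i, site in enumerate(["news.example.net", "shop.example.org", "docs.example.com"]):
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} 10.0.0.7 GET https://{site}/")
    for i in range(30):
        t = t0 + timedelta(seconds=4 * i)
        path = LOGIN_PATHS[i % 2]
        lines.append(f"{t.isoformat()} 10.0.0.23 POST https://blog{i}.example.com{path}")
    return sorted(lines)          # ISO timestamps sort chronologically as strings


def fanout_alerts(lines, window=timedelta(minutes=5), min_hosts=20):
    """Return {client_ip: peak distinct login hosts} for clients whose number of
    distinct hosts targeted inside any sliding window reaches min_hosts."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, host), oldest first
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, method, url = m.groups()
        parts = urlsplit(url)
        if method != "POST" or not parts.path.endswith(LOGIN_PATHS):
            continue
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((now, parts.hostname))
        while q and now - q[0][0] > window:     # expire events outside the window
            q.popleft()
        distinct = len({host for _, host in q})
        if distinct >= min_hosts:
            alerts[ip] = max(distinct, alerts.get(ip, 0))
    return alerts


if __name__ == "__main__":
    for ip, hosts in fanout_alerts(make_sample_log()).items():
        print(f"ALERT {ip}: login POSTs to {hosts} distinct sites within 5 minutes")
```

Counting distinct hosts rather than raw requests is what separates a crawler-style brute-forcer from a user who retries a password on one site; the same window logic transfers directly to any SIEM that can group by client and count distinct values over time.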
Conclusion
Anna concluded by saying that this type of malware was generally easy to detect, but that CMSs were still victims of this type of attack even though the methodologies used were the same within the different malware.
Sources
Evading Microsoft ATA for Active Directory Domination
Nikhil Mittal | https://github.com/samratashok
Introduction
Nikhil Mittal presented Microsoft ATA (Advanced Threat Analytics), a platform that detects attacks by analyzing Windows network traffic and events.
Detections – What ATA detects
ATA gateways usually receive a mirror of the domain controllers' (DCs) traffic and can detect several artifacts in the following attack phases:
- Reconnaissance
  - SMB session enumeration
  - Account enumeration
  - Domain controller enumeration
- Compromised credentials
  - Brute-force attacks
- Lateral movement
  - Pass-the-hash
  - Pass-the-ticket
  - Overpass-the-hash
- Domain dominance
  - Golden Tickets
  - Malicious replication requests (DCSync)
Bypassing ATA
Reconnaissance phase
After presenting the different detections, Nikhil showed how to get around them. The first logical point is to carry out internal reconnaissance intelligently: during enumeration, if the domain controller (DC) is not queried directly, the activity is not seen by ATA.
Below is an example of PowerView commands for session enumeration, run against the member computers themselves:
Get-NetComputer
Get-NetSession -ComputerName <server>
The same applies to the UserHunter tool when it is given a list of computers to query:
Invoke-UserHunter -ComputerFile <file>
Overpass-the-hash
To avoid detection during lateral movement with the «Overpass-the-hash» technique, simply supply the AES keys retrieved from memory, which Kerberos uses natively, instead of relying on the NTLM hash alone:
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<user> /domain:<domain> /aes256:<aes256> /ntlm:<ntlm> /aes128:<aes128>"'
Golden Ticket
Once the previous technique has succeeded with the keys of a domain administrator, the next step is to generate a Golden Ticket.
By default, this manipulation of Kerberos tickets is detected because of the encryption downgrade it involves (RC4 instead of AES).
Again, if AES keys (aes256 and aes128) are used, ATA no longer detects the attack:
Invoke-Mimikatz -Command '"kerberos::golden /User:<user> /domain:<domain> /sid:<sid> /aes256:<aes256> /id:500 /groups:513 /ptt"'
However, ATA version 1.8 detects tickets with an abnormally long lifetime.
It is enough to create a short-lived Golden Ticket each time one is needed (mimikatz's /startoffset, /endin and /renewmax parameters control the lifetime). Keep in mind that persistence on the compromised domain comes from the recovered krbtgt hash, not from any generated Golden Ticket.
Quick reminder: do not forget to purge the injected tickets from memory (klist purge) once the engagement is over.
Avoid ATA
If ATA cannot be bypassed, the best approach is simply to avoid it. Many attacks do not require talking to the domain controller at all; they do not allow a full compromise scenario to be played out, but they are sufficient to illustrate significant risks for the audited client.
Currently, ATA does not detect command execution via PSRemoting, DCOM or DLL hijacking.
Silver Ticket and Kerberoast attacks are not detected either: in the first case there is no communication with the DC at all, and in the second the communication with the DC is legitimate and limited.
Limitations
ATA has several limitations beyond what it does and does not detect. Encrypted traffic (LDAPS, IPsec ESP) cannot be analyzed, nor can new, undocumented attack techniques, since ATA needs a specific signature before it can detect them. If an attack has no distinguishing technical feature, ATA will not see it.
Attacking ATA installations
Up to version 1.8, ATA installations could be identified by HTTP banner analysis. Since version 1.8, ATA can also be identified through the generated SSL certificate (Subject: ATACenter).
Furthermore, every user or group added to the local Administrators group of the server hosting ATA gets administrative rights on the ATA console. This is especially serious given that ATA is designed to detect lateral movement!
Finally, the MongoDB database used by ATA listens on the local interface and is accessible without authentication, and no alert is raised when it is accessed. A simple way to hide every alert from the console is to set the «IsVisible» field to «false» on the «SuspiciousActivity» collection in that database.
It should not be forgotten that ATA is only one component and is not meant to replace classic good administration practices (limiting the number of domain admins, using them only to connect to DCs, etc.).
How to protect ATA
To protect ATA, it is recommended not to host it on a server that belongs to the domain it monitors. Protection of the database will likely be added in a future version.
Conclusion
In general, for an attacker, several best practices can be adopted to avoid ATA:
- Do not try to become Domain Admin at all costs without understanding the client's IT infrastructure and the protections in place;
- Minimize communication with domain controllers: for example, there is no need to generate a Golden Ticket or use a Skeleton Key if the action does not illustrate any additional risk for the client;
- Stay focused on the mission objective: if ATA cannot be bypassed, it is better to avoid confronting it.
Sources
How to Build Efficient Security Awareness Programs (that don't suck)

Contact : https://keybase.io/sapran | Mindmap http://xmind.net/m/raQ4
Introduction
In this presentation, Volodymyr Styran outlined his awareness-raising method based on the idea that employees need to be empowered.
Tools for raising awareness
Fear
Fear is key to humanity's survival; it allows us to face threats. However, we need to be told what to fear. Its judicious use helps us learn from new situations, and regular reminders are necessary to develop healthy habits.
Motivations (incentives)
In the professional environment, employee motivation is based on the following characteristics:
- Competitive spirit: being ahead of the others
- Sense of belonging: being recognized as a member of a group, in order to turn the employee into a «Corporate Awareness Evangelist»
Habits
The following points are necessary in order to establish the habits to follow:
- Trigger
- Routine
- Reward
- Repeat 🙂
An illustration of this thought pattern might be the following: if I am bored, I will eat a cookie, my sugar level increases and therefore I feel better.
Building an attack
Finally, Volodymyr Styran concluded his presentation by detailing the techniques for building an effective attack:
Type of attack + Principle of influence + Security context = Panic
Sources
How hackers changed the security industry

Introduction
Weld Pond, CTO of Veracode, shared his experience of more than 20 years in the hacker community and in computer security.
Historical
Before hackers, developers were perfect, implementations were perfect, administrators were perfect, users were perfect.
In this perfect world, all security incidents went through the CERT, the only entity responsible for contacting the vendor to report a bug or vulnerability in a product. Created in response to the «Morris» worm, which exploited known vulnerabilities in sendmail and fingerd, the CERT shared no information with the outside world. Hackers therefore organized themselves to pool resources.
Security conferences such as DEF CON, born in the early 90s, then appeared as places to share resources and meet other members of the hacker community.
Penetration testing then became more common, followed by bug bounty programs; public platforms emerged thanks to companies such as Facebook and Google.
Weld Pond finally notes that today states impersonate criminal hackers, which shows that hackers have now become «insiders».
Conclusion
Weld concluded his presentation by stating that, in his view, all stakeholders should have a basic understanding of security, and that this should not be a separate process but rather integrated into internal development processes. We need to upskill employees in security to make them "evangelists" capable of identifying when something is wrong and reacting accordingly.
He finally addressed the new generation, asking them to continue to make noise and challenge the status quo so that this dynamic launched in the 90s continues on its momentum.
Sources
See no evil, hear no evil – Hacking invisibly and silently with light and sound

Introduction
This presentation by Matt Wixey, a security consultant at PwC UK, focused on how sound and light can be used to send commands or exfiltrate information remotely, and was structured around three main parts:
- Part 1: Jumping air-gaps
- Part 2: Surveillance and counter-surveillance
- Part 3: Bantz
Part 1: Jumping air gaps
The first technology Matt presented is LiFi, which transmits data through light. All current research on crossing an air gap assumes either the initial compromise of one of the air-gapped machines or physical access to it, and other channels (heat, acoustics, radio frequencies) have already been explored for exfiltration. Matt's proposed scheme is malware that receives its commands through the API of the ALS (Ambient Light Sensor), usually present on mobile phones. The remaining problem is getting the data out.
One idea is to send the commands with a laser and to exfiltrate the data through a QR code displayed on the screen for a very short time and captured by the attacker's camera. Another idea is to use the target machine's sound card to exfiltrate data over ultrasound (18-19 kHz), inaudible to most people, and its microphone to receive commands. Finally, images can also be embedded in an audio signal, which can then be mixed with another audio file.
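To show what the ultrasonic channel involves end to end, here is an added example (not Matt Wixey's code) that encodes bytes as 2-FSK tones at 18 kHz and 19 kHz, the band mentioned above, and recovers them with a Goertzel detector. It only produces and consumes sample arrays; the sound-card I/O, the 44.1 kHz sample rate, the 10 ms symbol time and the noise level injected for the test are assumptions for the demonstration.

```python
"""Added example: 2-FSK ultrasonic modem (18 kHz = 0, 19 kHz = 1) with a
Goertzel-based demodulator, operating on plain lists of float samples."""
import math
import random

RATE = 44100                     # sample rate of a typical sound card (assumed)
F_SPACE, F_MARK = 18000, 19000   # carriers for bit 0 / bit 1, inaudible to most people
SYMBOL_SAMPLES = 441             # 10 ms per bit = 100 bit/s; both carriers fall on exact DFT bins


def _bits(data):
    """Yield the bits of each byte, most significant first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def modulate(data, amplitude=0.5):
    """Turn bytes into a list of samples: one tone burst per bit."""
    samples = []
    for bit in _bits(data):
        f = F_MARK if bit else F_SPACE
        for n in range(SYMBOL_SAMPLES):
            samples.append(amplitude * math.sin(2 * math.pi * f * n / RATE))
    return samples


def goertzel_power(window, freq):
    """Power of a single frequency bin in the window (Goertzel algorithm)."""
    k = round(len(window) * freq / RATE)
    coeff = 2 * math.cos(2 * math.pi * k / len(window))
    s1 = s2 = 0.0
    for x in window:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples, n_bytes):
    """Decide each bit by comparing the energy at the two carriers."""
    out = bytearray()
    for b in range(n_bytes):
        byte = 0
        for i in range(8):
            start = (b * 8 + i) * SYMBOL_SAMPLES
            window = samples[start:start + SYMBOL_SAMPLES]
            bit = goertzel_power(window, F_MARK) > goertzel_power(window, F_SPACE)
            byte = (byte << 1) | int(bit)
        out.append(byte)
    return bytes(out)


def add_noise(samples, sigma=0.2, seed=1):
    """Simulate a noisy acoustic path with deterministic Gaussian noise."""
    rng = random.Random(seed)
    return [x + rng.gauss(0, sigma) for x in samples]


if __name__ == "__main__":
    message = b"BruCON"                                  # constructed payload
    received = demodulate(add_noise(modulate(message)), len(message))
    print(received, "ok" if received == message else "corrupted")
```

Both carriers land on exact DFT bins of the 441-sample window, which keeps the detector trivial. A real covert channel would add a preamble for symbol synchronization and a checksum, and would have to live with the steep roll-off of cheap speakers and microphones near 20 kHz, which is also why the talk's range stops at 19 kHz.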
To protect against this type of attack, it is recommended to remove or disable the ALS and to use screen filters.
Part 2: Surveillance and counter-surveillance
Several POC (Proof of Concept) were presented by Matt in order to carry out surveillance of people.
One scenario is listening to a conversation held in a closed room that has a window to the outside. A laser microphone pointed at the window captures the reflected infrared beam, which is modulated by the vibrations of the glass; a photodetector converts it into an electrical signal whose voltage variations allow the audio to be reconstructed.

Another demonstration used an RTL-SDR to sniff, analyze and clone the signals of infrared motion detectors in order to disable them remotely. Matt then presented his PoC called «Drone to clone to pwn», which, as its name suggests, is a drone carrying the whole deactivation kit. Since drones emit too little infrared (heat) to be picked up, the detectors do not see them.
Part 3: Bantz
Finally, Matt offers us a brief overview of the "disturbing" uses of technology.
Of all the systems presented, we will retain:
- «speech jamming» software that plays our own words back out of sync, making the simple act of speaking very difficult;
- «Kill More Gillmore», which switches the television off whenever the series Gilmore Girls is being broadcast;
- a colander turned into a helmet covered with transmitters that disrupt the altitude sensors of drones.
Sources:
XFLTReaT: a new dimension in tunneling

Balazs Bucsay presented his open-source tunneling tool/framework. It is modular, multi-client and object-oriented, and offers a «check» feature that tests, with a single command, which exfiltration channels are usable on a given network. Several transports are already supported: TCP, UDP, ICMP, DNS, etc.
In practice the tool uses two communication channels for each tunnel:
- one for data;
- one for control messages.
The tool is available at https://github.com/earthquake/XFLTReaT/
Sources
DYODE: Do Your Own Diode

Arnaud Soullié presented the DYODE project, on which he has been working for over a year. The goal is a low-cost network diode, a component that lets data flow in one direction only. Such components are mainly used to export data from ICS (Industrial Control System) networks, and commercial solutions from Thales or Waterfall cost around €15,000. Experience shows that the ICS network is almost always connected to the corporate network or to the Internet, hence the interest in this kind of component; but many use cases do not justify the investment, hence the idea of a DIY (Do It Yourself) solution.
The solution uses two copper-to-fiber converters and two Raspberry Pis, one on each side, acting as gateways so that TCP-based applications can be carried over a physically one-way link. The transfer itself relies on a custom Python implementation built on UDP sockets.
Features developed:
- file transfer
- Modbus
- screen sharing (based on the file transfer function)
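The point that shapes every protocol behind a diode is that nothing can come back: no ACK, no retransmission request. Here is an added example (not DYODE's own framing, which may differ) of what file transfer over a one-way UDP link has to look like as a result. Every datagram is self-describing (transfer id, sequence number, total count, digest of the whole file), so the receiver can reassemble out-of-order frames, detect lost ones and verify integrity entirely on its own. The header layout, the magic value and the payload are constructed for the demonstration.

```python
"""Added example: self-describing datagrams for a file transfer across a
one-way link, with loss detection and end-to-end integrity on the receiver."""
import hashlib
import struct

# magic, transfer id, sequence number, total frames, sha256 of the whole file
HEADER = struct.Struct("!4sIII32s")
MAGIC = b"DYOD"     # assumed marker, lets the receiver skip unrelated datagrams


def frame_file(data, transfer_id, chunk_size=1024):
    """Split a file into datagrams that each carry enough context to stand alone."""
    digest = hashlib.sha256(data).digest()
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)] or [b""]
    return [HEADER.pack(MAGIC, transfer_id, seq, len(chunks), digest) + chunk
            for seq, chunk in enumerate(chunks)]


def reassemble(datagrams):
    """Rebuild the file from whatever arrived, in whatever order.

    Returns (data_or_None, missing_sequence_numbers, integrity_ok).
    Loss is reported instead of being recovered: without a return channel the
    only options are redundancy/FEC on the sending side or a fresh transfer.
    """
    parts, total, digest = {}, None, None
    for dg in datagrams:
        if len(dg) < HEADER.size:
            continue
        magic, _tid, seq, n, d = HEADER.unpack_from(dg)
        if magic != MAGIC:
            continue
        if total is None:
            total, digest = n, d
        elif (n, d) != (total, digest):
            continue                      # frame from another transfer, ignore
        parts[seq] = dg[HEADER.size:]
    if total is None:
        return None, set(), False
    missing = set(range(total)) - set(parts)
    if missing:
        return None, missing, False
    data = b"".join(parts[i] for i in range(total))
    return data, set(), hashlib.sha256(data).digest() == digest


if __name__ == "__main__":
    payload = bytes(range(256)) * 12              # constructed 3 KiB "file"
    frames = frame_file(payload, transfer_id=7)
    print("sent", len(frames), "datagrams")
    data, missing, ok = reassemble(frames[:1] + frames[2:])   # simulate one lost datagram
    print("received:", "complete" if data else f"incomplete, missing {sorted(missing)}", "ok=", ok)
```

Carrying the file digest in every frame costs 32 bytes per datagram but means the receiver never depends on a specific "last" frame arriving, which is exactly the kind of assumption a one-way link will eventually break. The same idea extends to the Modbus and heartbeat items on the roadmap below: each message must be verifiable on its own.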
The first version cost around €380. To bring the cost down towards the €200 target, several changes were considered or implemented: the Ethernet-to-fiber converters were replaced by a serial link and an optocoupler (€2), and the Raspberry Pi 3 could be replaced by a Raspberry Pi Zero. In the end, the cost came down to €80.
The entire project is open source: code and hardware (PCB, 3D plan for the case).
Arnaud Soullié also pointed out that in some cases data must also be sent back from the corporate network to the ICS network; the network diode is therefore not a «silver bullet».
Limitations of the solution
- Performance
  - still relatively slow
  - high latency (especially on file transfers)
- Vulnerable to «side channel» attacks
  - TEMPEST-type attacks were not taken into account in the project
  - EM leaks can however be reduced with a Faraday cage
- Hardening of the gateways
  - the gateways (Raspberry Pi) have not been hardened yet
Roadmap of the project
- integrity check on Modbus;
- implementation of a heartbeat;
- improved integrity control on file transfers;
- support for other protocols (SMTP, FTP, Syslog, CIFS, etc.).
GitHub project: http://github.com/wavestone-cdt/dyode
