CoRIIN 2019

CERT Intrinsec was present at the 5th edition of the Conference on Incident Response and Digital Forensics (CoRIIN). This year's speakers shared their research and experiences on issues related to incident response and digital forensics. Here is a summary of the 9 presentations from this edition of CoRIIN:

The rise of destructive malware

Thomas Roccia (@fr0gger_)

Thomas Roccia, a security researcher at McAfee Labs (Advanced Threat Research), presented us with an overview of the different types of destructive malware, their classification and the motivations of their authors.

The speaker opened his presentation with videos of rocket and nuclear power plant explosions, then moved on to the history of destructive malware: from the Rabbit virus (a fork bomb) observed in 1974, through the Shamoon wiper and Triton, the first malware targeting Safety Instrumented Systems (SIS), in 2012, up to those observed recently in 2018 such as Olympic Destroyer, Shamoon V3 or VPNFilter.

The speaker proposed an interesting classification of these malware programs into five main categories: destructive botnets; disruptors; pseudo-ransomware; wipers; and physical destroyers.

The speaker gave us examples of advanced techniques used by these malware programs to spread, cause maximum damage, and distract incident response teams.

Two relevant examples were discussed. The first is the ransomware used as a decoy in the Taiwan Bank Impact attack: it kept incident response teams busy handling a ransomware incident while the attackers kept control of the machines and made large transfers amounting to $60M. The second is NotPetya, a ransomware (or rather a pseudo-ransomware) that encrypted data and demanded a ransom but in no case provided the decryption key.

Thomas Roccia also revealed to us the motivations of these malicious actors, which can be financial, ideological, competitive, or other motivations.

Finally, the speaker answered two questions in his presentation: what can we do to defend ourselves, and what should we expect in the future?

Protection against these destructive attacks is conventional and relies on:

  • Segment the network;
  • Identify and harden the network nodes used in lateral movement;
  • Prioritize patch management;
  • Create backups;
  • Prepare an incident response plan.

Looking ahead, these malware programs will become increasingly prevalent and will favor supply chain infection vectors. Prepare for more powerful DDoS attacks and sophisticated attacks targeting critical environments, with domino effects and significant human impact.

Goblin Panda: China in Southeast Asia

Sébastien Larinier (@sebdraven)

Sébastien Larinier, a security researcher, presented his research on a Chinese malicious actor named Goblin Panda. The speaker explains how he ended up pursuing Chinese actors and how he managed to attribute his findings to known Chinese APT groups thanks to "Code Reuse", common infrastructures and especially the similarities of TTPs.

We will not go into the details of the attackers' infrastructure revealed by Sébastien since the presentation is tagged TLP:AMBER.

Investigation into AmCache

Blanche Lagny (@moustik01)

Blanche Lagny from the ANSSI's digital investigations office presented her research on the AmCache artifact. This work, which lasted approximately one year, aimed to verify the claims and results of existing tools (AmcacheParser, the amcache plugin of RegRipper, and others) and, above all, to dig deeper into those results.

This artifact, "AmCache", was originally designed by Microsoft to ensure application compatibility between different versions of Windows, but it has become a key element for investigators to prove the execution of binaries.

The speaker pointed out that the functioning of AmCache depends on the versions of the "ae*.dll" libraries, and that this artifact can change its results when switching from one version of Windows to another because of the different versions of the libraries embedded with the OS.

Blanche also stated that this artifact may not log the execution of binaries in certain cases (execution from external media or a network share, or directly from the Downloads and Documents directories of a user profile under C:\Users\), but that it does log binaries executed in subdirectories of the latter two.

For more details on this research, Blanche Lagny has shared a research article detailing her various observations and analyses.

Resources:

https://www.ssi.gouv.fr/publication/analyse-de-lamcache/

Memcached, or when your backbone goes crazy

Sébastien Mériot (@smeriot)

Sébastien Mériot, head of OVH's CSIRT, told us about their experience of one of the largest incident responses imaginable: OVH's ASN was the target of a 1.35 Tbps DDoS attack; other DDoS attacks going out from their own infrastructure bypassed their protection systems; and so on.

The speaker presented OVH's four different missions in this incident response: protecting their customers; protecting their customers' Internet; protecting themselves (yes, because OVH also has an IT department like any other company); and finally doing Threat Intelligence to find the source of the attacks and anticipate those being prepared.

Sébastien introduced us to the Memcached protocol and how it has been used in amplification denial-of-service attacks. In its implementation, Memcached binds UDP port 11211 on the public network interface without any authentication or access control. The protocol has an amplification factor ranging from x5000 to x40500 (by sending multiple requests in a single UDP packet). Its amplification factor bears no comparison with those of other protocols such as DNS, with a factor of up to x54, or NTP, with a factor of x500.
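As an added example (not code from the talk or from OVH), two defender-side checks for the exposure described above: an audit of a Debian-style memcached.conf against the weak setting (UDP enabled on a public address) and its fix, and a scan of NetFlow-like records for the reflection pattern (large outbound UDP responses leaving port 11211 for external hosts). Function names, the CSV layout and the sample data are this example's own.

```python
import re

MEMCACHED_PORT = 11211

def audit_memcached_conf(conf):
    """Check a Debian-style memcached.conf (one option per line, '#' comments).
    Weak: UDP left on and '-l' absent or 0.0.0.0, i.e. 11211/udp open to the world.
    Fixed: '-U 0' (disable UDP) and '-l 127.0.0.1' or a private address."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(-[A-Za-z])\s*(\S*)$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    findings = []
    # a missing -U means UDP is on for memcached older than 1.5.6 (the versions abused in 2018)
    if opts.get("-U", str(MEMCACHED_PORT)) != "0":
        findings.append("UDP enabled: add '-U 0' unless UDP is really needed")
    if opts.get("-l", "0.0.0.0") in ("0.0.0.0", "::"):
        findings.append("bound to all interfaces: add '-l 127.0.0.1' or a private address")
    return findings

def find_reflection_flows(flow_lines, own_prefixes, min_avg_bytes=1000):
    """Scan CSV lines 'proto,src,sport,dst,dport,packets,bytes' for outbound UDP flows
    leaving source port 11211 for hosts outside own_prefixes with large packets:
    the shape of one of our own servers being used as a reflector."""
    hits = []
    for line in flow_lines:
        proto, src, sport, dst, _dport, pkts, nbytes = line.split(",")
        if proto != "udp" or int(sport) != MEMCACHED_PORT:
            continue
        if not src.startswith(own_prefixes) or dst.startswith(own_prefixes):
            continue  # not our server, or an internal client talking to the cache
        avg = int(nbytes) / int(pkts)
        if avg >= min_avg_bytes:
            hits.append((src, dst, round(avg)))
    return hits

# constructed sample flows (192.0.2.0/24 plays the operator's own address range)
SAMPLE_FLOWS = [
    "udp,192.0.2.10,11211,203.0.113.5,45678,20000,28000000",  # 1400 B/packet outbound
    "udp,192.0.2.10,11211,192.0.2.20,5000,10,4000",           # internal client
    "tcp,192.0.2.11,11211,203.0.113.9,51000,5,600",           # TCP, not the UDP reflection case
    "udp,192.0.2.12,53,203.0.113.7,3000,100,50000",           # DNS, out of scope here
]

if __name__ == "__main__":
    print(audit_memcached_conf("-l 0.0.0.0\n-p 11211\n-m 64\n"))
    print(find_reflection_flows(SAMPLE_FLOWS, ("192.0.2.",)))
```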

The results of OVH's investigation included some surprising information. Their customers, after a few awareness campaigns, were quite responsive and resolved the issue on their side (three quarters of the servers exposing Memcached were fixed). The attack was clearly planned in advance: OVH found a password-protected ZIP file containing a GIF injected into the Memcached servers (OVH was unable to crack the password); according to them, this was a pre-configuration step to increase the attack's effectiveness. Finally, Sébastien demonstrated the value of Cyber Threat Intelligence in this kind of investigation and how he unmasked the perpetrator of this attack, who had a particular interest in amplification attacks.

Electromagnetic aggression and forensics

José Lopes Esteves (@lopessecurity)

José Lopes Esteves, an expert at the ANSSI's Wireless Technology Security Laboratory, presented their research on electromagnetic attacks. The speaker divided his presentation into three parts:

  • The definition of electromagnetic aggression: malicious signals or noise;
  • The propagation modes of these signals (radiated, conducted, through space, etc.);
  • Their impact on information systems (destruction of electronic components, degradation of RF links, etc.).

The speaker demonstrated the evolution of these threats and how ANSSI is preparing to protect itself against them. Two detection methods were presented:

  • Monitoring the electromagnetic spectrum: this uses ruggedized, dedicated equipment to monitor and detect signals, raise alerts based on thresholds, and record the signals when an alert fires. The limitations discussed lie in the cost of the equipment and in the coverage of effect or impact detection.
  • Analysis of the effects: this relies on the impact observed in software, by deploying agents on every electronic system in the monitored area. Its limitations lie in the specificity of each target system, the characterization of multi-parameter effects, and the possibility of the attacker's signals disrupting this self-monitoring.

Finally, the speaker outlined the perspectives of this research, in particular exploiting the logged effects to create covert communication channels (using Morse code, for example) and anti-drone defence, using electromagnetic signals to write into drone logs in order to control them or to keep evidence of their locations.

AWS EC2 Forensics 101

Frédéric Baguelin (@udgover)

Frédéric Baguelin from CERT-SG addressed in his presentation the problem of investigations in cloud environments, with a focus on AWS and in particular the EC2 service.

The speaker explains how Amazon manages storage, the differences and relationships between Snapshots and Volumes (EBS), and disk encryption management with AWS Key Management Service (KMS).

Frédéric compiled a list of forensic analysis tools for AWS; several tools already exist (AWS IR and Margaritashotgun from ThreatResponse, Diffy from Netflix, etc.), but none of them offers features for acquiring (imaging) a disk and exporting the image to a physical disk.

The answer to this problem is not obvious, since it has to take into account AWS specifics: geographical areas, access rights and permissions, and access to encryption keys.

Frédéric proposed an acquisition workflow: create a snapshot of the target volume, create a volume from this snapshot and attach it to an acquisition instance, connect to the instance using SSH and screen, acquire the disk with ewfacquire, and finally download the image.
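The workflow above as an added example (not code from the talk or from CERT-SG), driving the AWS CLI and ssh from Python. The command runner is injectable so the sequence can be dry-run; the instance, key, host and case identifiers are placeholders, and the example assumes the attached volume shows up in the acquisition instance as /dev/xvdf (on Nitro instances it appears as an NVMe device instead).

```python
import shlex
import subprocess

def run_cli(argv):
    """Execute one command and return its stdout, stripped. Swap in a stub to dry-run."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout.strip()

def ec2(run, *args):
    return run(["aws", "ec2", *args, "--output", "text"])

def ewfacquire_command(device, target, case_id):
    """Unattended libewf acquisition: -u no prompts, -t image base name (.E01 segments),
    -C case number, -c best compression, -d sha256 adds a SHA-256 next to the MD5."""
    return " ".join(shlex.quote(x) for x in [
        "sudo", "ewfacquire", "-u", "-t", target, "-C", case_id,
        "-c", "best", "-d", "sha256", device])

def acquire_ec2_volume(volume_id, acq_instance, az, ssh_host, ssh_key, case_id,
                       guest_device="/dev/xvdf", run=run_cli):
    """Snapshot -> volume -> attach to the acquisition instance -> ewfacquire over ssh
    -> scp the image back. Returns the ids created, to be kept in the case notes.
    az must be the acquisition instance's availability zone; the caller needs EC2
    rights in that region and, for an encrypted volume, access to its KMS key."""
    snap = ec2(run, "create-snapshot", "--volume-id", volume_id,
               "--description", f"{case_id} evidence", "--query", "SnapshotId")
    ec2(run, "wait", "snapshot-completed", "--snapshot-ids", snap)
    vol = ec2(run, "create-volume", "--snapshot-id", snap,
              "--availability-zone", az, "--query", "VolumeId")
    ec2(run, "wait", "volume-available", "--volume-ids", vol)
    ec2(run, "attach-volume", "--volume-id", vol,
        "--instance-id", acq_instance, "--device", "/dev/sdf")
    ec2(run, "wait", "volume-in-use", "--volume-ids", vol)
    # the raw block device is imaged without mounting it; the talk runs this step
    # inside screen so that a dropped ssh session does not kill the acquisition
    remote = ewfacquire_command(guest_device, f"/evidence/{case_id}", case_id)
    run(["ssh", "-i", ssh_key, ssh_host, remote])
    run(["scp", "-i", ssh_key, f"{ssh_host}:/evidence/{case_id}.E*", "."])
    return {"snapshot": snap, "volume": vol}

if __name__ == "__main__":  # placeholder ids and host: replace before use
    print(acquire_ec2_volume("vol-0123456789abcdef0", "i-0123456789abcdef0",
                             "eu-west-1a", "ec2-user@acq.example", "acq.pem", "CASE-001"))
```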

Resources:

https://github.com/toniblyx/my-arsenal-of-aws-security-tools

The story of Greendale

Thomas Chopitea (@tomchop_)

Thomas Chopitea from Google told us the story of Greendale, a polytechnic university that implemented the entire DFIR suite used by Google teams for incident response.

The speaker demonstrated the use of DFTimewolf, a CLI utility designed to orchestrate and automate other incident response tools. In all, five open-source incident response and digital forensics tools used daily by Google's incident response teams were presented:

  • GRR: Google Rapid Response, a cross-platform agent for collecting data (files and artifacts) from hosts.
  • Log2timeline / Plaso: a tool that extracts timestamps and aggregates them into a timeline.
  • Timesketch: a multi-user, multi-case, multi-timeline visualization tool for Plaso timelines, enabling collaborative timeline analysis.
  • Turbinia: a cloud-based (Google Cloud) forensic analysis automation framework.
  • DFTimewolf: a CLI utility for writing recipes, launching tasks and orchestrating the tools above.

Thomas Chopitea invited the audience to contribute to the development of these open-source tools (Apache 2.0 license).

Resources:

https://github.com/google/grr

https://github.com/log2timeline/plaso

https://github.com/google/timesketch

https://github.com/google/turbinia

https://github.com/log2timeline/dftimewolf

Digital investigation of Active Directory using replication metadata

Léonard Savina (@ldap389)

Léonard Savina presented ANSSI's research on Active Directory replication metadata. The AD directory is one of the most important targets for attackers, as it lets them persist discreetly using legitimate accounts.

The speaker gave two demonstrations of real attacks on an Active Directory environment and showed how they can be detected using replication metadata:

  • Mimikatz DCSync and deployment via GPO;
  • Mimikatz DCShadow.

A tool, ADTimeline, was developed for the occasion in PowerShell to query replication metadata and build a timeline of events from it.

Léonard concluded his presentation with the contribution of this metadata to the logging and analysis of Windows security logs, and emphasized that this metadata can be falsified by the attacker.
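As an added example (this is neither ADTimeline nor ANSSI's code), the detection idea above in Python: replication metadata is readable over LDAP through the constructed attribute msDS-ReplAttributeMetaData, one XML value per attribute of the object; the code parses such values, builds a timeline ordered by originating change time and flags entries whose originating DSA is not a known domain controller, which is the trace a DCShadow push leaves. The XML values, server names and domain are constructed samples, and the caveat from the talk applies: an attacker with enough rights can also tamper with this metadata.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

def meta(attr, version, when, dsa_server, usn):
    """Constructed sample value shaped like one msDS-ReplAttributeMetaData entry."""
    return (f"<DS_REPL_ATTR_META_DATA><pszAttributeName>{attr}</pszAttributeName>"
            f"<dwVersion>{version}</dwVersion>"
            f"<ftimeLastOriginatingChange>{when}</ftimeLastOriginatingChange>"
            f"<uuidLastOriginatingDsaInvocationID>00000000-0000-0000-0000-{usn:012d}"
            f"</uuidLastOriginatingDsaInvocationID>"
            f"<usnOriginatingChange>{usn}</usnOriginatingChange><usnLocalChange>{usn}</usnLocalChange>"
            f"<pszLastOriginatingDsaDN>CN=NTDS Settings,CN={dsa_server},CN=Servers,"
            f"CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"
            f"</pszLastOriginatingDsaDN></DS_REPL_ATTR_META_DATA>")

KNOWN_DCS = {"DC01", "DC02"}  # the legitimate domain controllers of the constructed domain
SAMPLE = [  # metadata of one user object; the second entry was pushed by a rogue DSA
    meta("sAMAccountName", 1, "2018-06-01T08:00:00Z", "DC01", 40001),
    meta("primaryGroupID", 2, "2019-03-12T21:04:37Z", "WS-ADMIN01", 90111),
    meta("unicodePwd", 5, "2019-02-20T10:15:00Z", "DC02", 88000),
]

def parse_entry(xml_text):
    """Extract the fields an investigator needs from one metadata value."""
    e = ET.fromstring(xml_text)
    dsa_dn = e.findtext("pszLastOriginatingDsaDN", default="")
    parts = dsa_dn.split(",")
    # the DN reads "CN=NTDS Settings,CN=<server>,..."; an empty or deleted DSA yields ""
    server = parts[1][3:] if len(parts) > 1 and parts[1].startswith("CN=") else ""
    return {
        "attribute": e.findtext("pszAttributeName"),
        "version": int(e.findtext("dwVersion")),
        "time": datetime.strptime(e.findtext("ftimeLastOriginatingChange"), "%Y-%m-%dT%H:%M:%SZ"),
        "usn": int(e.findtext("usnOriginatingChange")),
        "dsa": server,
    }

def timeline(entries, known_dcs=KNOWN_DCS):
    """Chronological timeline; a row is suspicious when its originating DSA is not a known DC."""
    rows = sorted((parse_entry(x) for x in entries), key=lambda r: r["time"])
    for r in rows:
        r["suspicious"] = r["dsa"] not in known_dcs
    return rows

if __name__ == "__main__":
    for r in timeline(SAMPLE):
        print(r["time"], r["attribute"], "v%d" % r["version"], r["dsa"] or "<unknown DSA>",
              "SUSPICIOUS" if r["suspicious"] else "")
```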

Resources:

https://github.com/ANSSI-FR/ADTimeline

https://www.ssi.gouv.fr/publication/investigation-numerique-sur-lannuaire-active-directory-avec-les-metadonnees-de-replication-outil-adtimeline/

Lessons learned from an iOS investigation

Paul Rascagnères (@r00tbsd)

Paul Rascagnères from Cisco Talos explained how to carry out an iOS incident response or digital forensics investigation, starting from scratch. He first presented the iOS architecture: a UNIX system divided into layers (user land; public frameworks such as WebKit and AppKit; private frameworks such as Cloud Services). The biggest problem an analyst faces during an iOS investigation is the security implemented by Apple: access to the root user (UID 0) and to the file system is impossible, and applications are sandboxed (no interaction between applications).

The question is: do we need to jailbreak a system to perform iOS forensic analysis?

The theoretical answer is "no", but in practice it is "yes". It is important to know that it is impossible to retrieve a malicious application (.ipa) from an iOS device, let alone dump the RAM or the disk, without jailbreaking it. Three solutions were presented:

  • Jailbreaking the device, for outdated devices (using Electra, for example, on iOS 11.2 to 11.3.1);
  • For up-to-date devices: "freeze" the phone and wait for a jailbreak to come out, or use a specialized service provider (Cellebrite);
  • Send the phone back to Apple and ask them to extract the application.

Several tools for analyzing malicious applications were presented, including the classic disassemblers IDA Pro and Hopper, both of which support Objective-C and compiled Swift code. Paul then demonstrated the use of Frida, a dynamic instrumentation tool, and its module for memory dumps, Fridump3. Other traditional tools, such as Burp, can be used to intercept HTTPS requests.

The speaker finally revealed the techniques used to deploy malware on iOS, which involve using trusted certificates, installing developer certificates, or ad-hoc certificates that can only be installed on targeted phones identified by their UIDs. Other deployment techniques observed by Talos include the use of mobile device management (MDM) solutions (especially open-source MDMs) to deploy applications. However, MDMs require several user interactions before installation, which can easily be circumvented with social engineering.

Finally, three of the techniques used by iOS malware were detailed:

  • Library injection (.dylib);
  • Web interception by manipulating WebKit;
  • The use of a custom keyboard.

Resources:

https://github.com/frida

https://github.com/rootbsd/fridump3

https://coolstar.org/electra/