INSOMNI'HACK 2017
This year again, Intrinsec attended the 10th edition of the Insomni'hack conference, organized by SCRT, on Friday, March 24th.
Presentations were held in three different rooms, and the schedule was as follows:
Bridging the gap between ICS (IoT?) and corporate IT security

Stefan Lüders, CISO of the European Organization for Nuclear Research (CERN), presented the problems encountered in defending the CERN ecosystem.
In such a heterogeneous environment, the BYOD issue becomes particularly relevant. Beyond the complexity of deploying update patches, running security tests is even harder on sensitive systems such as those monitoring nuclear reactors, where any disruption is unacceptable.
While we wait for the official video, an earlier version of this presentation is available here:
https://www.blackhat.com/docs/us-14/materials/us-14-Luders-Why-Control-System-Cyber-Security-Sucks.pdf
DevOops Redux
This talk, given by Ken Johnson (@cktricky) and Chris Gates (@Carnal0wnage), focused on the importance of securing developers' machines and on the various tools that are often poorly understood. According to Ken, a development machine is generally a goldmine for an attacker, since it contains API keys, passwords for accessing sensitive services, and possibly SSH keys used to authenticate to pre-production or production servers.
The primary goal of this presentation was to raise the audience's awareness in three areas: developer awareness, protection of development servers, and deployment management services. Chris and Ken therefore presented several tools, such as Slack auditor, gitrob, TruffleHog or GitMonitor, which exploit human error (configuration files left behind) to recover this kind of sensitive information.
Regarding the protection of development servers, various tools were mentioned, such as osquery, which lets you query the state of the operating system, and Doorman or BlockBlock, configured to warn when software tries to persist on the system and to ask the user for confirmation. SIEM-type solutions were then presented: ELK, StreamAlert or Splunk.
Finally, for the last part of the presentation, Ken and Chris focused on the tools used in the integration chain, presenting configuration flaws often encountered with Jenkins, Redis, Docker or AWS services.
The presentation slides are available on SlideShare at the following address:
https://www.slideshare.net/chrisgates/devoops-attacks-and-defenses-for-devops-toolchains
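As an added example (not code from the talk, nor from TruffleHog or gitrob themselves), here is a small defender-side check in the same spirit: it scans constructed configuration text for known credential formats and for high-entropy tokens, the heuristic that lets such tools flag keys left in committed files. The keyword list, the patterns, the threshold and the sample text are assumptions chosen for illustration.

```python
import math
import re

# Well-known credential formats and risky assignments (assumption: illustrative subset).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # keyword followed by '=' or ':' and a value; no \b so db_password, api-key etc. match
    "assignment": re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*['\"]?([^\s'\"]+)"),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    freq = {c: s.count(c) for c in set(s)}
    return -sum(f / n * math.log2(f / n) for f in freq.values())


def scan_text(text: str, min_len: int = 20, threshold: float = 3.5):
    """Return (line_no, reason, snippet) findings for config-like text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, pat in KNOWN_PATTERNS.items():
            if pat.search(line):
                findings.append((no, name, line.strip()))
                break
        else:
            # No known format matched: fall back to the entropy heuristic on long tokens.
            for tok in re.findall(r"[A-Za-z0-9+/=_\-]{%d,}" % min_len, line):
                if shannon_entropy(tok) >= threshold:
                    findings.append((no, "high_entropy", tok))
                    break
    return findings


# Constructed sample config; the AWS key is the one used in AWS documentation, the others are made up.
SAMPLE = """db_host = db.internal.example
db_password = "Tr0ub4dor&3"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
SLACK_BOT_ID = xoxb-notreal-0123456789ab
debug = true
"""

if __name__ == "__main__":
    for line_no, reason, snippet in scan_text(SAMPLE):
        print(f"line {line_no}: {reason}: {snippet}")
```

Lines 2 and 3 are caught by the explicit patterns, line 4 only by its entropy; a check like this belongs in a pre-commit hook or CI job so the secret never reaches the repository.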
Modern reconnaissance phase of APTs – protection layer
Paul Rascagnères presented five case studies of the reconnaissance phase carried out by "modern" attackers before infecting the target. In all cases, the attack vector was an Office document containing a malicious macro. Analysis of the various techniques used by the attackers revealed a generic process broken down into four steps:
- Step 1: Execution of the first payload (here the Office document macro), which scans the execution environment
- Step 2: Sending the scan results to the attacker
- Step 3: Validation of the environment by the attacker, who checks, from the information received, that the execution is not taking place in a sandbox-type analysis environment
- Step 4: Delivery of the final payload (RAT, C&C agent, etc.) if the environment meets the attacker's expectations
This study highlights how much value attackers place on protecting their compromise and exploitation tools.
Finally, a question was asked at the end of the presentation:
"What if we tricked all programs into thinking they were running in a sandbox?"
Paul replied that in all the cases studied, the attacker would not have sent his final payload.
A new Source of trouble – Remote exploitation of the Valve Source game engine
Amat Cama focused his study on the game engines used by the publisher Valve.
He first described what "game engines" are: they provide the APIs used by video games and offer several generic features that speed up game development.
Amat therefore chose to target the Valve engine, since it is one of the most widely used and a vulnerability in it affects as many games as possible.
During his demonstration, he set up a malicious server that exploited a vulnerability to take control of the machines of players connecting to it.
CTF
This year, over 450 people competed in this memorable CTF. In addition to the usual forensics, system, and web exploitation challenges, a special challenge was developed using Unity in the form of a 3D FPS (First-Person Shooter) game. To succeed, players had to cheat to access certain areas of the game and thus capture the flags.
Another new feature of this edition was the "Escape Room" challenge, in which participants had to assemble a QR code puzzle, pick padlocks, and log into a computer using a barcode scanner, all as quickly as possible. Intrinsec finished in first place in this challenge, completing it in 5 minutes and 6 seconds.
Once again, "Dragon Sector" took first place, with a total of 97400 points, by completing a challenge at the very last minute.
All write-ups can be viewed via the following link:
https://ctftime.org/event/383/tasks/
We would like to thank SCRT for organizing this event and for their hospitality.
