ATTOR is a previously unreported espionage platform used in targeted attacks, focusing on diplomatic missions and governmental institutions. Its most interesting features are a complex modular architecture, elaborate network communication and a unique plugin to fingerprint GSM devices.
Highly targeted, with only a few dozen victims affected, ATTOR specifically searches for TrueCrypt-protected hard drives and the processes of specific VPN applications. This suggests the attackers have a special interest in privacy-conscious users. ATTOR is also apparently focused on Russian targets.
The malware's core – its dispatcher – serves as a management unit for additional plugins, and provides an interface for the plugins to call Windows API and cryptographic functions indirectly.
Plugins themselves are heavily synchronized, with network communication alone being spread across four different components, each implementing a different layer, allowing ATTOR to communicate with its FTP C&C server residing in an onion domain. A customized Tor client is used for communication, and the overall setup makes it impossible to analyze the communication unless all pieces of the puzzle have been collected.
The capabilities of ATTOR rely on the plugins, which allow the attackers to customize the platform per victim. The most notable plugin is able to detect connected GSM/GPRS modems or mobile devices; this allows ATTOR to speak to them directly using the AT command set, in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber.
In this presentation we will dissect this espionage platform, focusing on its GSM fingerprinting capability. We will look into the affected devices and explore further implications of misusing AT commands. We will document the platform architecture, especially the network communication workflow. We will also discuss the campaign, and its focus on high-profile and privacy-conscious users.
The mere existence of fuzzers is not breaking news, as they’ve been around for more than two decades. The big news is that fuzzers have grown up. They’ve become more capable, more accessible, and overall more mature.
This talk describes a new approach for coverage-guided grammar fuzzing the Windows kernel, and enhancements to the known approaches for fuzzing Windows applications.
Our research picks up where our last one ended (where we squeezed WinAFL to get 50 CVEs in 50 days from Adobe), making our way from userspace to ring0.
We utilized a state-of-the-art Linux syscall fuzzer (Syzkaller) to hunt for bugs in the Windows kernel. We did this by targeting the Windows Subsystem for Linux (WSL) and then going straight to win32k, resulting in a handful of vulnerabilities.
We’ll share our experiences from the trenches of fuzzing Windows, triaging the bugs to separate out the real vulnerabilities, and being acknowledged in the MSRC Top 100 (all bounty payments are donated).
The attack surface exposed by proprietary layer 2 protocols is rarely explored by the research community, and it contains hidden bugs that have severe implications for the security of the devices that use them, as well as the networks they belong to. We discovered 5 such zero-day vulnerabilities in a proprietary layer-2 protocol used by a wide variety of enterprise devices. This protocol, unfortunately, is enabled by default on all affected products, and on all ports of each product, widening the potential attack surface.
The first threat posed by the discovered vulnerabilities affects multiple brands of enterprise-grade switches and routers. From an attacker's perspective, these network appliances are a valuable asset, as they hold access to all network segments and are located in a prime position for traffic exfiltration. By leveraging the vulnerabilities, an unauthenticated attacker can gain full control over the network appliance and move laterally between the VLANs served by it, effectively breaking network segmentation completely.
The second attack scenario affects multiple brands of IP phones and IP cameras, numbering in the tens of millions in use by users and organizations worldwide. An attacker could use the discovered vulnerabilities to simultaneously take over all phones and cameras in a network, by sending a specially crafted broadcast packet throughout the network. Once in control of these devices, an attacker can listen in on calls and view the video feeds, creating the ultimate spying tool.
In our talk, we will demo both attack scenarios, demonstrating the full implications of pwning an organization's enterprise switch, and the frightening potential a single packet can have in taking over enterprise-grade phones and cameras.
One of the most common types of vulnerabilities fixed in the last year or so in Microsoft Windows was insecure file access. These vulnerabilities cover a range of issues where a privileged component, such as a system service, accesses files without correctly using impersonation. Using different types of file system links, these bugs can be abused to escalate privileges.
I discovered many vulnerabilities of this type in the Windows Error Reporting (WER) suite. WER is a flexible event-based feedback infrastructure designed to gather information about hardware and software problems that Windows can detect, report the information to Microsoft, and provide users with any available solution. However, the way WER is designed is prone to insecure file access issues. The vulnerabilities I discovered were assigned CVE-2019-1374, CVE-2019-1319, CVE-2019-1342, CVE-2019-1037 and CVE-2019-0863.
In this talk I will give an overview of how WER works. Next, I’ll discuss these types of bugs and the common methods to exploit them. Lastly, I’ll go into the details of some of the vulnerabilities I discovered.
The complexity of JavaScript and Web APIs has led to an increase in vulnerabilities found in modern web browsers. Many of these vulnerabilities are relatively easy to exploit and lead to full code execution within the browser process. To combat this, browser vendors have worked to secure their platforms through sandboxing. With a sandbox, exploits can only hijack control of the renderer process (the process which displays the webpage) and are not able to interact with the rest of the system to install malware or execute other payloads. An advanced attacker may try to find holes in the sandbox to gain access to the full system, but this requires finding more bugs and spending more engineering effort.
However, if we forgo the sandbox escape, there is still interesting functionality the renderer process is allowed to access. This talk will examine the functionality available to a compromised renderer process and see how it can be abused to compromise browser users. We will also look at how this could be used on up-to-date browsers through "patch-gapping". Finally, we will see how the landscape has changed in recent years and what strides have been taken towards more isolated renderer processes.
Nation-state censorship is one of the greatest threats to free and open communication. For years, censors have engaged in an arms race with researchers and practitioners, resulting in myriad techniques for evading censorship, as well as counter-measures to stop them. Unfortunately, censors have long had the advantage, because evading censorship has required researchers to first measure and understand how censors operate before they can intuit methods of evading them. In this talk, we will present a drastic departure from the previously manual evade/detect cycle. We will introduce Geneva, a novel genetic algorithm we developed that automatically discovers how to manipulate packet streams to evade censors.
We deployed Geneva around the world live against real-world censors in China, India, and Kazakhstan. Geneva discovered dozens of novel strategies, including many that exploit what appear to be bugs in nation-state censors. We will also present the first known strategies for evading censorship strictly from the server: without requiring any deployment of censorship evasion configuration, software, or hardware within the censoring regime at all, Geneva has learned strategies that can subvert nation-state censorship at the server on behalf of clients. Geneva represents an important first step towards automating censorship evasion through the application of AI. We will end the talk by discussing how these results may shape the future of the censorship arms race.
DPAPI has already been discussed, but how does it work internally?
How can you use or abuse it to get credentials, more and more credentials?
In this presentation I will describe and demo, step by step, many ways to decrypt credentials protected by DPAPI with mimikatz, for your pleasure!
This talk will provide a unique view into the massive challenges tackled in securing the Windows operating system for over a billion users and the Microsoft Cloud and Intelligent Edge. We will cover the unique approach to fuzzing, static analysis, and penetration testing leveraged by the Windows vulnerability research team. Along the way, we will provide a look at how we have evolved the traditional security development lifecycle process into a more agile process that integrates threat intelligence, community relationships, and risk analysis techniques to focus security review efforts where they matter most. Oh yeah… there will also be vulns… lots of cool vulns…
In just one year – from December 2018 to December 2019 – we found five zero-day exploits in the wild that were targeting users of Windows OS. Our findings helped our industry partners find even more zero-day exploits. In this presentation, we’ll share the details behind the most interesting exploits that we found last year including the most recent zero-day for Google Chrome. Finding new exploits is a very challenging task, but we’d like to motivate everyone to join our hunt for zero-days in the wild.
In this presentation, we will share the following:
1) An in-depth analysis of the most interesting vulnerabilities and exploits used by attackers and found during a year-long period (from December 2018 to December 2019).
2) The interesting techniques that were used by attackers to remain undetected and protect zero-days from burning.
3) Our thoughts on changes in the current threat landscape and discovery of zero-day exploits.
As .NET has taken over as the preferred platform for development on Windows, many attackers have chosen to take advantage of its features for post-exploitation tradecraft. Legitimate APIs can be leveraged for nearly every imaginable task, managed code can be loaded and executed from memory with extraordinary ease, and scalable monitoring for suspicious usage of .NET APIs is a problem yet to be solved. However, offensive .NET tools are still hindered by a fundamental weakness: the inability to leverage unmanaged code (such as the Win32/NT APIs) safe from observation by EDR. Managed code must eventually invoke unmanaged code in order to interface with the operating system. It is here that the attacker may be caught in the hooks of any system keen on watching for fundamentally malicious behavior. To expose the depth of tradecraft still unexplored in .NET and highlight the fragility of many existing detections, we will detail the tools we have built for evading these hooks.
All of our efforts have been integrated into SharpSploit, a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers. Over the past few months we have added numerous new tools and techniques for loading and executing unmanaged code safely from .NET. Unmanaged APIs may be safely accessed and modules loaded either from memory or from disk in the new DInvoke API, a dynamic replacement for .NET's PInvoke API. It also includes manual mapping, a generic syscall wrapper, a new technique we call Module Overloading, and more. Additionally, we have added a modular process injection API that allows tool developers to build their own injection technique. Simply select an allocation and injection primitive, pass in any options, and execute the result with your preferred payload. This exposes all possible design decisions to the user, and allows for easy adaptation when existing tools fail.
In our talk we will focus on explaining the fundamental tradecraft behind these new developments, the challenges and requirements associated with them, and how they can be adapted to suit your needs. Additionally, we will discuss how SharpSploit can be combined with other open-source projects to be integrated into a red team's tooling. As much as possible, we will also discuss how to counter and detect the techniques that we have developed. Finally, we will explain the community-focused development of these projects and how you too can contribute to advancing open-source .NET tradecraft.
syzkaller is an open-source, coverage-guided, structure-aware kernel fuzzer with a strong accent on automation, currently supporting 7 operating systems. In this talk, Dmitry will describe the history and motivation behind the project, outline the main guiding principles of the project, and discuss the challenges of kernel fuzzing as compared to more developed user-space fuzzing (coverage flakiness, test isolation, an enormous input space). Dmitry will then talk about the main design decisions that enabled overcoming these challenges, including the interface description language, syzkaller program notation and interpretation, and code coverage support. The talk will continue with the (at the time) unexpected results: thousands of bugs uncovered by syzkaller in the Linux kernel and the automation required to handle the stream of bugs. The final part of the talk is dedicated to potential future improvements and touches on syzkaller/Windows/WSL integration.
In recent years, we have analyzed some of the most significant cyberattacks in history. In this presentation we'll go over the most interesting tactics, techniques, and procedures of the adversaries behind them. Specifically, we'll analyze the TTPs of Sednit (a.k.a. APT28), the group reportedly responsible for the Democratic National Committee hack that affected the US 2016 elections. The most notable addition to their arsenal is a UEFI rootkit used to achieve persistence on victimized systems. Dubbed LoJax, it is the first UEFI rootkit found in the wild. We'll analyze how it works and share the story of its discovery. The second group that we'll focus on is Telebots (a.k.a. Sandworm), the group behind the first malware-driven electricity blackouts (BlackEnergy and Industroyer) and the most damaging cyberattack ever (NotPetya). We'll recap these infamous attacks, but also discuss their more recent activities. The discussed TTPs will be mapped to the MITRE ATT&CK taxonomy, and we will share some lessons learned from analyzing these attacks that are useful in strengthening the security posture of your organization.
Checkm8 is an unfixable vulnerability present in hundreds of millions of iPhones, in SecureROM, a critical component in Apple's Secure Boot model. The vulnerability allows security researchers and jailbreakers alike to take full control over the application processor's execution.
This talk will detail how we built an iOS jailbreak from the ground up, quite literally, by using a use-after-free bug in Apple's SecureROM. This is a key component which is designed to bring up the application processor during boot, and which also exposes a firmware update interface over USB called DFU.
By abusing this vulnerability it is possible to unlock full control of the application processor, and enable debugging functionalities such as JTAG, helping security researchers look for other security vulnerabilities in Apple devices more effectively.
In this talk we will explain the root cause of the vulnerability and the techniques used for exploiting it. We will also discuss some of the hurdles we encountered while trying to turn this bug into a reliable jailbreak, and talk about the progress we made so far and our plans for the future of the project.
The PlayStation Vita is the successor to the PlayStation Portable (PSP) and has been one of the most secure handheld game consoles on the market. In addition to the main ARM processor, the PS Vita has a MIPS processor for PSP compatibility. The backwards compatibility feature increases the attack surface with a High-level emulation (HLE) feature that uses RPC to access the hardware devices. This talk describes the process of studying the PSP firmware, PSP emulator and PS Vita kernel; discovering and exploiting six unique vulnerabilities; and chaining them together to enable an escape from the MIPS userland to the ARM kernel.
Every day the internet is scanned & probed by a quarter of a million IP addresses. Some of this traffic is benign, but most (around 60%) is malicious. High-profile names like Mirai and EternalBlue receive most of the media attention, but they're in the "Devil you know" category. What I find more fascinating are the ports and services which are inexplicably "interesting" and the networks looking for them.
In this talk, I'll dive into:
1) The tools I use to monitor automated scans
2) Patterns I've observed over the last 18 months
3) Which networks are the most aggressive and their targets of choice
4) How organizations can leverage my hunting tactics to better defend & respond to threats in their own environments
This is important because even today, in 2020, significant vectors for compromise are poor network security hygiene, patching, access control and weak or nonexistent authentication. While zero-day exploits receive most of the media attention, most networks are compromised through completely avoidable security mistakes.
I'll demonstrate the strategies I use to fingerprint and identify at-risk VMs in Azure which have proven effective when hunting risk against an attack surface of 2.8 million internet-exposed IP addresses. The same methodologies can be applied by anyone with an internet footprint and are a critical part of responding to new vulnerabilities and attack campaigns and finding compromised hosts in your environment. The techniques are environment-agnostic, effective across all cloud providers and don't require anything more than accounts with a few OSINT providers.
When 0-day exploits are used in the wild, vendors and the security community often focus on the specific vulnerability used in that exploit. While it's important and necessary to get that singular vulnerability patched, there are often more vulnerabilities like it that the actor has also found. This talk presents case studies into the variant analysis done on recent 0-day exploits that were used in the wild. The talk will discuss the variety of variant analysis techniques used in the different cases and both the positive and negative results yielded. By completing variant analysis each time a new 0-day is found, we can ensure that we're making it as hard and as expensive as possible to use 0-days in the wild.