Attacking Modern Environments Series: Attack Vectors on Terraform Environments
by: Mazin Ahmed

Ever come across an environment in an engagement that uses Terraform for IAAC (infrastructure-as-code) management? Almost every modern company does now.

In this talk, I will be sharing techniques and attack vectors to exploit and compromise Terraform environments in engagements, as well as patterns that I have seen that achieve successful infrastructure takeover against companies. I will also be covering detection and prevention methods for each attack vector discussed in my talk.

This is part of my work-in-progress research in cloud security and attacking modern environments.

Burnout: The Security Risk
by: Chloé Messdaghi

Did you notice a shift in your mental health and/or your colleagues'? Burnout was at an all-time high last year due to the surreal 2020. As we approach the end of the pandemic, we recognize how critical a role mental health plays in accomplishing goals and productivity output. This talk dives into the factors that lead to burnout among security professionals, the clear line between burnout and failure to retain team members, and how to invest in your team to make sure your team is able to thrive during stressful times.

Buzzard: Crafting your post exploitation framework against odds
by: Aravindha Hariharan and Subhajeet (ElementalX)

Quality & Innovation over quantity. Post-exploitation is a crucial part of a red-team assessment, as the other phases can be carried out passively but post-exploitation cannot. One of the most important aspects of this entire process, maintaining access to the compromised host, should be carried out with stealth in mind, from performing enumeration to leveraging administrator-level privileges and lateral movement, as modern sophisticated EDRs, SIEM solutions and other detection-engineering software aim to stay ahead by detecting these malicious implants & beacons. However, in this game of cat & mouse, the conventional part of red teaming also involves discovering bypass techniques for all the security mechanisms deployed.

Once the red teamer gains an initial foothold into the host, he can implant an adversary in the host to achieve persistence. The adversary is capable of staying dormant and performing operations in stealth. It is capable of operating without internet access and can send data or receive commands when connected to the internet. This happens via the command and control server of the red teamer. It is crucial that the command and control server is secure and fast to reduce latency and improve data transmission. Above all, the server must be easy to deploy and maintain and must be user-friendly. In a few instances the red teamer might have to pivot the data through another internal system that is connected to the internet. Under such conditions, it is crucial that the C&C server stays light and fast too.

Buzzard, which is built by two undergrad students, has been developed to operate under such intense circumstances. It is easy to deploy, with both command-line and web interfaces, giving the user the freedom to choose the beacons and implants of his own choice, as Buzzard aims to provide implants programmed using C, Python, Rust and Go. Although some of the implants & beacons are built in languages which are not "write once & run everywhere", we aim to build small additional beacons which help set up the necessary environment so that other beacons can execute easily.

Buzzard is a hybrid architecture packaged into a Docker container. We have a web interface through which the attacker manages tasks according to the requirements. The web front-end is built with HTML, CSS and jQuery and is served through Node.js, which acts as middleware between the REST API and the front-end. The API follows the CRUD (Create, Read, Update, Delete) principle, functions like a stateless API, and connects to a MongoDB database to store and retrieve information about the tasks. The API also serves the beacons directory for sharing the scripts which interact through the implant. We have a dedicated module for creating tunnel sessions. During each session creation a unique URL is created; some beacons depend on it, and it is dynamically written into the respective files. When the server is stopped, the files are rewritten back to default. We have a separate module that creates a channel for a WebSocket connection, used for real-time notifications about tasks as well as for updating the target page with online status. The Monitor module is a multi-threaded module that runs in the background to check the status of the target machine, sending an ICMP packet to the target and updating the profile page to show whether the respective target machine is online or offline.

Buzzard currently supports 9 post-exploitation modules, with more to be added. Regarding multi-platform support, the implants are only capable of running on Windows & Linux machines. Buzzard is therefore a flexible, user-friendly C2 server that is easy to deploy and monitor, and it gives the user the choice of his favorite programming language for beacons, making it easy for him to debug them. The main goal remains to make the beacons more persistent and more user-friendly, and to apply anti-reverse-engineering traits that make it a bit tougher for the defender to analyze these beacons.

Click Here For Free TV! Chaining Bugs to Takeover Wind Vision Accounts
by: Leonidas Tsaousis

Wind Vision is a streaming service offered by a top Greek telecommunication vendor. With over 40.000 active subscribers, a user can just download the Android application and watch TV from anywhere... And so could a malicious third party, by exploiting a series of vulnerabilities to go from one wrong click by the user to complete takeover of their account. This talk will present the findings of independent research conducted in 2020 that led to the discovery of several bugs which, although low-impact individually, could result in a much greater attack when chained together.

We will dive deep into the analysis of the vulnerabilities, discussing the common mobile development pitfalls and the psychology behind confusing prompts. Attendees will also have the chance to install the demo Proof of Concept malware application that was developed (it's safe, I promise) to see for themselves how the full chain worked. Mobile developers in the audience will gain insight into how to prevent such attacks, to create apps that are fun, but also keep their users' watchlists safe from targeted malware. Finally, we will close up with a review of the disclosure process, the aftermath of resolution, and other lessons learned that will hopefully set aspiring researchers on the right path to find vulnerabilities in products they use day-by-day.

The vulnerabilities were released in a technical advisory:

And the in-depth analysis was presented in a follow-up technical blog post:

Crafting your own combat hardware
by: Luis Angel Ramírez Mendoza (@larm182luis) and Mauro Eldritch (@mauroeldritch)

In this talk, we would like to present two of our newest Hardware Hacking experiments. Our Armory consists of all sorts of weaponized domestic hardware (BadUSB power banks, USB speakers, keyboards, and more) and infiltration devices, which are available as open-source projects. In this new visit to our Armory, we would like to showcase our newest tools: DIY Movement Sensors with integrated cameras for Physical Hacking and WiFi Deauther Charges. The sensors can be deployed during physical penetration tests or red teaming exercises, and are connected to the attacker's smartphone to give early warnings about any movement detected in the covered zone. The Electronic Charges are portable throwable devices, covered in a special adhesive coating which allows them to stick to ceilings or other surfaces. Upon being activated, a countdown starts and when it reaches zero, the device will start to run a pre-selected routine, which can range from WiFi deauthing floods to bruteforcing, or even simply flashing LED lights and making noise to attract attention. Demo videos will be shown during the presentation.

Main topics are Hardware Hacking and Hardware Programming.

Discovering C&C in Malicious PDF with obfuscation, encoding and other techniques
by: Filipi Pires

This talk demonstrates the different kinds of structures in binaries such as a PDF (header/body/cross-reference table/trailer), explaining how each section works within a binary and which techniques are used, such as packers, obfuscation with JavaScript (PDF) and more. It also explains some anti-disassembly techniques, demonstrating how this malware acts and where it would be possible to “include” malicious code. By the end of this talk it will be clear to everyone what the differences in binary structures are and how the researcher should conduct each of these kinds of analyses; besides, of course, the researcher should seek more basic knowledge of file structures, software architecture and programming languages.

Fuzzing: Revisiting Software Security
by: Nafiez

Software exploitation has been done for many years and the research continues, resulting in different types of attacks developed to prove that the software itself is breakable. Back in the early days of software exploitation, vendors kept denying that vulnerabilities existed in their products and some took years to fix the problem. Then full disclosure was introduced to the public, and everyone doing the same research kept posting exploits on the Internet, where they were used in either a good or a bad way.

Vulnerability research is one of the methods of securing software and usually involves complex processes, such as reverse engineering, fuzzing, secure code auditing, and developing a proof-of-concept or even a full-chain exploit. These days, we can see many resources that could help in this process, including tools that can be used for fuzzing or even libraries to speed up exploit development. The speed of mitigations developed by giant tech vendors such as Microsoft has brought some attention to researchers and reduced many attack surfaces. With this, the cost of vulnerability research has slightly changed.

Disclosing a vulnerability to a vendor can be a painful process: months of conversation over email, either with updates or no progress at all. In our talk, we will be discussing research that has been done on different types of software, including our approach and analysis. We will discuss the vulnerability we found and the exploitation strategy. To add some fun facts, we will talk about how we approach one of the Malaysian government agencies on coordinating vulnerability disclosure about software security.

Gathering Cyber Threat Intelligence from the Cybercriminal Underground
by: Eric Reyata

CTI focuses on data collection and information analysis so we can gain an insight about threats against our organization. An often overlooked, but very important source of intelligence is the Criminal Underground.

In this talk, we will discuss how to produce and deliver relevant, accurate, and timely curated information from the CU so that your organization can learn how to protect itself from a potential threat. We'll also look into data breaches, ransomware leak sites and criminal marketplaces to have a better understanding of the underground economy.

Hack the Planet! Desecuritise Cyberspace
by: Emil Tan

I'm in cybersecurity. You're in cybersecurity, or interested in cybersecurity. But, what are we securing? Are we getting better at it? In this talk, I'll deconstruct the concept of (cyber)security and discuss why and how hackers — you and I — should desecuritise cyberspace and hack the planet instead.

Keeping Up With Modern Automotive Exploitation
by: Kamel Ghali

It is common knowledge that vehicles are becoming more connected to the world around them with each passing year. Transportation itself is undergoing a connectivity revolution, with cars, trucks, trains, and even boats being synchronized into the increasingly IoT-influenced world. Appropriately, the global automotive industry and international legislative bodies have begun to prioritize the inclusion of cybersecurity measures into vehicles – passing regulations and industry standards to guide the future of connected transportation.

Despite these strides in awareness of the need for security in vehicles, we still see numerous instances of vehicles being remotely compromised every year. This research is almost always done in a benevolent, white-hat setting (thankfully) but recent disclosures in automotive security have highlighted the importance of security processes in the automotive and greater transportation security industry. This presentation aggregates the most significant vehicle security research presented in the past few years, draws valuable lessons from analysis of the types of attacks used and technologies targeted, and explores ways in which similar attacks can be prevented in the future by adhering to developing industry standards and global legislation.

Malware Hunting - Using python as attack weapon
by: Filipi Pires

The purpose of this presentation is to use Python scripts to perform tests of efficiency and detection in various endpoint solutions. During our demonstration we'll show a defensive security analysis with an offensive mindset, executing some Python scripts responsible for downloading malware in a lab environment. The first objective will be to simulate targeted attacks using a Python script to obtain a panoramic view of the resilience presented by the solution, with regard to the efficiency of its detection by signatures, NGAV and Machine Learning; running this script, the idea is to download these artifacts directly onto the victim's machine. The second objective is to run more than one Python script with daily malware, made available by MalwareBazaar upon request via API access, downloading daily batches of malware.

With the final product, the front responsible for the product will have an instrument capable of guiding a mitigation and/or correction process, as well as optimized improvement, based on the criticality of the risks.

OAuth Authentication Bypass
by: Sheikh Rizan

OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords. We often see websites with “Sign in with Facebook” option. This facility provides convenience to the users that do not wish to sign up using the traditional username and password option. However, there exist a small number of websites that have poorly implemented OAuth allowing an attacker to bypass the authentication and impersonate another user to gain access to websites’ protected resources. This technique is known in the Bug Bounty community and is regarded as an authentication bypass or an account take-over. While there are various write-ups with regards to OAuth authentication bypass, this technique is not widely covered. We would like to present the technical details of the vulnerability we had found.

During this talk, we will present technical findings pertaining to how this exploit works. We will show screenshots of traffic intercepted in Burp Suite and which parameters are tampered with by the attacker to gain an account take-over. When successful, an attacker will be able to impersonate another user and will be able to access the protected resource on the Resource server. The incorrect implementation of OAuth to authenticate users could lead to unauthorized access to sensitive PII user data. This vulnerability is trivial to exploit and identify; a well-trained web penetration tester should be able to spot this vulnerability during a black box test and make recommendations to rectify the problem. It is important to summarize that the fault is not within the Authorization Server (Google, FB or Twitter) but rather due to the failure of the Resource Server to properly validate certain parameters. It is imperative that the Resource server never trusts any user-supplied parameters.

Phishing & Education: Applying security principles during the pandemic
by: IJ Puzon

Based on a true story, it details the analysis of an email phishing attempt against an ordinary Filipino, an understanding of why the threat of phishing is common and the application of security principles by an educational institution during the pandemic.

Securing Process Control Data Transmission to the Blockchain Network
by: Lloyd Kenneth Tugbo and Arian Hills

Integrating Blockchain into Industrial Control Systems (ICS) offers several benefits, but securing its data is a significant issue. This concern slowed the development of this technology in the ICS Industry, preventing it from achieving the level of disruption seen in other industries such as electronic gaming and finance. While encryption is a secure technique in and of itself, it is insufficient to address the data privacy issue inherent in data transmission to the blockchain, rendering it unsuitable for use in the industrial sector where process control data is critical. End-to-end encryption is seen as a solution for L3 to the Blockchain network; however, the optimal end-to-end implementation from the Purdue model's L0/L1 to L3 remains a study topic. This paper will examine existing technologies that can be chained to enable simple and secure transfer of plant data from L0/L1 to Internet Blockchain networks.

To integrate Blockchain in ICS, we considered embedding a blockchain inside a plant network; however, this approach is appropriate for a different use case. The second option is to build a framework around existing technologies. We begin by identifying the main issue that requires attention, which is securing the data transmission. The issue we identified is with data transfer from the Purdue Model's L0/L1 to the Blockchain network and the study examined a variety of potential solutions to this issue. End to End encryption was chosen as the primary method of connecting L3 to Blockchain, either through the use of pre-existing E2EE messaging protocols such as Matrix or through the development of a new E2EE protocol that meets the blockchain and ICS integration criteria in the L3 to Blockchain network chain. These E2EE solutions are limited to L3 to Blockchain networks, which means that there are still issues with E2EE for devices in L0/L1 networks up to Level 2.5 of the Purdue Model, for which we introduced the concept of developing E2EE protocols for embedded devices such as the E4, which is still in its early stage of development and thus not widely used by device manufacturers. Additionally, we recommend the FDI Technology end-to-end solution, which securely connects plant devices to business layers through the use of digital signature technology in the plant devices and secure data transfer via the OPC UA messaging protocol, which is used in the L2.5/3 layer. Although this technique does not utilize end-to-end encryption, we can guarantee that it is not tampered with during transmission due to the digital signature and timestamping features. A sample architecture was presented in which two technologies were integrated. To begin, we'll use Matrix as an E2EE solution for safe data transfer from L3 to Blockchain, followed by FDI technology for securely transmitting data from L0/L1 to L3 network to complete the end-to-end solution.

Skrull Like A King: From File Unlink to Persistence
by: Sheng-Hao Ma

The king is dead, long live the king! There is a well-known feature by which anti-virus or EDR can capture ambiguous or suspicious program files and send them back to security response center for researcher analysis. For malware designers, playing cat and mouse with security solutions in the post exploitation stage while hiding their backdoors from malware detection and forensics is a crucial mental challenge.

Many methods used in the wild by hackers against researchers have already been discussed, for example using a COM hijack to obscure their malware, deploying a kernel hook-based rootkit, bypassing signature-based scanning, and others besides. There's still no method robust enough to counter these techniques, as researchers often cannot totally understand how the malware works internally even if it's caught and analyzed.

Imagine a situation: malware acquires DRM protection, and thereby naturally damages itself when copied from the infected machine. Is it possible? How would it happen? In short, security vendors should be prepared to handle this situation within the Maginot line of their own defenses.

In this talk, we are going to share a breakthrough discovery obscured from even the most thorough researchers, which can be weaponized and used in the wild with wide applications. We'll show how it links up three different vulnerabilities, and is then weaponized to form three different methods of abuse. At the end of our talk, we'll live demo three proof-of-concepts, share our source code, and propose several mitigation plans for security vendors.

1. Well-Known Methods of Post-Exploitation (~3min)
- Techniques for Hiding Malware: COM Hijacking, Rootkits and More
- Anti-Debuggers, Sandboxes, Virtual Machines, and Custom Packers
- Masquerade Methods: Hollowing, Doppelganging, and Herpaderping
- Defects in current techniques

2. NTFS Abuse Features in Windows (~13min)
- Alternate Data Streams (ADS)
- How Windows Locks Exe Files of a Running Process
- Abusing ADS to Unlink the Exe File of a Process
- (Demo) Remove The Exe File from a Running Process (Like a Fileless Attack)
- (Demo) Woohoo! We're signed by Microsoft ;)

3. Win32 Application Loader Features (~10min)
- Application Loader Task to Fix Up PE Image in Dynamic
- Import Table & Win32 ABI by Function Ordinals from the Compiler
- (Demo) Designing Malware DRM: Homogenize Backdoors' Import Table with a Victim's ABI

4. Conclusion (~4min)
- Doppelganging vs. Herpaderping vs. Skrull
- Patch Suggestions & Mitigation for Security Vendors
- Closing Remarks

The Curious case of knowing the unknown
by: Vandana Verma Sehgal

Modernising applications is the need of the hour. However, we still see vulnerabilities that keep creeping in. When the loopholes in applications (such as legacy, desktop, web, mobile, microservices) are exploited, it can give threat actors visibility and access to the organisation’s data.

As per one piece of research, 96.8% of code on the internet is open source. When open source is eating up the whole internet, it becomes imperative to know the aspects of open source usage: if open source libraries are not used properly or updated on time, they can make applications severely vulnerable. In this talk, we will find the hidden treasures in open source projects and see how we can find them before someone else does.

The Kill Chain: Future of Cyber in Defense
by: Harshit Agrawal

Modern military forces rely heavily on a variety of complex, high technology, electronic offensive, and defensive capabilities. A well-timed Tweet, an errant Facebook group, or a seemingly harmless WhatsApp forward holds the potency to be even more dangerous than artillery fire and airstrikes. This session aims to offer attendees the opportunity to learn about emerging technologies, threats, and practices that will shape the future of warfare and cyberspace operations.

The main topics are Information Warfare, Cyber Reconnaissance, Internet of Battlefield Things. This session will introduce attendees to the Era of Convergence of Cyber and EW, Operations in Multi-domain, along with case studies of Cyber-Reconnaissance, C-UAS, Space warfare, and a glimpse of future warfare from a technological perspective (IoBT).

Using WordPress comments section as a C&C for fun
by: Juan Karlo Licudine (accidentalrebel)

I explore the possibility and feasibility of using the comments section of abandoned WordPress-powered blogs as command and control servers. There would be no site take-over nor use of APIs. Communications will be done by disguising commands as legitimate comments or as spam. I'm sharing this as a fun experiment with a novel approach to C&Cs that can offer anonymity with zero hosting costs.

VMProtect2: Architectural Analysis, Exploitation, and VMP2 IL
by: _xeroxz

This presentation will cover detailed analysis of the VMProtect 2 virtual machine for x86_64 PE binaries, architectural weaknesses, memory movement/virtual instruction introspection on par with that of a hypervisor, VMProtect 2 intermediate level of representation, branching (including loops) inside of the virtual machine, VMProtect 2 packer drag and drop solution, lifting VMProtect 2 IL to VTIL and to LLVM, and lastly future work.

Although there has been an excessive amount of time for researchers to create solutions for VMProtect 2, there has been little to no open source software to deal with the polymorphic virtual machine architecture that VMProtect 2 generates. The most significant research pertaining to VMProtect 2 x64 PE binaries has been presented by Samuel Chevet. The dynamic research (VMHook) that I present in my talk is based upon his original work. The static analysis tools are based on my own research and algorithms (VMEmu).

The first half of the presentation will focus primarily on how VMProtect 2 works (not just virtualization, but mutation and “ultra virtualization”, as well as the packer), and how static analysis tools were created to handle such polymorphic behavior. This section of the presentation will spend some time talking about branching inside of the virtual machine, which also extends to looping, as well as stressing the importance of being able to uncover all code paths. The second half of the presentation will focus mostly on how to attack VMProtect 2 binaries by hooking into the virtual machine, how the packer can be defeated pretty trivially with unicorn-pe (unicorn-engine), lifting to VTIL/LLVM, running your own virtual instructions on VMProtect 2 virtual machines, comparing VMProtect 2 to VMProtect 3, and lastly future work pertaining to code obfuscation and virtualization.