Attacking Modern Environments Series: Attack Vectors on Terraform Environments
by: Mazin Ahmed
Ever come across an environment in an engagement that uses Terraform for IAAC (infrastructure-as-code) management? Almost every modern company does now.
In this talk, I will be sharing techniques and attack vectors to exploit and compromise Terraform environments in engagements, as well as patterns that I have seen that achieve successful infrastructure takeover against companies. I will also be covering detection and prevention methods for each attack vector discussed in my talk.
This is part of my work-in-progress research in cloud security and attacking modern environments.
Burnout: The Security Risk
by: Chloé Messdaghi
Did you notice a shift in your mental health and/or your colleagues'? Burnout was at an all-time high last year due to the surreal 2020. As we approach the end of the pandemic, we recognize how critical a role mental health plays in accomplishing goals and productivity output. This talk dives into the factors that lead to burnout among security professionals, the clear line between burnout and failure to retain team members, and how to invest in your team to make sure your team is able to thrive during stressful times.
Crafting your own combat hardware
by: Luis Angel Ramírez Mendoza (@larm182luis)
and Mauro Eldritch (@mauroeldritch)
In this talk, we would like to present two of our newest Hardware Hacking experiments.
Our Armory consists of all sorts of weaponized domestic hardware (BadUSB power banks, USB speakers, keyboards, and more) and infiltration devices, which are available as open-source projects. In this new visit to our Armory, we would like to showcase our newest tools: DIY Movement Sensors with integrated cameras for Physical Hacking and WiFi Deauther Charges. The sensors can be deployed during physical penetration tests or red teaming exercises, and are connected to the attacker's smartphone to give early warnings about any movement detected in the covered zone. The Electronic Charges are portable throwable devices, covered in a special adhesive coating which allows them to stick to ceilings or other surfaces. Upon activation, a countdown starts, and when it reaches zero, the device will start to run a pre-selected routine which can range from WiFi deauthing floods to bruteforcing, or even simply LED-light flashing and making noise to attract attention. Demo videos will be shown during the presentation.
Main topics are Hardware Hacking and Hardware Programming.
Discovering C&C in Malicious PDF with obfuscation, encoding and other techniques
by: Filipi Pires
Fuzzing: Revisiting Software Security
Software exploitation has been done for many years and the research continues, resulting in different types of attacks that have been used to prove that the software itself is breakable. Back in the early days of software exploitation, vendors kept denying that vulnerabilities existed in their products, and some took years to fix the problem. Then full disclosure was introduced to the public, and everyone doing the same research kept posting exploits on the Internet, where they were abused in either a good or a bad way.
Vulnerability research is one of the methods of securing software, and it usually involves complex processes such as reverse engineering, fuzzing, secure code auditing, and developing a proof-of-concept or even a full-chain exploit. These days, we can see many resources that could help in this process, including tools that can be used for fuzzing and libraries to speed up exploit development. The speed of mitigations developed by giant tech vendors such as Microsoft has brought some attention to researchers and reduced many attack surfaces. With this, the cost of vulnerability research has slightly changed.
Disclosing a vulnerability to a vendor can be a painful process: months of conversation over email, either with updates or with no progress at all. In our talk, we will be discussing research that has been done on different types of software, including our approach and analysis. We will discuss the vulnerability we found and the exploitation strategy. To add some fun facts, we will talk about how we approach one of the Malaysian government agencies on coordinating vulnerability disclosure about software security.
Malware Hunting - Using python as attack weapon
by: Filipi Pires
The purpose of this presentation is to use Python scripts to perform some tests of efficiency and detection in various endpoint solutions. During our demonstration we'll show a defensive security analysis with an offensive mind, executing some Python scripts responsible for downloading some malware in a lab environment. The first objective will be to simulate targeted attacks using a Python script to obtain a panoramic view of the resilience presented by the solution, with regard to the efficiency of its detection by signatures, NGAV and machine learning; in running this script, the idea is to download these artifacts directly onto the victim's machine. The second objective is to run more than one Python script with daily malware, made available by MalwareBazaar upon request via API access, downloading daily batches of malware.
With the final product, the front responsible for the product will have an instrument capable of guiding a mitigation and / or correction process, as well as optimized improvement, based on the criticality of the risks.
OAuth Authentication Bypass
by: Sheikh Rizan
OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords. We often see websites with “Sign in with Facebook” option. This facility provides convenience to the users that do not wish to sign up using the traditional username and password option. However, there exist a small number of websites that have poorly implemented OAuth allowing an attacker to bypass the authentication and impersonate another user to gain access to websites’ protected resources. This technique is known in the Bug Bounty community and is regarded as an authentication bypass or an account take-over. While there are various write-ups with regards to OAuth authentication bypass, this technique is not widely covered. We would like to present the technical details of the vulnerability we had found.
During this talk, we will present technical findings pertaining to how this exploit works. We will show screenshots of traffic intercepted in Burp Suite and which parameters are tampered with by the attacker to gain an account take-over. When successful, an attacker will be able to impersonate another user and will be able to access the protected resource on the Resource Server. The incorrect implementation of OAuth to authenticate users could lead to unauthorized access to sensitive PII user data. This vulnerability is trivial to exploit and identify; a well-trained web penetration tester should be able to spot this vulnerability during a black box test and make recommendations to rectify the problem. It is important to summarize that the fault is not within the Authorization Server (Google, FB or Twitter) but rather due to the failure of the Resource Server to properly validate certain parameters. It is imperative that the Resource Server never trust any user-supplied parameters.
Phishing & Education: Applying security principles during the pandemic
by: IJ Puzon
Based on a true story, it details the analysis of an email phishing attempt against an ordinary Filipino, an understanding of why the threat of phishing is common and the application of security principles by an educational institution during the pandemic.
Skrull Like A King: From File Unlink to Persistence
by: Sheng-Hao Ma
The king is dead, long live the king! There is a well-known feature by which anti-virus or EDR can capture ambiguous or suspicious program files and send them back to security response center for researcher analysis. For malware designers, playing cat and mouse with security solutions in the post exploitation stage while hiding their backdoors from malware detection and forensics is a crucial mental challenge.
Many methods used in the wild by hackers against researchers have already been discussed, for example using a COM hijack to obscure their malware, deploying a kernel hook-based rootkit, bypassing signature-based scanning, and others besides. There's still no method robust enough to counter these techniques, as researchers often cannot totally understand how the malware works internally even if it's caught and analyzed.
Imagine a situation: malware acquires DRM protection, and thereby naturally damages itself when copied from the infected machine. Is it possible? How would it happen? In short, security vendors should be prepared to handle this situation within the Maginot line of their own defenses.
In this talk, we are going to share a breakthrough discovery obscured from even the most thorough researchers, which can be weaponized and used in the wild with wide applications. We'll show how it links up three different vulnerabilities, and is then weaponized to form three different methods of abuse. At the end of our talk, we'll live demo three proof-of-concepts, share our source code, and propose several mitigation plans for security vendors.
1. Well-Known Methods of Post-Exploitation (~3min)
- Techniques for Hiding Malware: COM Hijacking, Rootkits and More
- Anti-Debuggers, Sandboxes, Virtual Machines, and Custom Packers
- Masquerade Methods: Hollowing, Doppelganging, and Herpaderping
- Defects in current techniques
2. NTFS Abuse Features in Windows (~13min)
- Alternate Data Streams (ADS)
- How Windows Locks Exe Files of a Running Process
- Abusing ADS to Unlink the Exe File of a Process
- (Demo) Remove The Exe File from a Running Process (Like a Fileless Attack)
- (Demo) Woohoo! We're signed by Microsoft ;)
3. Win32 Application Loader Features (~10min)
- Application Loader Task to Fix Up PE Image in Dynamic
- Import Table & Win32 ABI by Function Ordinals from the Compiler
- (Demo) Designing Malware DRM: Homogenize Backdoors' Import Table with a Victim's ABI
4. Conclusion (~4min)
- Doppelganging vs. Herpaderping vs. Skrull
- Patch Suggestions & Mitigation for Security Vendors
- Closing Remarks