A new secret stash for fileless malware
by: Denis Legezo
Today, attacks using fileless malware have become more complex and the actors behind them have created new advanced means of implementing them. In 2022, Kaspersky discovered new methods used to keep the code hidden from prying eyes. For the first time, we discovered that Windows event logs participate in the infection chain. This is concerning, as event logging exists in every installation of the most widely used operating system on the globe.
These informational messages can hold additional binary data. The dropper saves the shellcode into the Key Management System’s (KMS) event source information, assigning a specific category ID and incremented message IDs. Auxiliary malicious modules can then gather the 8KB pieces from the logs, turn them into complete shellcode and run it.
Nevertheless, the actor’s interest in the event logs isn’t limited to just keeping the shellcodes. To hide the infection process, Go droppers also patch the ntdll.dll Windows API functions related to logging (like EtwEventWriteFull, etc.).
In our presentation, we will share the results of our in-depth research into the infection chain, containing:
- commercial pentesting frameworks
- a number of anti-detection decryptor-launchers, written in different languages
- last stage fully-fledged trojans for C2 communications and lateral movement
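As an added example (not code from the Kaspersky research or the talk), here is a heuristic a defender could run over exported event records to spot the pattern the abstract describes: large binary payloads under a single event source and category with incrementing message IDs. The record layout, source names and IDs below are constructed assumptions; real events exported with wevtutil or Get-WinEvent would need mapping to the same dict shape.

```python
from collections import defaultdict

CHUNK_SIZE = 8 * 1024  # the abstract describes 8KB pieces
MIN_CHUNKS = 3         # assumption: require a short run of chunks to cut noise


def find_staged_payloads(events):
    """Return {(source, category): [message_ids]} for event sources whose
    large binary payloads form a run of consecutive message IDs."""
    by_key = defaultdict(list)
    for ev in events:
        data = ev.get("data") or b""
        # Ordinary informational events carry little or no binary data;
        # only payloads of roughly chunk size are of interest.
        if len(data) >= CHUNK_SIZE // 2:
            by_key[(ev["source"], ev["category"])].append(ev["message_id"])
    hits = {}
    for key, ids in by_key.items():
        ids.sort()
        consecutive = all(b == a + 1 for a, b in zip(ids, ids[1:]))
        if len(ids) >= MIN_CHUNKS and consecutive:
            hits[key] = ids
    return hits


def reassemble(events, source, category):
    """Join the chunks of one flagged source/category in message-ID order,
    so an analyst can hash or disassemble the staged code offline."""
    chunks = sorted((ev["message_id"], ev["data"]) for ev in events
                    if ev["source"] == source and ev["category"] == category
                    and ev.get("data"))
    return b"".join(data for _, data in chunks)


def build_sample_events():
    """Constructed sample log: two benign events plus a stand-in payload
    split into 8KB chunks under one category with incrementing message IDs."""
    payload = (bytes(range(256)) * 110)[:CHUNK_SIZE * 3 + 1234]  # not real code
    events = [
        {"source": "Key Management Service", "category": 0,
         "message_id": 1001, "data": b""},                      # benign
        {"source": "Service Control Manager", "category": 0,
         "message_id": 7036, "data": b"\x01\x02"},               # benign
    ]
    for i, off in enumerate(range(0, len(payload), CHUNK_SIZE)):
        events.append({"source": "Key Management Service", "category": 1,
                       "message_id": 5000 + i,
                       "data": payload[off:off + CHUNK_SIZE]})
    return events, payload


if __name__ == "__main__":
    evs, _ = build_sample_events()
    for (src, cat), ids in find_staged_payloads(evs).items():
        print(f"{src!r} category {cat}: {len(ids)} chunks, IDs {ids[0]}-{ids[-1]}")
```

The trailing chunk of the constructed payload is smaller than half a chunk and so does not count toward the run, but it is still picked up by the reassembly step.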
China’s Cyber Capabilities: Espionage, Warfare, and Implications
by: Aaron Aubrey Ng
Over the past decade, there has been an alarming rise in the frequency and sophistication of China’s state-sponsored and state-affiliated cyberespionage activity, as well as its scope of targeting. China-Nexus Adversaries have deliberately and aggressively pursued targets across a spectrum of industries, including technology, defense, energy, healthcare, education, and other key sectors in pursuit of trade secrets and of sensitive information.
Of note, in early 2021, the China-Nexus Adversaries rapidly and effectively exploited a series of vulnerabilities in Microsoft Exchange — now collectively known as ProxyLogon and ProxyShell — to compromise email servers and, consequently, the sensitive information of tens of thousands of organizations around the world. Over the course of the pandemic, Chinese cyberespionage campaigns continued to target hospitals and research institutions for data that could confer competitive advantages in science and technology, while also demonstrating an emphasis on COVID-19 related research.
Coupling these recent prolific intrusions with the longstanding campaign of targeting a wide swath of industries, including insurance, travel & hospitality and government, for the purpose of acquiring sensitive personnel data, the threat that China-Nexus Adversaries pose to organizations today cannot be understated.
This session will provide insight into China’s intent and capabilities for cyberespionage and importantly what organizations can do to address this challenge effectively.
Hardware Hacking for Bug Bounty Hunters
by: Hrishikesh Somchatwar
Bug bounty has been an entirely different gift to the infosec business. With the extraordinary inclusion of bug hunters all around the country, we see numerous new writeups shared all over the web about their new bugs, discoveries and monetary gains from the programs; be that as it may, many (if not all) bug bounty hunters have no understanding of hardware. This is where the issue lies: hardware hacking was there in the business even before software hacking was introduced, but due to lack of resources or motivation, or even lack of fundamental understanding of these hardware concepts, people generally step back and don’t decide to learn it from scratch.
In this presentation (talk), we will be explaining how bug bounty hunters can use some basic techniques to hack into devices and find vulnerabilities in them. I will also be explaining the impact of these bugs and how you can exploit them using basic tools. The most important factor about the talk is that we will not just be giving a Basic Approach to Hardware Hacking, but also looking at Hardware Hacking from a Bug Bounty Hunter’s mindset.
We will also be discussing some Low Cost Tools, which will come in handy while doing a hardware pentest.
We start from the current status of hardware hacking and security, then talk about the impacts of these bugs in real-world products. Then we go through the explanation of some basic terminology required to get started with Hardware (Hardware Hacking 101), which includes some basic concepts like identification of hardware components, using measurement tools and gathering all the hardware tools. We will be having a special discussion on Hardware Recon; we will spend some time there and then directly look at the problems or attacks from the Bug Bounty Hunter’s mindset. For example: if I am looking at the Printed Circuit Board of the device, I will do a quick recon by googling for the chips and identify the components using the datasheet or FCC ID, etc. This Recon is used by bug bounty hunters to find information about any website. This is a small explanation of the mindset behind the bug hunter’s methodology.
Then we will be covering some basic case studies along with a good explanation of attacks like UART, JTAG, SPI, I2C, SWD and firmware extraction.
How Did I Get Here? I still don’t know what I’m doing: Getting into The Lifelong Adventure of Learning Cybersecurity & Incident Response
by: @j3st3rjames (James Kainth)
Where will your journey take you? My adventures have taken me from feeling confident about knowing what is normal for our computers or in our networks, to never feeling that way again and daring to innovate. Incident Response is an ever-growing field, with not enough people who can do the work. Heck, most jobs that require some form of cybersecurity are suffering from lack of support. The skills gap is REAL! If you want to learn and stay up to date with the ever-expanding world of cybersecurity, then this talk is for you. In digital forensics/incident response (DF/IR) you can peek behind the scenes of technology and learn about an entire world you never even knew was there! Think you’ve cleaned up after your ultimate hack? Think again! By starting your adventure into DF/IR you get to sleuth and learn about the artifacts attackers leave behind! Join me on this journey of self-improvement as we discover the potential cyber detectives we know we can be!
Learn what the necessary skills are to get into DF/IR with James Kainth who works on a Fortune 50 Incident Response Team! Develop an action plan to get started on your journey learning DF/IR Today!
While attending this session, folks will:
* Learn about the field of digital forensics & incident response
* Learn about ways to stay up to date in the cybersecurity industry
* Learn skills to tackle the imposter syndrome that comes along with being in any technical field
* Realize that Imposter syndrome can be a productive feeling if managed well
* Learn about free/open-source resources like Wazuh, ZimmermanTools, Autopsy, FTK Imager, Elastic Stack, Wireshark, and more!
* Generate an action plan and outline next steps to continue learning DF/IR
* Don’t delay … Start threat hunting today!
Human-Controlled Fuzzing With AFL
by: Maxim Grishin / Igor Korkin (@IgorKorkin)
Early detection of new bugs is crucial for all modern software products. Fuzzing techniques are applied to reveal different types of bugs and vulnerabilities. American Fuzzy Lop (AFL) is a free and the most popular software fuzzer, used by many other fuzzing frameworks. However, AFL has some disadvantages, the key one being that AFL verifies the program code without human intervention, whereas an involved security expert can make the fuzzing process more focused. On the one hand, AFL simplifies applying fuzzing systems, but, on the other hand, the flexibility of AFL is limited. Fuzzing is based on sending generated data as input to the target application and recording how the instrumented app processes this data. Using the output of the instrumented app, AFL can generate new input data to go deeper inside the application in the next step.
As a result of such an autonomous mode of operation, a fuzzer spends a lot of time analyzing minor code sections. To solve this problem, the paper proposes a new approach that can fuzz only the specified functions. As a result, the chosen ones will be inspected more meticulously by the fuzzer, without wasting time on inspecting minor code sections. Another new feature is to provide feedback about the inspected functions and controls, so that an expert can change which code functions need work at runtime. The developed module has been integrated with AFL and successfully responds to this challenge. This expert-controlled fuzzing with AFL shows positive test results.
Microsoft Defender Will Be Defended: MemoryRanger Prevents Blinding Windows AV
by: Igor Korkin (@IgorKorkin) and Denis Pogonin
Windows OS is facing a huge rise in kernel attacks. An overview of popular techniques that result in loading kernel drivers will be presented. One of the key targets of modern threats is disabling and blinding Microsoft Defender, the default Windows AV. The analysis of various attackers’ techniques that can disable and blind Microsoft Defender will be given. One of the recently published attackers’ techniques abuses Mandatory Integrity Control (MIC) and Security Reference Monitor (SRM) by modifying the Integrity Level and Privileges for the Defender application via syscalls. However, this user-mode attack can be blocked via the Windows “trust labels” mechanism.
The presented research discovers the internals of MIC and SRM, including the analysis of Microsoft Defender during malware detection. We show how attackers can achieve the same result using a kernel-mode driver. The driver modifies the fields of the Token structure allocated for the Microsoft Defender application. The experiments prove that Microsoft Defender is disabled without triggering any Windows security features, such as PatchGuard. The customized MemoryRanger was used to protect the Windows Defender kernel structures. The experiments show that MemoryRanger successfully restricts access to kernel data from illegal access attempts with affordable performance degradation.
Security Like the 80's: How I stole your RF
by: Ayyappan Rajesh
The issue of convenience vs. security has been spoken about for years now. With most devices having wireless capability now, it invites trouble, especially when it is not encrypted or secured: right from our tap-to-pay cards to even unlocking and starting our car.
This talk discusses CVE-2022-27254 and the story of how we came about discovering it. The CVE covers an issue in the remote keyless system on various Honda vehicles that allows an attacker to access the cars, and potentially even drive away with them!
Signs, Signs, Everywhere There are Signs of a Ransomware Intrusion
by: Allan Liska
Threat hunting is a great way for organizations with even a limited security budget to look for indications that a ransomware actor is in their network. However, there is an assumption that threat hunting is challenging and requires a large, well-funded security team to carry out. That is not always the case. There are some low-cost things organizations can do to conduct effective threat hunting missions in their network. This presentation will review some effective, relatively easy threat hunting missions that defenders can carry out to look for signs of a ransomware actor. Some of these include:
1. Alerting when security tools are disabled
2. Looking for remote desktop tools
3. Hunting through PowerShell logs
4. Traffic to mega.nz or one of its other domains
5. Looking for common file copy tools.
Streamline security with shift left: A cloud approach
by: Avinash Jain
In the agile world, continuous iteration of development and testing happens throughout the software development lifecycle, involving constant collaboration with stakeholders and continuous improvement and iteration at every stage, and engineers release their changes very frequently. All this makes the chances of potential security loopholes more and more real.
According to the most recent Secure Code Warrior report, more than 50% of organizations are still following reactive security practices, such as using tools on deployed applications and manually reviewing code for vulnerabilities. Even the DORA 2021 Accelerate State of DevOps report suggests that security can no longer be an afterthought. Top performers who have implemented security practices earlier in the software development life cycle are likely to exceed their reliability targets by 2x.
Companies often have high-quality security scanning and detection signals for application security issues only once the app is running in production, but increasingly need to understand issues when the code is written, so that they can have a scalable pipeline for identifying and preventing attacks early, before they get into production and while they are less expensive to fix in terms of overall effort and cost. Attacks like Solarigate (Zod) demonstrate how security hardening later in the supply chain is shifting attacks earlier. This trend of moving towards prevention by including security from the early stages of the SDLC with a proactive mindset is known as “Shift Left”, together with securing the development environment with DevSecOps controls. Here I seek to build the right framework to get much earlier security scanning and detection built into the CICD pipeline in a scalable way, to productize testing, monitoring and response and to support security drift detection.
By integrating security into CICD, one can deliver secure and compliant application changes rapidly while running operations consistently with automation. In order to do this well, the most logical place where security can be checked is code review. But this raises a series of questions:
How can it be achieved?
How can we make sure every release that goes to production has proper security sign-off?
How can we scan and test every piece of code that is changed from not just DAST or SAST point of view but also including wide custom and flexible security test cases?
Here we will talk about building such a solution and framework to integrate security in CICD and automating the complete process for continuous scanning of different kinds of potential security issues on every code change in Azure Pipeline.
Some of the improvements it brings:
- Wide variety of security checks: integration of standard and custom checks
- Early checks: security checks are now performed as soon as any PR is raised or code is modified
- Highly flexible: the security checks are very modular; we can add more checks as we want and configure them to perform response-based actions
- Completely automated: automation is the key, let the machines do the work
- Alerting: integration of alerts for check success or failure
- Reporting: scan reports are shared across different communication channels
- Framework as code: any company having their CICD on Azure can use this framework by just running the in-house built cloud formation template
- Vulnerability management: all the vulnerabilities and findings are logged in a single place, Azure Security Center
Uncovering 0-days in Healthcare Management Applications
by: Aden Yap Chuen Zhen
OpenEMR is the most popular open-source medical practice management, electronic medical records, prescription writing and medical billing application used by Healthcare Professionals. Security researchers from Project Insecurity and SonarSource had reported numerous vulnerabilities in OpenEMR application prior to 2021.
However, the BAE Systems Vulnerability Research team took up the challenge to uncover more vulnerabilities in the same application. To our surprise, we still found a huge number of high impact vulnerabilities inside the application recently. These vulnerabilities could potentially expose medical records and other sensitive patient data, and allow tampering with billing information and administrator functionality by unauthorized personnel. The security flaws were discovered by combining both manual source code analysis and white box testing.
In this talk we will share our experiences of uncovering over 60 vulnerabilities resulting in 8 public CVEs. We will share the key findings (subject to pending patch rollout) and challenges in hunting for OpenEMR VDP. It is our hope that this talk will enable other researchers to get involved in Vulnerability Research and help make the Internet a safer place.
Understanding and Re-creating Process Injection Techniques through Nimjector
by: Ariz Soriano / ar33zy
Process injection is one of the prominent techniques used by threat actors to execute malicious code and gain access inside the target’s system. It mostly aids in stealth and evasion to avoid common security defenses such as endpoint detection & response (EDR) and antivirus (AV) software.
From a red teamer's perspective, being knowledgeable about different process injection techniques can be handy when crafting payloads that evade such defenses. On the other hand, blue teamers would understand better how a payload interacts and establishes a foothold inside a compromised machine. When either team is unacquainted with this technique, they could have a hard time producing a working payload or improving the defenses of an organization by detecting indicators of compromise (IOCs).
Nimjector is a payload creation framework written in Nim which enables Penetration Testers and Red Team Operators to easily re-create or simulate process injection techniques based on a template. This tool also allows Security Operations Center (SOC) Analysts or Incident Responders (IRs) to understand and learn how different process injection techniques run and execute.
Inspired by existing repositories crafted with Nim such as OffensiveNim, Nimcrypt2, and NimHollow, this new tool was created to help both teams understand and learn more about Process Injection. It aims to open a collaboration between template creation from malware samples used by threat actors and using these to feed or tune security tools, as well as to detect such a technique.