ROOTCON 17 - Talks

AI for Red Team && Malware Development
by: Kirk Trychel (@Teach2Breach)

My presentation will focus on examining both the current state of AI use in the world of information security and the future applications of this tech. We will examine real use cases for Red Teams and threat actors to leverage right now for enhancing their operations. We will do a deeper dive into tool development, with a focus on coding for offensive operations. We will also discuss how AI is already used by blue teams and defenders, as well as the limitations of these controls and how they can be bypassed. We will also talk about future applications for blue teams, as well as the implications of both offense and defense implementing AI bot tech into their ops. The goal of the presentation is to encourage Red Teams to begin working with this tech, as well as to educate blue teams about what is possible and what they should expect from apex threats with the addition of this tech.

Breaking Barriers: Using XSS to Achieve RCE
by: Aden Yap, Ali Radzali, Azrul Zulkifli, Sheikh Rizan

Electron is a free and open-source software framework developed and maintained by OpenJS Foundation. The framework is designed to create desktop applications using web technologies that are rendered using a version of the Chromium browser engine and a back end using the Node.js runtime environment.

To mitigate the vulnerability, the “nodeIntegration” option was set to false by default on all Electron frameworks starting from version 5.0.0, which means the renderer process does not have access to the Node.js APIs. Similarly, the “nodeIntegrationInWorker” option is also set to false by default, so that Electron Web Workers do not have access to the Node.js APIs. This helps prevent malicious code from executing in the renderer process and accessing sensitive system resources. If the developer still requires “nodeIntegration” to be enabled, they will need to explicitly enable it in the Electron Node.js configuration.

BAE Systems security researchers were able to identify dozens of misconfigured apps written using the Electron framework that are publicly available on the Internet. These misconfigurations could potentially lead to RCE if a simple XSS vulnerability is present. BAE Systems security researchers will demonstrate techniques used to exploit these vulnerabilities to achieve RCE by chaining a simple XSS bug. Some of these vulnerabilities are pre-auth (no authentication required) and thus can be easily exploited in the wild without user interaction (zero-click).

At the time of writing, BAE Systems security researchers had found three 0-days in popular apps hosted on GitHub. These apps are widely used on the Internet and are easily exploitable via the zero-click exploit we developed. We have reported these vulnerabilities to their respective application owners and are now awaiting their response. If a fix is available before we present this topic, we will provide full disclosure of the vulnerabilities during the conference.

Car Hacking Scene in the PH: How Far We've Come
by: Jay Turla (@shipcod3)

Car Hacking Village PH presents its first attempt on the main tracks of ROOTCON. This is a rundown of CHVPH's past and current security research, from hacking infotainment systems to CAN bus protocols, and a summary of cars available in the Philippines that are susceptible to car theft. Here is the complete rundown:

- Some of our infotainment hacks
- Car Hacking on the cheap
- Clusters you can fuzz
- The CHV PH repo
- Our mini car hacking test bench
- Tools of the Trade
- CHV PH appearances in hacking cons
- canTot: quick and dirty canbus h4xing framework
- Vulnerability Disclosures related to automotive
- Understanding the Geely Hacks
- A summary of common vehicles in the Philippines affected by simple and recent key fob vulnerabilities
- Demystifying rollback attacks

Hacking Back Your Car
by: Kamel Ghali

Sophisticated vehicle thefts have been in the news lately due to some great research published by vehicle security experts who have been firsthand victims of said theft. Unlike classic hotwiring or carjacking attacks, the "new" way to steal vehicles is more technical and efficient. Vehicle thieves are connecting to the CAN networks inside vehicles and spoofing CAN messages to trick the car into thinking its key is present, disabling the immobilizer and allowing the car to be driven away.

In my talk, I'll discuss the origins of such attacks, how they've been used in different countries over the years, and explore the technical details of what makes such an attack possible. I'll perform a deep dive into the more "hacker-y" techniques used by vehicle thieves to target modern vehicles and the differences in the various techniques used over the years. I'll also cover potential mitigations against such attacks that can be applied by vehicle manufacturers and mitigations that you and I can implement today to keep our families safe.

This talk will be a great supplement to the Car Hacking Village planned to be at the event, hopefully increasing interest in vehicle security and car hacking, and giving the participants something to start their journey into vehicle security with.

Old Services, New Tricks: Cloud Metadata Abuse by Threat Actors
by: Nader Zaveri

Mandiant identified exploitation of public-facing web applications by threat actors (UNC2903) to harvest and abuse credentials using Amazon’s Instance Metadata Service (IMDS).

Although the threat actor specifically targeted Amazon Web Services (AWS) environments, many other cloud platforms offer similar metadata services that could be at risk of similar attacks. Related threat actor motives and operations are gaining prominence as enterprises continue their migration to cloud hosting services. Mandiant has tracked attempts by the threat actors to access S3 buckets and additional cloud resources using the stolen credentials.

This presentation covers how threat actors performed the exploitation and IMDS abuse, as well as related security hardening guidance on how to detect, remediate, and prevent this type of instance metadata abuse in an organization’s environment. As part of this presentation, we will walk through a demo of the web application that was abused and show how easy it is to obtain credentials if the organization is using the legacy version of IMDS. Then, we will show how, by performing the remediation techniques mentioned in the presentation, the organization can block such credential harvesting via the instance metadata service.

Phish MOMUKAMO: Meticulously Outmaneuvering Malicious and Unscrupulous adversaries with Knowledge, Action, Mitigation, and Organization
by: Eric Reyata and IJ Puzon

This paper presents an in-depth examination of phishing kits, exploring opportunities for detection and enhancement of security measures for both organizations and individuals.

By emphasizing the crucial role of collaboration between public and private sectors, as well as law enforcement agencies, the study highlights the importance of a united front against cyber threats.

Through a thorough technical analysis of phishing kits, the paper delves into various aspects, including the phishing victim's experience, technical considerations, the interplay of HTTP client and server models, essential components of a phishing kit, and effective threat hunting methodologies.

In addition, the paper investigates statistical data on phishing victims and sheds light on the adversary's infrastructure and activities, providing valuable insights for combating such threats.

Conclusively, the paper presents well-rounded recommendations and strategies to bolster the fight against cyber adversaries and ensure the successful pursuit of phishing-related cases to their ultimate resolution.

The Creation of the Out-Of-Band Anti Virus Dock (OOBAVD)
by: Yu Pengfei and Tan Jing Zhi

USB-based attacks account for over 52% of all cybersecurity attacks on operational technology (OT) systems in the industrial control systems (ICS) industry. Stuxnet's discovery in 2015 showed the vulnerability of air-gapped systems, previously considered invulnerable. These systems are found in secure military organizations and SCADA systems. The societal impact of such attacks can be enormous, as evidenced by Stuxnet's impact on Iran's nuclear programs.

Air-gapped systems, while considered secure, mostly require mobile storage devices like USB sticks for updates and data transfers, which risks exposing them to malware. Adding peripherals like keyboards and mice will also render the systems vulnerable to BadUSB attacks. All of this can be prevented by OOBAVD, which acts as an intermediary between air-gapped systems and USB devices and blocks malicious files from entering the air-gapped systems. OOBAVD being out of band also mitigates the risk of malware attacking the host's antivirus software.

So what exactly is OOBAVD and how does one take an anti-virus out of band?