RC18 @ TALKS





All in the Shark Family: TODDLERSHARK
by: Keith Wojcieszek & Ely Tingson

The Kroll CTI team, led by Keith, will talk about their analysis of a new malware campaign resembling BABYSHARK, previously associated with the APT group Kimsuky (KTA082). This malware was part of an attempted compromise exploiting vulnerabilities in ConnectWise ScreenConnect, namely CVE-2024-1708 and CVE-2024-1709. These vulnerabilities enable authentication bypass and remote code execution.

The threat actor gained access through ScreenConnect's setup wizard and executed MSHTA with a URL leading to VB-based malware. The malware employed heavy obfuscation and randomly generated code to evade detection. It downloaded a second-stage payload with functionalities including modifying registry keys, stealing system information, and setting up scheduled tasks.

The stolen information was encoded in PEM certificates and exfiltrated to a C2 server. Additionally, the malware created a scheduled task to periodically check for further instructions. The code and behavior of this malware closely resemble BABYSHARK, suggesting it's an iteration of the original.

This malware demonstrates polymorphic behavior, making it challenging to detect. It utilizes legitimate Microsoft binaries for execution and dynamically generates C2 URLs. The use of known vulnerabilities in ScreenConnect highlights the importance of patching systems promptly to prevent exploitation.




Apocalypse?: The Perils of Generative AI
by: Scott Jarkoff

The integration of generative AI by nation-state actors and eCrime groups is catalyzing a transformative shift in the theater of global cyber conflict. These sophisticated adversaries are harnessing generative AI to craft highly nuanced and disruptive operations, targeting critical infrastructures and pivotal systems underpinning national security and economic stability. By leveraging generative AI, malicious actors magnify the impact and sophistication of their strategies, moving beyond traditional cyber tactics to conduct orchestrated campaigns at unprecedented scale and speed. This strategic evolution in cyber warfare not only expands the arsenal of these actors but also escalates the stakes, reshaping the contours of international security dynamics.

The emerging convergence of cyber and physical threats through generative AI is reshaping the battlefield, allowing for a seamless integration of digital assaults with tangible real-world, physical consequences. This capability enables adversaries to craft multi-dimensional attacks manipulating both bits and atoms, blurring the boundaries between online threats and physical vulnerabilities. As generative AI continues to refine the orchestration of complex scenarios involving physical systems, it elevates the strategic sophistication of these actors, underscoring a pressing need for a paradigm shift in how nations conceptualize and counteract the evolving spectrum of global threats. This convergence of cyber prowess with physical world implications heralds a new era in warfare, where the battleground is everywhere and the lines between cyber and kinetic are indistinguishably intertwined.




Cyber-Physical Convergence - Peril or Opportunity?
by: Aaron Ng

During the nascent years of the Internet, there was a well-intentioned naiveté that it was only going to be a force for good, and even if anything was to go awry, the consequences would be contained within the virtual realm. Of course, reality turned out to be very much on the contrary, with the massive proliferation in connectivity resulting in numerous instances of activities in cyberspace that culminated in physical, and unfortunately often negative, effects.

Staying true to the core theme of RootCon 18, this session will examine the “connected reality” that we have been living in for the last three decades, delving into key incidents and developments that originated in cyberspace but resulted in significant impact on the physical world. In doing so, the session strives to mainstream the awareness of this inherent convergence between the virtual and physical worlds. Additionally, we will look into the contemporary developments around artificial intelligence and machine learning, and hope to uncover what lies ahead for human civilisation.




Demystifying the Arcane of Lateral Movement between Azure & On-Prem AD
by: Echo Lee

In a hybrid identity environment, enterprises can integrate and leverage the advantages of cloud and on-premises systems. However, attackers often exploit the blurred trust boundaries between these environments. To the best of our knowledge, this talk would enumerate multiple trust, control, and data flow relationship relationships between Azure and on-premises Active Directory (AD), thus demonstrating how these mechanisms could be abused for lateral movement between the two.

The presentation will be divided into two parts. The first part will explore various techniques for lateral movement from on-premises systems to the cloud. This section will cover methods for stealing user cloud credentials, including multiple phishing techniques and ways of extracting cloud credentials from endpoints, thereby gaining access to the cloud environment by passing the token or cookie. The second part will focus on techniques for lateral movement from the cloud back to on-premises. This section will examine how to abuse mechanisms that have been well-known such as Cloud Kerberos Trust and Microsoft Intune and some obscure techniques such as abusing Azure LAPS, hybrid connections, and adding users as local administrators on the device during Microsoft Entra join to achieve the goal.

Both parts would classify the relationships between cloud and on-premises systems, summarizing the prerequisites for these attacks, such as the mechanisms that need to be enabled and the required permissions, what privileges can be gained from these attacks, and how to detect and mitigate them.




Dissecting a Ransomware Operation: From Propagation to extortion
by: Doan Minh Long

In this talk ,i will delve into the intricate processes behind ransomware attacks, breaking them down into two primary phases: propagation and extortion. Initially, I will explore how ransomware spreads through various vectors such as phishing emails, malicious attachments, and system vulnerabilities. I will highlight how these attacks infiltrate and encrypt data within the targeted systems, often spreading to connected devices to maximize damage, all while remaining undetected by using advanced evasion techniques.

In the second part, I will examine the extortion tactics used by cybercriminals. After successfully encrypting the data, victims are presented with a ransom note demanding payment, usually in cryptocurrency, to restore access to their files. I will discuss the psychological manipulation involved, including threats to increase the ransom or expose sensitive information if demands are not met promptly. This segment will underscore the blend of technical sophistication and psychological strategies that make ransomware operations highly effective and lucrative for attackers, while also posing significant challenges for detection and prevention.




Eerie Glow:Unveiling Security Vulnerabilities in Open-Source Satellite Communication Protocols
by: Vic Huang

Historically, the high costs associated with satellite manufacturing, design, and launch limited satellite production to government agencies or research institutions. However, in recent years, the development and widespread use of small satellites have emerged due to the significant reduction in launch costs associated with their smaller size. Consequently, projects developing satellite protocols and DIY cub satellites have proliferated. This study shares insights into classic vulnerabilities identified in past satellite attack research, along with new security issues we have discovered. We focus on a recent open-source satellite project, SPACECAN, and the decade-old open-source satellite communication protocol, libcsp, which is already in use by satellites. Our research identifies three vulnerabilities in the SPACECAN project related to CAN bus message transmission and highlights a flaw in message verification within the libcsp project. By revealing these vulnerabilities, we aim to raise awareness about the security of satellite communication systems, advocate for secure implementations in open-source satellite projects, and provide actionable recommendations to mitigate these risks




How Attackers Are Compromising Your Networks and What You Can Do About It
by: CJ Villapando

The main objective of this presentation is to inform attendees of impactful network attacks (mostly Active Directory) that lead to company-wide compromise.

These misconfigurations and vulnerabilities are not complex to abuse however they are very impactful once exploited. Unfortunately, there are a lot of organizations that have not realized this. Moreover, a lot of organizations do not really understand how these things work.

Some of the main points of the presentation may include:
- How do threat actors get in (traditional exploitation vs phishing)?
- Modern breaches that were compromised by “simple and old” attacks relevant to Windows authentication (NetNTLMv2 relays, OS credential dumping, Pass-the-Hash, etc.)
- Kerberos, Kerberoasting, Ticket Attacks, Active Directory Certificate Services
- On-prem AD to cloud (Entra ID) escalation

Each of the attacks will have recommendations so that attendees can walk away with something that is actually actionable and something they can look at/implement at their organization.




How to have visibility and security OF CICD ecosystem
by: Pramod Rana

In this talk, I will present how an organization can approach the visibility and thus security OF CICD ecosystem, some common attack areas - access controls, credentials hygiene, misconfiguration etc. & possible solutions. I will introduce CICDGuard - a graph based CICD ecosystem visualizer & security analyzer.

CICD platforms are an integral part of the overall software supply chain and it processes a lot of sensitive data, compromise of which can affect the entire organization. Security IN CICD is a well discussed topic, security OF CICD deserves the same attention.

One of the challenges with security OF CICD, like most areas of security, is the lack of visibility of what actually makes a CICD ecosystem. Security starts with being aware of what needs to be secure.

CICDGuard is a graph based CICD ecosystem visualizer and security analyzer, which
1) Represents entire CICD ecosystem in graph form, providing intuitive visibility and solving the awareness problem
2) Identifies common security flaws across supported technologies and provides industry best practices and guidelines for identified flaws
3) Technologies supported - GitHub, GitHub Action, Jenkins, JFrog, Spinnaker, Drone




How to run a real-world attack on cloud and protect from it
by: Niko Akatyev

Using the cloud is a norm now. Cloud security monitoring and response to incidents in the cloud is essential. Last year, there were notorious cloud security incidents with core IT infrastructure companies such as CircleCI and JumpCloud.

In this talk we show how such attacks can happen and how to defend from them. We set up a simulated environment closely resembling the real setup of modern tech companies in cloud. We show how to run an end-to-end attack. In parallel, we run detection tools and show how to gain visibility about this attack, identify a security event and conduct an analysis.

The attendees will take away principles of cloud security issues and knowledge of how to configure rules to detect attacks in the cloud, analysis of cloud logs, and fundamentals of the cloud.




Red Team Social Engineering 2024: Initial Access TTP and project experience of the our team
by: Konstantin Polishin

This presentation will cover the topic of effective techniques, tactics, and procedures (TTP) for initial access and spear phishing vectors based on the project experience of the PT SWARM Red Team operations.

Key topics include:

Payloads and delivery methods: An examination of the most effective payloads and methods of delivering them to users. Special attention will be given to concepts such as HTML/SVG/PDF Smuggling, PDF Luring, DLL Side-Loading, attacks on developers, persistence via COM hijacking and spoofing email domains.

Project case studies: Examples of successful Red Team operations, including specific cases of initial access based on our Red Team projects and experience.

The presentation will provide participants with a deeper understanding of modern targeted phishing techniques and their practical application in real-world Red Team scenarios.




Rise of Attacks on Infrastructure
by: Alex Bazhaniuk

In modern day and age, the infrastructure of your network is a massive target for the attacker. After the attack on SolarWinds, attackers realized how massive the potential for such attacks are, and are finding new ways to exploit it. This means new attacks on hardware and software which drives such an infrastructure.

In this talk, we will dive into two remote attacks on infrastructure. One of them is an attack against AMI MegaRAC, which is the firmware used to manage servers all around the world. The second one is an attack against F5 BIG-IP Next, next generation of F5 BIG-IP product line, meant to be more secure and close the issues with their previous software versions. Both attacks are relatively simple to conduct and lead to a massive supply chain impact, and they both present an interesting case study on what attacker's goals may be, as well as raise questions on how to deal with such vulnerabilities overall.




Seeing is Not Believing: Bypassing Facial Liveness Detection by Fooling the Sensor
by: Elvin Gentiles (@CaptMeelo)

Given facial recognition's continued popularity as a form of identity verification, organizations are grappling with the real threat of facial spoofing attacks, particularly in light of the rapid pace of development in AI and deepfakes. To combat fraudsters, organizations introduced “facial liveness detection” to ensure the end-user is a live person; but can these systems trust the evidence from their own sensors?

This presentation will demonstrate how to bypass facial liveness detection systems on different platforms by fooling the camera/sensor. While previous research in this area has relied on hardware modules, the method demonstrated here leverages open-source software and is simple, free, and not time or resource-intensive. The talk will also cover the tools used, the setup process, and demonstrations of the bypasses using different platforms. The pros and cons of this approach will also be considered, as well as the threats it poses, particularly, how videos posted on social media platforms could help fraudsters abuse this method. The presentation will conclude with recommendations to help organizations combat such an attack.

The main takeaways from this research are:
- How easy it is to bypass facial liveness detection using publicly and readily available tools
- How fraudsters could use what is posted on social media platforms
- How this attack could be mitigated for organizations to improve their algorithms/detection, and inform users on what to look for when choosing an identity verification provider.

The main objective of this topic is to provide awareness to users about the risk involved with posting their videos on social media platforms and inform organizations on how easy to bypass facial liveness detection to improve their systems.




Shuttling Through Secret Pipes: Unveiling Vulnerabilities in Leading VPNs
by: Zeze Lin

Named pipes have been an integral part of Windows operating systems since the early days of Windows NT, offering a robust mechanism for inter-process communication (IPC). They allow processes to communicate on the same machine or across networked systems using a client-server model. A key feature is impersonation, where a server temporarily adopts the security context of a client, enabling it to perform actions with the client's permission.

In my research, I developed a tool to analyze named pipe security. This tool combines a minifilter driver and a ring3 hook via DLL injection to monitor and intercept named pipe communications. The minifilter driver operates at a low level within the file system, while the ring3 hook intercepts user mode API calls related to named pipes. Using this tool, I identified vulnerabilities in named pipe implementations in software from Windscribe, CyberGhost, and OpenVPN. Specifically, vulnerabilities in Windscribe allow an attacker to achieve both Elevation of Privilege (EoP) and Broken Access Control (BAC). In CyberGhost, vulnerabilities can be exploited to achieve BAC, and in OpenVPN, they can lead to EoP (CVE-2024-4877). These vulnerabilities present significant security risks, as EoP can allow attackers to gain higher privileges, and BAC can enable unauthorized access to sensitive resources.

By attending this talk, the audience will gain a deeper understanding of named pipes, their functionality, and associated security implications. The presentation will cover the methodology behind the analysis tool, the specific vulnerabilities discovered, and their potential impacts. Attendees will learn about named pipe security intricacies, common pitfalls, and mitigation strategies. This talk aims to equip security professionals and software developers with the knowledge to better secure their applications against similar threats, emphasizing vigilant security practices for IPC mechanisms.




TA577 Tactics: NTLM Hash Theft Through SMB Thread Hijacking
by: Marianne Bermejo

My presentation revolves around the ongoing challenges faced by organizations worldwide in combating evolving tactics and threats. By exploiting NT LAN Manager (NTLM) hashes through thread hijacking, attackers utilized deceptive emails with zipped HTML attachments to bypass email filters, infiltrating systems undetected. These seemingly harmless attachments served as gateways for malicious activities, redirecting users via the Server Message Block (SMB) protocol to external servers, thus compromising system security. The attackers' objective was clear: to obtain NTLMv2 challenge/response pairs and NTLM hashes, facilitating unauthorized access to sensitive data.

To achieve their goals, malicious actors employed tailored tools and tactics for both Linux and Windows environments, demonstrating a sophisticated understanding of system vulnerabilities. I am going to demonstrate how attackers utilize tools like Impacket, to exploit NTLM authentication traffic, extract hashes and execute commands remotely. These incidents underscore the urgent need for organizations to strengthen their defenses against evolving cyber threats.