Behind Enemy Lines:
Inside the operations of a nation state’s cyber program
SHMOOCON 2019
Washington D.C, USA
New phone, who dis?
Andrew Blaich, Head of Device Intelligence @Lookout
Michael Flossman, Head of Threat Intelligence @Lookout
Discover, track, disrupt, and understand the context around targeted surveillanceware: Pegasus, ViperRAT, DarkCaracal, StealthMango, and many more.
The Quest for a Cyber Surveillance Program
(Diagram: a $23 million government budget, adversary infrastructure, WhatsApp databases, and surveillance tooling; the open question is whether to outsource the tooling or develop it internally.)
Agenda
• Surveillance Goals
• Vendor communications
• Rolling Your Own Surveillance Platform
• StoneFish and Barracuda
What goes through the mind of a nation state?
Same decisions as any other engineering organization:
• What is the budget?
• What are our resources?
• How much time do we have?
• What's on the market?
• What do we want to achieve?
Build or buy?
Building Your Cyber Surveillance Program
Intel-focused capabilities: record calls and surrounding audio, connected cell tower details, key logging, retrieve and push specified files, take photos and screencaps, call logs, text messages, email accounts, browser history, location tracking, contacts, messaging apps.
Plus: exploits and delivery vectors.
Group Objectives
"In general, we are interested in infecting iOS and Android phones to extract correspondence from messaging apps."
SELLERS OF SURVEILLANCEWARE… ASSEMBLE!!!
The Vendors
• Arity Business Inc
• Ezov Creative Solutions
Zero Click iOS Compromise
Communication with FinFisher
Item: iOS 10 RCE, root, persistent, zero click
Tested Against iOS Versions:
- 10 beta, 10.0.x, 10.1.x, 10.2
Tested Devices:
- iPhone 7, 6s, 6, 5s, 5c, 5
- iPad Air, iPad 4
Attack Vector & Deployment:
- Victim must have iMessage and internet data enabled
- Malicious iMessage sent to target, arbitrary code executed as the mobile user, privileges escalated to root, persistence achieved after reboot.
- User does not need to click a link and does not even need to read the iMessage. This is a zero-click exploit. iMessage receipt is enough to compromise any phone.
Flash SMS Mobile Compromise
NSO Group
Item: Mobile Vulnerability
Description:
- The SMS service launches the default browser, the browser goes to the correct server, downloads and installs the Trojan, then closes.
Deployment Recommendations:
- It is recommended to do it at night, because the browser itself opens for a few seconds.
Mobile 0-days Compromise
Estonian-based "Arity Business Inc"
Item: Android RCE Vulnerability
Description:
- Vulnerability in Mediaserver but not in libstagefright.
- Exploit could be delivered via MMS, browser content, or mail clients.
- Bypasses all implementations of ASLR.
- Doesn't exploit any buffer overflows or rely on return-to-libc.
- Would provide root access to an APK agent delivered in tandem.
Tested on Android Versions 4.4.4 – 7.1
Tested on devices from:
- HTC, Samsung, ASUS, Motorola, Xiaomi, LG, Sony, and Huawei.
- Exploitation time between 6 and 15 seconds depending on model.
Price:
- $90,000
Desktop 0-days Compromise
Estonian-based "Arity Business Inc"
Item: IE & Edge Sandbox Escape & RCE
Tested Against Windows Versions:
- 7, 8, 10, Server 2008, 2012 (x64, x86)
Attack Vector & Deployment:
- Target directed to specially crafted webpage
- Priv esc and arbitrary code escalation may take 3 – 10 seconds and cause browser page to be unresponsive during that time frame
Price:
- $50,000
Edge 0-Day Demo Video
Desktop 0-days Compromise
Estonian-based "Arity Business Inc"
Item: Flash RCE Vulnerability
Description:
- Takes advantage of vulnerability in ActionScript (AS3)
- No visible indicators that vulnerability exploited
Tested on browsers:
- IE / Edge, Mozilla Firefox, Google Chrome, Opera (Windows & Linux)
Price:
- $65,000
Flash 0-Day Demo Video
Desktop 0-days Compromise
Estonian-based "Arity Business Inc"
Item: Exclusive access & guaranteed replacements
Description:
- exclusive access == 40 day guarantee
- secondary exploit guarantee of 30 days
- if vuln patched, guaranteed provision of additional exploit from their arsenal*. (exploit may be for different product)
* Only if usage instructions and recommendations have been followed. No stupid deployments, e.g., mass emailing of exploits to large enterprises.
Network Traffic Interception
Expert Team
Vendors Are Reading Our Research
Seller: A scandal with the NSO product was published. In the past, there was a story with an iPhone and now they are exposed on Android. https://www.forbes.com/sites/thomasbrewster/2017/04/04/google-nso-group-android-surveillance-tool/#6019c5391a1d
Seller: Well, how? Read?
Buyer: Yes, I read, but I did not understand how they learned about the NSO product for Android.
Seller: In this world, everyone can know everything they want. But you ask them. We did not write this article!
DIY Surveillance
What could go wrong?
Why in-house development?
"This is the only inexpensive way to get to the iPhone, except for the [Israeli] solution for 7 million and that's only for WhatsApp. We still need Viber, Skype, Gmail and so on." - Buyers
"There are a lot of Android OS versions and the hardware differences between devices are making it a pain to use these exploits. They need tuning for each targeted environment!" - Buyers
Dark Caracal
Attributed to the Lebanese General Directorate of General Security (GDGS)
Stealth Mango & Tangelo
Modified spouseware for APT36
ViperRAT
Custom tool in a long-running campaign against the Israel Defense Forces
StoneFish and Barracuda
Immediate solution was in-house developed iOS (StoneFish) and Android (Barracuda) malware with associated tooling.
Malware Stats
- Infection vectors: physical access and phishing
- Active exploits: none discovered at this time
- Infrastructure: shared C2s for iOS and Android exfil
- Number of malware variants: 400+ (testing and targeting)
- Success (data collected): > 50 GB
iOS Tooling and Capabilities
Custom end-to-end solution using open source and existing tools and techniques:
- DRM-stripped (already decrypted) apps, used as the base for adding trojan code
- iOS Developer Account: $99 to sign and distribute apps for targeted device IDs
- Open source PPSideloader: CydiaSubstrate for hooking, pptweak.dylib for the malicious code
- Desktop tooling: parse device backups, request trojan versions of apps, provision apps for installing, instructions on how to infect targets
- Developer(s) are active in these communities
iOS Infection Vector: physical access
- Physical access to the victim's phone.
- Backup machine: creates an iTunes backup of the phone and uploads it to the provisioning server using the custom desktop tool.
- Provisioning server: creates a trojan copy of WhatsApp, Viber, WeChat, or Telegram.
- Apple's signing servers: provision the iOS app for the specific device UDID using a developer account.
- Install server: installs the requested trojan apps (WhatsApp, Viber, Telegram, WeChat) onto the device via an install URL.
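The re-signing step above leaves a trace an analyst can check: an app installed through an install URL carries an embedded.mobileprovision whose profile is issued to the re-signer's developer team and pinned to the target's UDID, whereas an App Store install does not normally carry that file at all. The following Go program is an added example, not code from the talk or from Lookout; it assumes the plist has already been extracted from the profile's CMS wrapper (on macOS with `security cms -D -i embedded.mobileprovision`), and the sample profile, team IDs, bundle ID and UDID in it are invented.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Constructed sample of the plist carried inside embedded.mobileprovision by
// an app re-signed with an individual developer account and pinned to one
// UDID. Every value is invented. On macOS the real plist comes out with:
//   security cms -D -i Payload/<App>.app/embedded.mobileprovision
const sampleProfile = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.chat</string>
    <key>get-task-allow</key><true/>
  </dict>
  <key>ProvisionedDevices</key><array><string>00000000-000000000000000A</string></array>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>TeamName</key><string>Example Developer</string>
</dict></plist>`

// node is a generic XML element; a plist is just nested dict/array/leaf elements.
type node struct {
	XMLName xml.Name
	Text    string `xml:",chardata"`
	Kids    []node `xml:",any"`
}

// toValue converts a plist element: dict -> map, array -> []string (profile
// arrays only hold UDIDs, team IDs and certificates), true/false -> bool,
// any other leaf (string, date, integer, data) -> its text.
func toValue(n node) interface{} {
	switch n.XMLName.Local {
	case "dict": // children alternate <key>name</key>, value
		m := map[string]interface{}{}
		for i := 0; i+1 < len(n.Kids); i += 2 {
			m[strings.TrimSpace(n.Kids[i].Text)] = toValue(n.Kids[i+1])
		}
		return m
	case "array":
		a := []string{}
		for _, k := range n.Kids {
			a = append(a, strings.TrimSpace(k.Text))
		}
		return a
	case "true", "false":
		return n.XMLName.Local == "true"
	}
	return strings.TrimSpace(n.Text)
}

// ParseProfile returns the top-level dict of a provisioning-profile plist.
func ParseProfile(src string) (map[string]interface{}, error) {
	var root node // the <plist> element, whose single child is the dict
	if err := xml.Unmarshal([]byte(src), &root); err != nil {
		return nil, err
	}
	var m map[string]interface{}
	if len(root.Kids) == 1 {
		m, _ = toValue(root.Kids[0]).(map[string]interface{})
	}
	if m == nil {
		return nil, fmt.Errorf("plist does not hold a single top-level dict")
	}
	return m, nil
}

// Report: Kind is "development/ad-hoc" or "store"; AppID is the application-identifier
// entitlement (TEAMID.bundle.id); Devices lists the UDIDs the build is restricted to;
// Reasons says why the install looks like a sideloaded re-sign.
type Report struct{ Kind, AppID string; Devices, Reasons []string }

// Assess classifies the profile; publisherTeamID is the team ID the genuine
// app is known to be signed under (a hypothetical value in this example).
func Assess(p map[string]interface{}, publisherTeamID string) Report {
	var r Report
	if ent, ok := p["Entitlements"].(map[string]interface{}); ok {
		r.AppID, _ = ent["application-identifier"].(string)
		if allow, _ := ent["get-task-allow"].(bool); allow {
			r.Reasons = append(r.Reasons, "get-task-allow is set: a debuggable development build")
		}
	}
	r.Devices, _ = p["ProvisionedDevices"].([]string)
	r.Kind = "store"
	if len(r.Devices) > 0 {
		r.Kind = "development/ad-hoc"
		r.Reasons = append(r.Reasons, fmt.Sprintf("profile is pinned to %d device UDID(s): sideloaded, not an App Store install", len(r.Devices)))
	}
	if publisherTeamID != "" && !strings.HasPrefix(r.AppID, publisherTeamID+".") {
		r.Reasons = append(r.Reasons, "application-identifier prefix is not the publisher's team ID: re-signed by another account")
	}
	return r
}

func main() {
	p, err := ParseProfile(sampleProfile)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", Assess(p, "ZZZZZ99999")) // hypothetical publisher team ID
}
```

Run it against each third-party messaging app found in the iTunes backup of a suspect device, passing the team ID the genuine publisher signs with. An in-house (enterprise) profile carries ProvisionsAllDevices instead of a device list and is not special-cased here; treat any embedded profile on a store-distributed app as worth a closer look.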
Android Infection Vectors
- Vectors: phishing and physical access
- Payload: a trojan app or a fake system application, self-signed
- Requires a victim device with third-party installs enabled
- Shared command and control server for the Android and iOS implants
Data Analysis: exfiltrated file format
Encrypted file layout:
- Encrypted file header (4 bytes)
- AES initialization vector (16 bytes)
- Encrypted content (remainder)
AES secret key: the last 16 bytes of the device GUID, e.g. ae7fa65e-995e-4796-9933-00dacc80cefa1
Decrypted content:
- File metadata (JSON object)
- Raw file (remainder of content)
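A decoder for that layout, written here as an added example (it is not the talk's or Lookout's tooling). The slides give only the field sizes and where the key comes from, so the rest is assumed and marked as such in the code: AES-128 in CBC mode with PKCS#7 padding, the key being the ASCII bytes of the last 16 characters of the GUID string, and the raw file starting immediately after the closing brace of the JSON object. BuildExfilFile is the matching encoder, included only to produce constructed input for the parser.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Layout of one exfiltrated file as drawn on the slides:
//   [4-byte header][16-byte AES IV][encrypted content]
// where the decrypted content is [JSON metadata object][raw file bytes].
// Assumed here, not stated on the slides: AES-128-CBC with PKCS#7 padding, the
// key is the ASCII bytes of the last 16 characters of the device GUID, and the
// raw file starts right after the closing brace of the JSON object.

const headerLen, ivLen = 4, 16

type ExfilFile struct {
	Header   []byte                 // opaque 4-byte header, kept for analysis
	Metadata map[string]interface{} // the implant's JSON metadata
	Raw      []byte                 // the stolen file itself
}

// KeyFromGUID returns the last 16 bytes of the device GUID string.
func KeyFromGUID(guid string) ([]byte, error) {
	if len(guid) < 16 {
		return nil, errors.New("device GUID shorter than 16 bytes")
	}
	return []byte(guid[len(guid)-16:]), nil
}

// ParseExfilFile decrypts blob with the key derived from guid and splits the
// plaintext into the JSON metadata object and the raw file that follows it.
func ParseExfilFile(blob []byte, guid string) (*ExfilFile, error) {
	key, err := KeyFromGUID(guid)
	if err != nil {
		return nil, err
	}
	if n := len(blob) - headerLen - ivLen; n < aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, errors.New("blob too short or ciphertext not block aligned")
	}
	block, _ := aes.NewCipher(key) // a 16-byte key never fails
	header, iv, ct := blob[:headerLen], blob[headerLen:headerLen+ivLen], blob[headerLen+ivLen:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	// Strip and verify PKCS#7 padding; garbage here almost always means the
	// wrong GUID was used (the key is derived from it).
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS#7 padding: wrong key or corrupted file")
	}
	pt = pt[:len(pt)-n]
	// No length field separates metadata from payload, so let the JSON decoder
	// report where the object ends; everything after that offset is the file.
	dec := json.NewDecoder(bytes.NewReader(pt))
	var meta map[string]interface{}
	if err := dec.Decode(&meta); err != nil {
		return nil, fmt.Errorf("metadata is not a JSON object: %w", err)
	}
	return &ExfilFile{Header: header, Metadata: meta, Raw: pt[dec.InputOffset():]}, nil
}

// BuildExfilFile writes the same layout (random IV) so the parser can be
// exercised on constructed input.
func BuildExfilFile(header []byte, meta map[string]interface{}, raw []byte, guid string) ([]byte, error) {
	key, err := KeyFromGUID(guid)
	if err != nil || len(header) != headerLen {
		return nil, errors.New("bad GUID or header length")
	}
	mj, err := json.Marshal(meta)
	if err != nil {
		return nil, err
	}
	pt := append(mj, raw...)
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	pt = append(pt, bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, headerLen+ivLen+len(pt))
	copy(out, header)
	iv := out[headerLen : headerLen+ivLen]
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[headerLen+ivLen:], pt)
	return out, nil
}

func main() {
	guid := "ae7fa65e-995e-4796-9933-00dacc80cefa1" // the GUID shown on the slide
	meta := map[string]interface{}{"app": "WhatsApp", "path": "ChatStorage.sqlite"}
	blob, _ := BuildExfilFile([]byte{0, 0, 0, 1}, meta, []byte("SQLite format 3\x00..."), guid)
	if f, err := ParseExfilFile(blob, guid); err != nil {
		fmt.Println("parse failed:", err)
	} else {
		fmt.Printf("header=%x metadata=%v raw=%q\n", f.Header, f.Metadata, f.Raw)
	}
}
```

The useful property for an analyst is that the key is derivable from the device GUID alone, so a directory of files pulled from the exfil server decrypts with nothing more than the GUIDs seen in the implant's check-ins. If the real implant used a different mode or padding, only the two cipher calls and the padding check change; the header/IV/metadata framing stays as the slides show it.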
The Quest for a Cyber Surveillance Program
(Recap diagram: the intel-focused capabilities listed earlier, from recording calls and surrounding audio through to messaging apps, plus exploits and attack vectors, mapped against DarkCaracal, ViperRAT, and Stealth Mango & Tangelo.)
Attribution Disclaimer
We are not making attribution public at this time. Stay tuned for Part 2…
Contact Us
E-mail: threatintel@lookout.com
Andrew Blaich
@ablaich
Michael Flossman
@terminalrift
Thank you!
Questions?
Note: All security research conducted by Lookout employees is performed according to the Computer Fraud
and Abuse Act (CFAA) of 1986. As such, analysis of adversary infrastructure and the retrieval of any exposed
data is limited to only that which is publicly accessible. Any sensitive information obtained during this
process, such as usernames or passwords, is never used in any authentication-based situations where its use
would grant access to services or systems.
