In this talk we'll take a look at two Android surveillanceware families, ViperRAT and FrozenCell, both of which have been used in long-running campaigns. Victims include members of the Israel Defense Forces, and analysis suggests the Palestinian Security Services, the Ministry of the Interior, and the leading political party in Palestine were also targeted. We'll cover the capabilities of each family, their supporting infrastructure, some OpSec failures that gave us insight into exfiltrated data, and just how effective ViperRAT and FrozenCell have been given that neither uses any exploits.
3. $whoami – Flossman
• Threat Intel Services @ Lookout
• Hunting for surveillanceware
• Looking for novel techniques
• Tracking actors & campaigns
• Co-founded Tesserae Security
• Android app dev, BYOD security tool DigitalPrince
• Aussie Govt
• Prototyping, vuln research, IR, blue team, mobile sec, device hardening
4. Expanding Arsenals
New tools to follow the money & intel
• Implementation of mTANs: transactions are tied to a one-time code sent to the mobile, a security control meant to mitigate unauthorized transactions
• Attackers rapidly evolve: a traditionally desktop-based arsenal now comes with mobile capability
• Actors focused on gathering intelligence have been making a similar transition
5. Surveillanceware Prereqs
Can haz zero day?
[slide shows a honeytrap chat lure; the message reads:]
"Hi there handsome … I'd love to hear more about your military unit and the equipment you have access to. I'll send more photos of myself, but I'd feel more comfortable first if you installed this custom chat app. k thx bai"
9. ViperRAT – First stages – Minimal footprint profiling
• Gather basic telemetry & profile device (installed apps, dev metadata etc)
• Functionality to manage installation of 'agent' aka 2nd stage
• Provides attacker with basic API
  • Get agent URLs, upload profile / check if previously posted
  • Silently install 2nd stage, or prompt user and flag to the operator that the prompt was shown
  • Clean up the downloaded 2nd stage post install
• Entry points – user driven || on boot
10. ViperRAT – 2nd Stages – Semi-tailored for victim environment
• Attempts to hide in the noise on the target device, posing as:
  • WhatsApp Update
  • Viber Update
  • System Update
  • System Updates
11. ViperRAT – 2nd Stages – Capabilities
• Search external storage for office docs
  • PDF, doc, docx, xls, xlsx, ppt, pptx
• Retrieve the WhatsApp database and also pull back the WhatsApp key for decryption
• User dictionary words
  • user words entered into other apps
  • associated app id
  • frequency
• First Android app that uses dlls??
• Record audio
• Record video
• Take a screenshot
• Text messages
• Contacts
• Geolocation
• Browser bookmarks, search history (default browser, Chrome, Firefox)
• Call logs
• Launch the browser to an attacker-specified URL
• Take photos with the device camera
• Get installed apps
• Get / delete attacker-specified files
• Cell tower id, cell LAC, MCC, signal strength, base station id (implemented for GSM, CDMA, LTE, WCDMA)
16. ViperRAT – Directory structure – Recovering device and IMEI details
[slide shows a listing of the exfiltration directory tree on the C2; the directory names shown are numeric device identifiers: 352117661948102, 1723272119172935, 3302822, 2852102311761661948102; the column labels are not readable in the transcript]
19. ViperRAT – Analysis around modified timestamps of exfil
• Mirror C2 -> log2timeline -> Kibana
• Using modified timestamps from victim data from July 17th 2017
• Pictures taken when victims answer their phone
  • Likely used for profiling users
• Looks like tapering off but still collecting 1k+ files a week
[chart: Victim behaviour – images taken when calls received]
ViperRAT
Operator instructions & behaviour – Fri & Sat only?
Contacts retrieved by operator
Geolocation info retrieved
SMS content retrieved
FrozenCell
Desktop Lures
• Palestinian Security Services (Dismissal & Promotion notices)
• General Directorate of Civil Defence - Ministry of the Interior (Troop movements)
• 7th Fateh Conference of the Palestinian National Liberation Front (Meeting Minutes)
• Trump impersonator with models - hot models.mpg.exe
FrozenCell
I got 99 apps but a sploit ain’t one
- Call recording
- SMS retrieval
- Image retrieval
- Location tracking
- Device metadata - MCC, MNC
- Downloading and installing attacker specified apps
- Searching for and exfiltrating PDF, doc, docx, ppt, pptx, xls, and xlsx
- Contacts
- On Huawei devices with protected mode, automatically tries to add itself to the list of protected apps that are allowed to run in the background while the screen’s off. Shows a dialog asking to be added if it can’t do it automatically.
FrozenCell
Out of band comms
• Trigger call recording
  • Message needs to contain a #. for call recording.
  • #....# where each . adds an hour to the total amount of time to record or before recording is stopped
• Stop call recording
  • #,, - stops any recording that’s been kicked off by SMS command messages
• Ends with
  • 15171 – enables receivers (call mon, hot micing, connectivity, update apk)
  • 15181 – disable receivers
  • 15191 – Uninstall
  • 15101 - delete any recordings from <external_storage>/android/sys/rec/
• *.g – enable comms when only mobile data available
• *,g – disable comms when only mobile data available

Your Google verification code is 1644827 http://gmail.com/mail/u/0/#.#/

Your LinkedIn verification code is 15171.

Your order 177283 has shipped. UPS tracking #8123661. Thanks for your order http://wtrk.us/?x=33319204*.g
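The command grammar on this slide is small enough to turn into a detector. The block below is an added example written for this page (it is not code from the talk or from the malware): it scans SMS text for the tokens described above (`#....#` with one hour per dot, `#,,`, a trailing 15171/15181/15191/15101 code, and `*.g` / `*,g`) and runs that over the three lure messages shown on the slide plus one constructed benign message. The only assumption beyond the slide is that trailing punctuation is tolerated in the "ends with" check, since the LinkedIn lure ends in "15171." with a full stop.

```python
import re
from typing import List, Tuple

# Command tokens as described on the slide.
RECORD_RE = re.compile(r"#(\.+)#")   # "#....#": each dot adds an hour of call recording
STOP_TOKEN = "#,,"                    # stops any SMS-triggered recording
TRAILING_CODES = {                    # message "ends with" one of these codes
    "15171": "enable_receivers",
    "15181": "disable_receivers",
    "15191": "uninstall",
    "15101": "delete_recordings",
}
COMMS_TOKENS = {
    "*.g": "enable_comms_on_mobile_data",
    "*,g": "disable_comms_on_mobile_data",
}

# The three messages from the slide, plus one constructed benign message as a negative check.
SAMPLE_SMS = [
    "Your Google verification code is 1644827 http://gmail.com/mail/u/0/#.#/",
    "Your LinkedIn verification code is 15171.",
    "Your order 177283 has shipped. UPS tracking #8123661. "
    "Thanks for your order http://wtrk.us/?x=33319204*.g",
    "Your table for 2 is confirmed for 19:30. Reply STOP to opt out.",  # constructed, benign
]


def parse_commands(sms: str) -> List[Tuple[str, str]]:
    """Return (action, token) pairs for every FrozenCell-style command found in one SMS."""
    found: List[Tuple[str, str]] = []

    m = RECORD_RE.search(sms)
    if m:
        # Number of dots between the hashes is the recording duration in hours.
        found.append(("record_call", f"{len(m.group(1))}h"))

    if STOP_TOKEN in sms:
        found.append(("stop_recording", STOP_TOKEN))

    # Assumption: trailing punctuation is tolerated ("... code is 15171." on the slide).
    tail = sms.rstrip().rstrip(".!?,;:")
    for code, action in TRAILING_CODES.items():
        if tail.endswith(code):
            found.append((action, code))

    for token, action in COMMS_TOKENS.items():
        if token in sms:
            found.append((action, token))

    return found


def flag_messages(messages: List[str]) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Keep only messages that carry at least one command, with the commands decoded."""
    flagged = []
    for sms in messages:
        cmds = parse_commands(sms)
        if cmds:
            flagged.append((sms, cmds))
    return flagged


if __name__ == "__main__":
    for sms, cmds in flag_messages(SAMPLE_SMS):
        print(f"{cmds}  <-  {sms!r}")
```

The point of the negative sample is that ordinary "#", "*" and digit runs (a UPS tracking number, a time of day) do not trip the detector; only the exact token shapes from the slide do, which keeps a rule like this usable over a real SMS store.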
FrozenCell
You used to call me on the cell phone
• Exfilled msg data indicates GMT +3
• Call data to +972 area code & 059 prefix
• Pretty sure server timezone is 12hrs off
  • Eg; datetime in filename of recorded call is 7am, duration is 50 seconds, modify timestamp on server file is 19:01 and they get uploaded immediately on completion.
Editor's Notes
Sophisticated end of the spectrum when it comes to exploits – NSO, FF, HT.
As researchers I think we sometimes underestimate the effectiveness of actors operating at the lower end of the cost spectrum when it comes to exploits. The two families I’ll talk about don’t use exploits but it’s worth keeping in mind that when you take out exploits the surveillanceware capabilities and functionality of actors at both ends of the spectrum are fairly similar and in some cases identical.
So if we’re not using zero days, what’s our attack vector?
More often a text message …. That’s carefully crafted …. along with some social engineering is simply all that is needed.
Messages like this that appear to be sent from females are super effective and are nowhere near the cost of developing your own zerodays. Also means that if their tooling falls into the hands of security researchers that investment into zeroday development isn’t burnt.
This is exactly what we saw earlier this year with targeted attacks against the IDF with an Android surveillanceware tool that we call ViperRAT.
In this case, members of the IDF received messages on social media from accounts that appeared to belong to women. Once a rapport was built with the victim they’d be asked to install another chat application, linked to by the attacker.
Other trojanised first stage applications did come with complete legitimate functionality intact; we saw a phone stats app, a billiards game, and a music player.
The goal of the first stage is to have a minimal footprint while profiling the device and managing the installation of the 2nd stage.
No DGA
No resilience to takedowns
Potentially multiple campaigns given the number of domains and associated apps, but we haven’t found a pattern around that just yet.
Analysis of infrastructure did show that these guys had directory listings on for what we initially thought was exfiltrated data. However, running file magic wasn’t able to identify the content; catting it out showed what looked like two distinct sections, the first being base64 followed by binary data, and each file had a fairly high entropy, so we were pretty sure there was at least some encrypted data.
Dead end without the private RSA key? GG? Bits please, let’s keep digging.
Value at n (manufacturer index) added to hex 0x37 gets the character we’re interested in
Id type – identifier we’re dealing with
Manufacturer – number of characters in the manufacturer name
Indexes where we find the manufacturer name – so the first one is 23, so we count our way in to index 23 and find 28. Not in the diagram, but we need to add 0x37 hex to the value at the specified index. The resulting character representation of that addition gets us part of the manufacturer name. Repeating that tells us that this specific compromised device is a Samsung model. Looking at the remaining unused digits, we are then able to get the IMEI, so we can automate this process to extract all victim IMEIs and models. Turns out Samsung was way in front.
We can do the same thing with subdirectories. Each device directory on the C2 contains a list of folders like this, and each of these names appears in the client itself and is used as an identifier when certain operations take place and specific data is taken. So analysing the client we can see that the identifier starting with CO412356789 is used when contact information is handled; similarly, the CCAPT identifier is used when images are captured from the device camera.
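Here is the "automate this process" step from the notes above and from the directory-structure slide, as an added example written for this page rather than the talk's own tooling. The 0x37 offset and the "index 23 holds 28" walk-through are from the talk; the header layout (first digit = id type, second digit = length of the manufacturer name, then one two-digit index per character, with every unconsumed digit forming the IMEI) is this example's reading of the diagram, and it reproduces exactly the values shown on the slide: SAMSUNG and 352117661948102.

```python
from typing import Dict, List

# Directory name exactly as it appears on the slide (spaces are only layout).
SLIDE_DIRNAME = "1723272119172935 3302822 2852102311761661948102"

# From the talk: the two-digit value at a manufacturer index + 0x37 is the ASCII character.
CHAR_OFFSET = 0x37


def decode_viperrat_dirname(name: str) -> Dict[str, object]:
    """Split an all-digit ViperRAT C2 directory name into id type, manufacturer and IMEI.

    Layout assumed by this example (it matches the slide, but is not a documented format):
      digit 0       id type
      digit 1       number of characters in the manufacturer name
      digits 2..    one two-digit index per manufacturer character
      elsewhere     the two digits at each index + 0x37 give one character;
                    every digit not consumed above, read in order, is the IMEI.
    """
    digits = name.replace(" ", "")
    if not digits.isdigit():
        raise ValueError("directory name must be all digits")

    id_type = int(digits[0])
    name_len = int(digits[1])
    header_end = 2 + 2 * name_len
    indexes: List[int] = [int(digits[2 + 2 * i : 4 + 2 * i]) for i in range(name_len)]

    consumed = set(range(header_end))
    chars: List[str] = []
    for idx in indexes:
        if idx < header_end or idx + 2 > len(digits) or idx in consumed:
            raise ValueError(f"bad manufacturer index {idx}")
        chars.append(chr(int(digits[idx : idx + 2]) + CHAR_OFFSET))
        consumed.update((idx, idx + 1))

    imei = "".join(d for i, d in enumerate(digits) if i not in consumed)
    return {"id_type": id_type, "manufacturer": "".join(chars), "imei": imei}


if __name__ == "__main__":
    # Index 23 -> "28" -> 28 + 0x37 = 83 = 'S', the first letter of SAMSUNG, as in the notes.
    print(decode_viperrat_dirname(SLIDE_DIRNAME))
```

Running it over every device directory of a mirrored C2 gives the manufacturer tally and the IMEI list the notes describe; the strict index checks are there so that a directory that does not follow the layout raises rather than silently producing a plausible-looking IMEI.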
So these guys haven’t used any zero days but they’ve managed to recover, by now, over 3 gig of data from approximately 600 devices.
Interestingly, we can also do analysis around the modified times of exfiltrated data on C2 infrastructure. So once we’ve mirrored a C2, we can run log2timeline over it, kick it over to Kibana and then filter on various filenames, types, and metadata. So the picture we see here is from a single C2 server, which we can see has been operational from halfway through this year. When we first analysed infrastructure back in January and February there were only 30 devices, so their operations have picked up considerably since then given the number of victims we’re currently seeing.
This particular server is still collecting 1000s of files a week, although it looks like collection is tapering off; however, we’ve seen new samples released, so maybe they’re moving to new infrastructure or evolving how they operate.
Narrow in on attacker behaviour …
We can also do the same timeline analysis around data that’s been stolen as a direct result of an operator explicitly triggering this functionality – for example pulling back contact info, geo, or SMS content happens rarely and has only been seen to occur on Fridays and Saturdays?? This doesn’t seem to be automated given how irregularly it occurs, although it’s interesting to see given that Friday and Saturday are the weekend in certain Middle Eastern countries.
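The weekday pattern above is the kind of question that is easy to ask of a mirrored C2 once the rows are out of log2timeline. The block below is an added example for this page, not the talk's own scripts: it reduces each row to (path, mtime), classifies the row by the identifier folder named in the notes (CO412356789 for contacts, CCAPT for camera captures), and builds the per-weekday and per-ISO-week counts the slides talk about. The rows are constructed sample data that reuse the device directory from the earlier slide.

```python
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

# Identifier folders from the client, as named in the notes. Contacts are operator-triggered;
# camera captures fire when calls are answered, so they are expected on any day.
OPERATOR_TRIGGERED = {"CO412356789": "contacts", "CCAPT": "camera"}

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed (path relative to mirrored C2 root, server mtime) rows, the shape a
# log2timeline export can be reduced to. Device directory reused from the slide.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("352117661948102/CO412356789/contacts-1.bin", "2017-07-14 10:02:11"),  # Fri
    ("352117661948102/CO412356789/contacts-2.bin", "2017-07-15 09:41:03"),  # Sat
    ("352117661948102/CO412356789/contacts-3.bin", "2017-07-21 11:12:45"),  # Fri
    ("352117661948102/CCAPT/capture-1.jpg", "2017-07-17 08:00:00"),          # Mon
    ("352117661948102/CCAPT/capture-2.jpg", "2017-07-18 13:30:00"),          # Tue
    ("352117661948102/CCAPT/capture-3.jpg", "2017-07-19 16:05:00"),          # Wed
    ("352117661948102/OTHER/blob.bin", "2017-07-19 08:00:00"),               # unknown folder
]


def category_of(path: str) -> str:
    """Map <device>/<identifier>/<file> to the data type the identifier folder stands for."""
    parts = path.split("/")
    if len(parts) < 2:
        return "other"
    return OPERATOR_TRIGGERED.get(parts[1], "other")


def weekday_histogram(rows: List[Tuple[str, str]], category: str) -> Dict[str, int]:
    """Count files of one category by the weekday of their server mtime."""
    counts: Counter = Counter()
    for path, mtime in rows:
        if category_of(path) == category:
            counts[datetime.strptime(mtime, TS_FMT).strftime("%A")] += 1
    return dict(counts)


def files_per_iso_week(rows: List[Tuple[str, str]]) -> Dict[int, int]:
    """Files landing on the C2 per ISO week, the 'files a week' figure from the slide."""
    counts: Counter = Counter()
    for _, mtime in rows:
        counts[datetime.strptime(mtime, TS_FMT).isocalendar()[1]] += 1
    return dict(counts)


def only_on(rows: List[Tuple[str, str]], category: str, days=("Friday", "Saturday")) -> bool:
    """True when every file of the category was modified on one of the given weekdays."""
    hist = weekday_histogram(rows, category)
    return bool(hist) and set(hist) <= set(days)


if __name__ == "__main__":
    print("contacts by weekday:", weekday_histogram(SAMPLE_ROWS, "contacts"))
    print("camera by weekday:  ", weekday_histogram(SAMPLE_ROWS, "camera"))
    print("files per ISO week: ", files_per_iso_week(SAMPLE_ROWS))
    print("contacts only Fri/Sat:", only_on(SAMPLE_ROWS, "contacts"))
```

One caveat worth carrying from the FrozenCell slides: the weekday comes from the server's mtime, so if the server clock or timezone is off (the talk notes a 12-hour discrepancy on the FrozenCell side) the bucketing shifts for files written near midnight, and the histogram should be read against the victims' local time rather than the server's.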
Issue instructions even if C2 down
Dialog shown for uninstall
API Key
No longer accessible and only used in late 2016 before they moved away from using opencellid.
Haven’t reused any creds that we’ve seen
Have had usernames specific to infrastructure
These ones are down atm.
Seeing this from a number of actors in this region – not sure if they all go to the same C2 training school and working off the same course material…
Smaller number of infected devices
Multiple C2s – cleaned daily
Details for almost 500 individuals – passports, DOBs, addresses, etc.
Exfil of content is regularly scheduled
Saw two mobile families without exploits in what appear to be targeted attacks and they’ve been really successful at gathering intel from their targets.
No zero days so these guys are operating at a fraction of the cost in comparison to other actors
Multi-platform actors are becoming more frequent