Here comes another enlightening document that dives into the thrilling world of breaking BitLocker, Windows' attempt at full disk encryption.
This analysis will walk you through the myriad of creative hacks, from the classic cold boot attacks—because who doesn't love freezing their computer to steal some data—to exploiting those oh-so-reliable TPM chips that might as well have a "hack me" sign on them.
We'll also cover some software vulnerabilities, because Microsoft just wouldn't be the same without a few of those sprinkled in for good measure. And let's not forget about intercepting those elusive decryption keys; it's like a digital treasure hunt!
So, whether you're a security expert, a forensic analyst, or just a curious cat in the world of cybersecurity, enjoy the read, and maybe keep that data backed up somewhere safe, yeah?
-------
This document provides a comprehensive analysis of the method demonstrated in the video "Breaking Bitlocker - Bypassing the Windows Disk Encryption" where the author showcases a low-cost hardware attack capable of bypassing BitLocker encryption. The analysis will cover various aspects of the attack, including the technical approach, the use of a Trusted Platform Module (TPM) chip, and the implications for security practices.
The analysis provides a high-quality summary of the demonstrated attack, ensuring that security professionals and specialists from different fields can understand the potential risks and necessary countermeasures. The document is particularly useful for cybersecurity experts, IT professionals, and organizations that rely on BitLocker for data protection and to highlight the need for ongoing security assessments and the potential for similar vulnerabilities in other encryption systems.
Enabling TPM 2.0 on coreboot based devicesPiotr Król
This talk was presented during European coreboot Conference 2017 in Bochum. In this talk we walk through procedures required for enabling TPM 2.0 using LPC interface. We implemented that support as part of our ongoing maintainances of PC Engines apu series (AMD G-series) platform.
Video is available here: https://youtu.be/Yjb9n5p3giI
Enabling TPM 2.0 on coreboot based devicesPiotr Król
This talk was presented during European coreboot Conference 2017 in Bochum. In this talk we walk through procedures required for enabling TPM 2.0 using LPC interface. We implemented that support as part of our ongoing maintainances of PC Engines apu series (AMD G-series) platform.
Video is available here: https://youtu.be/Yjb9n5p3giI
Today connected devices are everywhere, where we expect a massive growth over the upcoming years. What are connected devices (IOT)? It connects people to machines, machines to machines and shares data both people and machines create. However, why should you care about security?
This presentation walks you through why connected devices (IOT) are being targeted, what typically goes wrong during development making these devices vulnerable to attacks and whats next...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...Priyanka Aash
In 2017, a sophisticated threat actor deployed the TRITON attack framework engineered to manipulate industrial safety systems at a critical infrastructure facility. This talk offers new insights into TRITON attack framework which became an unprecedented milestone in the history of cyber-warfare as it is the first publicly observed malware that specifically targets protection functions meant to safeguard human lives. While the attack was discovered before its ultimate goal was achieved, that is, disruption of the physical process, TRITON is a wakeup call regarding the need to urgently improve ICS cybersecurity.
W32.Stuxnet has gained a lot of attention from researchers and media recently. There is good reason for this. Stuxnet is one of the
most complex threats we have analyzed. In this paper we take a detailed look at Stuxnet and its various components and particularly
focus on the final goal of Stuxnet, which is to reprogram industrial
control systems. Stuxnet is a large, complex piece of malware with
many different components and functionalities. We have already
covered some of these components in our blog series on the topic. While some of the information from those blogs is included here,
this paper is a more comprehensive and in-depth look at the threat.
Stuxnet is a threat that was primarily written to target an industrial
control system or set of similar systems. Industrial control systems are
used in gas pipelines and power plants. Its final goal is to reprogram
industrial control systems (ICS) by modifying code on programmable
logic controllers (PLCs) to make them work in a manner the attacker intended and to hide those changes from the operator of the equipment.
In order to achieve this goal the creators amassed a vast array of components to increase their chances of success. This includes zero-day
exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion...
Piratng Avs to bypass exploit mitigationPriyanka Aash
"Put a low-level security researcher in front of hooking mechanisms and you get industry-wide vulnerability notifications, affecting security tools such as Anti-Virus, Anti-Exploitations and DLP, as well as non-security applications such as gaming and productivity tools. In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft's Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
In this talk we'll survey the different vulnerabilities, and deep dive into a couple of those. In particular, we'll take a close look at a vulnerability appearing in the most popular commercial hooking engine of a large vendor. This vulnerability affects the most widespread productivity applications and forced the vendor to not only fix their engine, but also that their customers fix their applications prior to releasing the patch to the public. Finally, we'll demonstrate how security tools can be used as an intrusion channel for threat actors, ironically defeating security measures."
(Source: Black Hat USA 2016, Las Vegas)
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft’s Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
Trusted Computing intends to make PC platform trustworthy so that a user can have level of trust when
working with it. To build a level of trust TCG gave specification of TPM, as integral part of TCB, for
providing root(s) of trust. Further TCG defined Dynamic Root of Trust Measurement in Trusted Computing
systems in its specification as a technology for measured platform initialization while system is in running
state. The DRTM approach is contrary to Static Root of Trust Measurement where measurements are taken
during boot process. In this study, since this technology was first introduced, we list and discuss upon
publically available open source solutions that either implement DRTM or are applications of these DRTM
based solutions. Further, the challenges faced by the DRTM technology along with observations from
authors are listed.
Breaking hardware enforced security with hypervisorsPriyanka Aash
"Hardware-Enforced Security is touted as the panacea solution to many modern computer security challenges. While certainly adding robust options to the defenders toolset, they are not without their own weaknesses. In this talk we will demonstrate how low-level technologies such as hypervisors can be used to subvert the claims of security made by these mechanisms. Specifically, we will show how a hypervisor rootkit can bypass Intel's Trusted Execution Environment (TXT) DRTM (dynamic root of trust measurement) and capture keys from Intel's AES-NI instructions. These attacks against TXT and AES-NI have never been published before. Trusted computing has had a varied history, to include technologies such as Trusted Execution Technology (TXT), ARM TrustZone, and now Microsoft Isolated User Mode and Intel SGX. All of these technologies attempt to protect user data from privileged processes snooping or controlling execution. These technologies claim that no elevated process, whether kernel based, System Management Mode (SMM) based, or hypervisor based will be able to compromise the user's data and execution.
This presentation will highlight the age-old problem of misconfiguration of Intel TXT by exploiting a machine through the use of another Intel technology, the Type-1 hypervisor (VT-x). Problems with these technologies have surfaced not as design issues but during implementation. Whether there remains a hardware weakness where attestation keys can be compromised, or a software and hardware combination, such as exposed DMA that permits exfiltration, and sometimes modification, of user process memory. This presentation will highlight one of these implementation flaws as exhibited by the open source tBoot project and the underlying Intel TXT technology. Summation will offer defenses against all too often pitfalls when deploying these systems, including proper deployment design using sealed storage, remote attestation, and hardware hardening."
(Source: Black Hat USA 2016, Las Vegas)
Welcome to the next edition of our Monthly Digest, your one-stop resource for staying informed on the most recent developments, insights, and best practices in the ever-evolving field of security. In this issue, we have curated a diverse collection of articles, news, and research findings tailored to both professionals and casual enthusiasts. Our digest aims to make our content is both engaging and accessible. Happy reading
Another day, another CVE exploited by our favorite cyber adversaries. This time, the spotlight is on CVE-2023-42793, and let's just say, it's not getting rave reviews from the cybersecurity community.
TeamCity, for those not in the loop, is the Swiss Army knife for software developers, handling everything from compiling code to tying it up with a pretty bow. But, plot twist, it turns out to be the perfect backdoor for our cyber villains to waltz right in.
With all seriousness, the document aims to shed light on the critical cybersecurity threats posed by the exploitation of JetBrains TeamCity software. The ultimate goal is to enhance organizational cybersecurity postures, safeguarding against similar threats and contributing effectively to the collective defense against sophisticated cyber espionage activities.
-------
This document provides aт analysis of the Exploiting JetBrains TeamCity CVE advisory, as detailed in the Defense.gov publication. The analysis delves into various critical aspects of cybersecurity, focusing on the exploitation of CVEs to gain initial access to networks, deployment of custom malware.
This analysis serves as a valuable resource for cybersecurity professionals, software developers, and stakeholders in various industries, offering a detailed understanding of the tactics, techniques, and procedures (TTPs) employed by cyber actors. By providing a qualitative summary of the advisory, this document aims to enhance the cybersecurity posture of organizations, enabling them to better protect against similar threats and contribute to the collective defense against state-sponsored cyber espionage activities.
More Related Content
Similar to Microsoft BitLocker Bypass Attack Method.pdf
Today connected devices are everywhere, where we expect a massive growth over the upcoming years. What are connected devices (IOT)? It connects people to machines, machines to machines and shares data both people and machines create. However, why should you care about security?
This presentation walks you through why connected devices (IOT) are being targeted, what typically goes wrong during development making these devices vulnerable to attacks and whats next...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...Priyanka Aash
In 2017, a sophisticated threat actor deployed the TRITON attack framework engineered to manipulate industrial safety systems at a critical infrastructure facility. This talk offers new insights into TRITON attack framework which became an unprecedented milestone in the history of cyber-warfare as it is the first publicly observed malware that specifically targets protection functions meant to safeguard human lives. While the attack was discovered before its ultimate goal was achieved, that is, disruption of the physical process, TRITON is a wakeup call regarding the need to urgently improve ICS cybersecurity.
W32.Stuxnet has gained a lot of attention from researchers and media recently. There is good reason for this. Stuxnet is one of the
most complex threats we have analyzed. In this paper we take a detailed look at Stuxnet and its various components and particularly
focus on the final goal of Stuxnet, which is to reprogram industrial
control systems. Stuxnet is a large, complex piece of malware with
many different components and functionalities. We have already
covered some of these components in our blog series on the topic. While some of the information from those blogs is included here,
this paper is a more comprehensive and in-depth look at the threat.
Stuxnet is a threat that was primarily written to target an industrial
control system or set of similar systems. Industrial control systems are
used in gas pipelines and power plants. Its final goal is to reprogram
industrial control systems (ICS) by modifying code on programmable
logic controllers (PLCs) to make them work in a manner the attacker intended and to hide those changes from the operator of the equipment.
In order to achieve this goal the creators amassed a vast array of components to increase their chances of success. This includes zero-day
exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion...
Piratng Avs to bypass exploit mitigationPriyanka Aash
"Put a low-level security researcher in front of hooking mechanisms and you get industry-wide vulnerability notifications, affecting security tools such as Anti-Virus, Anti-Exploitations and DLP, as well as non-security applications such as gaming and productivity tools. In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft's Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
In this talk we'll survey the different vulnerabilities, and deep dive into a couple of those. In particular, we'll take a close look at a vulnerability appearing in the most popular commercial hooking engine of a large vendor. This vulnerability affects the most widespread productivity applications and forced the vendor to not only fix their engine, but also that their customers fix their applications prior to releasing the patch to the public. Finally, we'll demonstrate how security tools can be used as an intrusion channel for threat actors, ironically defeating security measures."
(Source: Black Hat USA 2016, Las Vegas)
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft’s Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
Trusted Computing intends to make PC platform trustworthy so that a user can have level of trust when
working with it. To build a level of trust TCG gave specification of TPM, as integral part of TCB, for
providing root(s) of trust. Further TCG defined Dynamic Root of Trust Measurement in Trusted Computing
systems in its specification as a technology for measured platform initialization while system is in running
state. The DRTM approach is contrary to Static Root of Trust Measurement where measurements are taken
during boot process. In this study, since this technology was first introduced, we list and discuss upon
publically available open source solutions that either implement DRTM or are applications of these DRTM
based solutions. Further, the challenges faced by the DRTM technology along with observations from
authors are listed.
Breaking hardware enforced security with hypervisorsPriyanka Aash
"Hardware-Enforced Security is touted as the panacea solution to many modern computer security challenges. While certainly adding robust options to the defenders toolset, they are not without their own weaknesses. In this talk we will demonstrate how low-level technologies such as hypervisors can be used to subvert the claims of security made by these mechanisms. Specifically, we will show how a hypervisor rootkit can bypass Intel's Trusted Execution Environment (TXT) DRTM (dynamic root of trust measurement) and capture keys from Intel's AES-NI instructions. These attacks against TXT and AES-NI have never been published before. Trusted computing has had a varied history, to include technologies such as Trusted Execution Technology (TXT), ARM TrustZone, and now Microsoft Isolated User Mode and Intel SGX. All of these technologies attempt to protect user data from privileged processes snooping or controlling execution. These technologies claim that no elevated process, whether kernel based, System Management Mode (SMM) based, or hypervisor based will be able to compromise the user's data and execution.
This presentation will highlight the age-old problem of misconfiguration of Intel TXT by exploiting a machine through the use of another Intel technology, the Type-1 hypervisor (VT-x). Problems with these technologies have surfaced not as design issues but during implementation. Whether there remains a hardware weakness where attestation keys can be compromised, or a software and hardware combination, such as exposed DMA that permits exfiltration, and sometimes modification, of user process memory. This presentation will highlight one of these implementation flaws as exhibited by the open source tBoot project and the underlying Intel TXT technology. Summation will offer defenses against all too often pitfalls when deploying these systems, including proper deployment design using sealed storage, remote attestation, and hardware hardening."
(Source: Black Hat USA 2016, Las Vegas)
Similar to Microsoft BitLocker Bypass Attack Method.pdf (20)
Welcome to the next edition of our Monthly Digest, your one-stop resource for staying informed on the most recent developments, insights, and best practices in the ever-evolving field of security. In this issue, we have curated a diverse collection of articles, news, and research findings tailored to both professionals and casual enthusiasts. Our digest aims to make our content is both engaging and accessible. Happy reading
Another day, another CVE exploited by our favorite cyber adversaries. This time, the spotlight is on CVE-2023-42793, and let's just say, it's not getting rave reviews from the cybersecurity community.
TeamCity, for those not in the loop, is the Swiss Army knife for software developers, handling everything from compiling code to tying it up with a pretty bow. But, plot twist, it turns out to be the perfect backdoor for our cyber villains to waltz right in.
With all seriousness, the document aims to shed light on the critical cybersecurity threats posed by the exploitation of JetBrains TeamCity software. The ultimate goal is to enhance organizational cybersecurity postures, safeguarding against similar threats and contributing effectively to the collective defense against sophisticated cyber espionage activities.
-------
This document provides aт analysis of the Exploiting JetBrains TeamCity CVE advisory, as detailed in the Defense.gov publication. The analysis delves into various critical aspects of cybersecurity, focusing on the exploitation of CVEs to gain initial access to networks, deployment of custom malware.
This analysis serves as a valuable resource for cybersecurity professionals, software developers, and stakeholders in various industries, offering a detailed understanding of the tactics, techniques, and procedures (TTPs) employed by cyber actors. By providing a qualitative summary of the advisory, this document aims to enhance the cybersecurity posture of organizations, enabling them to better protect against similar threats and contribute to the collective defense against state-sponsored cyber espionage activities.
So, here we have a riveting tale from the NSA, spinning a yarn about the dark arts of Living Off the Land (LOTL) intrusions. It's like a bedtime story for cyber security folks, but instead of dragons, we have cyber threat actors wielding the mighty power of... legitimate tools? Yep, you heard it right. These digital ninjas are sneaking around using the very tools we rely on daily, turning our digital sanctuaries into their playgrounds.
The document, in its infinite wisdom, distills the essence of the NSA's advisory into bite-sized, actionable insights. Security pros, IT wizards, policymakers, and anyone who's ever touched a computer – rejoice! You now have the secret sauce to beef up your defenses against these stealthy intruders. Thanks to the collective brainpower of cybersecurity's Avengers – the U.S., Australia, Canada, the UK, and New Zealand – we're privy to the secrets of thwarting LOTL techniques.
With all seriousness, this document aims to equip professionals with the knowledge and tools necessary to combat the increasingly sophisticated LOTL cyber threats. By adhering to the NSA's advisory, organizations retrospectively can significantly enhance their security posture, ensuring a more secure and resilient digital environment against adversaries who exploit legitimate tools for malicious purposes.
-------
This document provides an in-depth analysis of the National Security Agency's (NSA) advisory on combatting cyber threat actors who perpetrate Living Off the Land (LOTL) intrusions. The analysis encompasses a thorough examination of the advisory's multifaceted approach to addressing LOTL tactics, which are increasingly leveraged by adversaries to exploit legitimate tools within a target's environment for malicious purposes.
The analysis offers a high-quality summary of the NSA's advisory, distilling its key points into actionable insights. It serves as a valuable resource for security professionals, IT personnel, policymakers, and stakeholders across various industries, providing them with the knowledge to enhance their defensive capabilities against sophisticated LOTL cyber threats. By implementing the advisory's recommendations, these professionals can improve their situational awareness, refine their security posture, and develop more robust defense mechanisms to protect against the subtle and stealthy nature of LOTL intrusions.
PureVPN presents itself as a beacon of online privacy and security in the vast and murky waters of the internet.
In the grand tradition of "security first", we find ourselves marveling at the latest contributions to the cybersecurity hall of fame: CVE-2023-38043, CVE-2023-35080, and CVE-2023-38543. These vulnerabilities, discovered in the Avanti Secure Access Client, previously known as Pulse Secure VPN, have opened up a new chapter in the saga of "How Not To VPN".
-------
This document presents a analysis of the vulnerabilities identified in Ivanti Secure Access VPN (Pulse Secure VPN) with their potential impact on organizations that rely on this VPN. The analysis delves into various aspects of these vulnerabilities, including their exploitation methods, potential impacts, and the challenges encountered during the exploitation process.
The document provides a qualitative summary of the analyzed vulnerabilities, offering valuable insights for cybersecurity professionals, IT administrators, and other stakeholders in various industries. By understanding the technical nuances, exploitation methods, and mitigation strategies, readers can enhance their organizational security posture against similar threats.
This analysis is particularly beneficial for security professionals seeking to understand the intricacies of VPN vulnerabilities and their implications for enterprise security. It also serves as a resource for IT administrators responsible for maintaining secure VPN configurations and for industry stakeholders interested in the broader implications of such vulnerabilities on digital security and compliance.
What a joyous day it was on October 31, 2023, when Atlassian graciously informed the world about CVE-2023-22518, a delightful little quirk in all versions of Confluence Data Center and Server. This minor hiccup, a mere improper authorization vulnerability, offers the thrilling possibility for any unauthenticated stranger to waltz in, reset Confluence, and maybe, just maybe, take the whole system under their benevolent control. Initially, this was given a modest CVSS score of 9.1, but because we all love a bit of drama, it was cranked up to a perfect 10, thanks to some lively exploits and a charming group of enthusiasts known as 'Storm-0062'.
In a heroic response, Atlassian released not one, but five shiny new versions of Confluence (7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1) to put a dampener on the festivities. They've kindly suggested that perhaps, just maybe, organizations might want to consider updating to these less fun versions to avoid any uninvited guests. And, in a stroke of genius, they recommend playing hard to get by restricting external access to Confluence servers until such updates can be applied. Cloud users, you can sit back and relax; this party is strictly on-premise.
This whole saga really highlights the thrill of living on the edge in the digital world, reminding us all of the sheer excitement that comes with the need for timely patching and robust security measures.
-------
This document presents a analysis of CVE-2023-22518, an improper authorization vulnerability in Atlassian Confluence Data Center and Server. The analysis will cover various aspects of the vulnerability, including its discovery, impact, exploitation methods, and mitigation strategies.
Security professionals will find the analysis particularly useful as it offers actionable intelligence, including indicators of compromise and detailed mitigation steps. By understanding the root causes, exploitation methods, and effective countermeasures, security experts can better protect their organizations from similar threats in the future.
BianLian ransomware has shown a remarkable ability to adapt and evolve faster than a chameleon at a disco. Initially an Android banking trojan, it decided that was too mainstream and reinvented itself as a ransomware strain in July 2022, because why not join the lucrative world of digital extortion?
BianLian targets just about anyone it can, from healthcare and education to government entities, because diversity is key in the world of cybercrime. It's not picky about its victims, much like a buffet enthusiast at an all-you-can-eat restaurant.
In a twist that would make a soap opera writer proud, BianLian ditched its encryption antics after Avast released a decryptor and now they focus on data exfiltration, threatening to spill your secrets unless you pay up, like a cyber version of "I know what you did last summer."
-------
This document provides an analysis of the Bian Lian ransomware, a malicious software that has been increasingly targeting various sectors with a focus on data exfiltration-based extortion. The analysis delves into multiple aspects of ransomware, including its operational tactics, technical characteristics, and the implications of its activities on cybersecurity.
The analysis of BianLian ransomware is particularly useful for security professionals, IT personnel, and organizations across various industries. It equips them with the knowledge to understand the threat landscape, anticipate potential attack vectors, and implement robust security protocols to mitigate risks associated with ransomware attacks.
Oh, where do we even start with the digital drama that is Anonymous Sudan? Picture this: a group of "hacktivists" (because apparently, that's a career choice now) decides to throw the digital equivalent of a temper tantrum across the globe. From the comfort of their mysterious lairs, they've been unleashing chaos since January 2023, targeting anyone from Sweden to Australia.
There's a twist! Despite their name, there's a juicy conspiracy theory that these digital vigilantes are actually Russian state-sponsored actors in disguise (guess the name of country who announces this theory and spent USD money to promote it?). Yes, you heard that right. They've been dropping hints in Russian, cheering for Russian government, and hanging out with their BFFs in the hacking group KillNet. Anonymous Sudan, however, is adamant they're the real deal, proudly Sudanese and not just some Russian operatives on a digital espionage mission.
Either way, they've certainly made their mark on the world, one DDoS attack at a time.
-------
This document provides a analysis of the hacktivist group known as Anonymous Sudan. The analysis delves into various aspects of the group's activities, including their origins, motivations, methods, and the implications of their actions. It offers a qualitative unpacking of the group's operations, highlighting key findings and patterns in their behavior.
The insights gained from this analysis are useful for cyber security experts, IT professionals, and law enforcement agencies. Understanding the modus operandi of Anonymous Sudan equips these stakeholders with the knowledge to anticipate potential attacks, strengthen their defenses, and develop effective countermeasures against similar hacktivist threats
What a dramatic cyber soap opera we've witnessed with the Alpha ransomware group, also known by their edgy alias, BlackCat. It's like a game of digital whack-a-mole, with the FBI and friends swinging the mallet of justice and the ransomware rascals popping up with a cheeky "unseized" banner as if they're playing a high-stakes game of capture the flag.
The FBI's initial victory lap was cut short when AlphV's site reemerged, now mysteriously devoid of any incriminating victim lists.
Will the FBI finally pin the cyber tail on the Black Cat, or will these digital desperados slip away once more? Stay tuned for the next episode of "Feds vs. Felons: The Cyber Chronicles."
-------
This document presents a analysis of the Alpha ransomware site, associated with the ransomware group also known as BlackCat. The analysis covers the ransomware technical details, including its encryption mechanisms, initial access vectors, lateral movement techniques, and data exfiltration methods.
The insights gained from this analysis are important for cybersecurity practitioners, IT professionals, and policymakers. Understanding the intricacies of AlphV/BlackCat ransomware enables the development of more effective defense mechanisms, enhances incident response strategies.
The infamous Mallox is the digital Robin Hoods of our time, except they steal from everyone and give to themselves. Since mid-2021, they've been playing hide and seek with unsecured Microsoft SQL servers, encrypting data, and then graciously offering to give it back for a modest Bitcoin donation.
Mallox decided to go shopping for new malware toys, adding the Remcos RAT, BatCloak, and a sprinkle of Metasploit to their collection. They're now playing a game of "Catch me if you can" with antivirus software, using their FUD obfuscator packers to turn their ransomware into the digital equivalent of a ninja.
-------
This document provides a analysis of the Target Company ransomware group, also known as Smallpox, which has been rapidly evolving since its first identification in June 2021.
The analysis delves into various aspects of the group's operations, including its distinctive practice of appending targeted organizations' names to encrypted files, the evolution of its encryption algorithms, and its tactics for establishing persistence and evading defenses.
The insights gained from this analysis are crucial for informing defense strategies and enhancing preparedness against such evolving cyber threats.
In the world of cyber warfare, where the stakes are as high as the egos, the Cyber Toufan Al-Aqsa hacking group burst onto the scene in 2023 with all the subtlety of a bull in a China shop. They've been busy bees, buzzing from one Israeli company to another, leaving a trail of digital chaos in their wake. And who's behind this masquerade of mischief? Well, the jury's still out, but fingers are wagging towards Iran, because if you're going to accuse someone of cyber shenanigans, it might as well be your geopolitical frenemy, right?
-------
This document presents an analysis of the Cyber Toufan Al-Aqsa hacking group, a newly emerged cyber threat that has rapidly gained notoriety for its sophisticated cyberattacks primarily targeting Israeli organizations.
The analysis delves into various aspects of the group's operations, including its background and emergence, modus operandi, notable attacks and breaches, alleged state sponsorship, and the implications of its activities for cybersecurity professionals and other specialists across different industries. It also aims to highlight its significant impact on cybersecurity practices and the broader geopolitical landscape.
The analysis serves as a valuable resource for cybersecurity professionals, IT specialists, and industry leaders, offering insights into the challenges and opportunities presented by the evolving cyber threat landscape.
In a twist of snarky irony, the very technology that powers our AI and machine learning models is now the target of a new vulnerability, dubbed "LeftoverLocals". Disclosed by Trail of Bits, this security flaw allows the recovery of data from GPU local memory created by another process, affecting Apple, Qualcomm, AMD, and Imagination GPUs
In this document, we provide a detailed analysis of the "LeftoverLocals" CVE-2023-4969 vulnerability, which has significant implications for the integrity of GPU applications, particularly for large language models (LLMs) and machine learning (ML) models executed on affected GPU platforms, including those from Apple, Qualcomm, AMD, and Imagination.
This document provides valuable insights for cybersecurity professionals, DevOps teams, IT specialists, and stakeholders in various industries. The analysis is designed to enhance the understanding of GPU security challenges and to assist in the development of effective strategies to safeguard sensitive data against similar threats in the future.
CRAFTED BY THE DIGITAL ARTISANS KNOWN AS SANDWORM, THE CHISEL IS NOT JUST MALWARE; IT'S A MASTERPIECE OF INTRUSION. THIS COLLECTION OF DIGITAL TOOLS DOESN'T JUST SNEAK INTO ANDROID DEVICES; IT SETS UP SHOP, KICKS BACK WITH A MARTINI, AND GETS TO WORK EXFILTRATING ALL SORTS OF JUICY INFORMATION. SYSTEM DEVICE INFO, COMMERCIAL APPLICATION DATA, AND OH, LET'S NOT FORGET THE PIÈCE DE RÉSISTANCE, MILITARY-SPECIFIC APPLICATIONS. BECAUSE WHY GO AFTER BORING, EVERYDAY DATA WHEN YOU CAN DIVE INTO THE SECRETS OF THE MILITARY?
THE CHISEL DOESN'T JUST EXFILTRATE DATA; IT CURATES IT. LIKE A CONNOISSEUR OF FINE WINES, IT SELECTS ONLY THE MOST EXQUISITE INFORMATION TO SEND BACK TO ITS CREATORS. SYSTEM DEVICE INFORMATION? CHECK. COMMERCIAL APPLICATION DATA? CHECK. MILITARY SECRETS THAT COULD POTENTIALLY ALTER THE COURSE OF INTERNATIONAL RELATIONS? DOUBLE-CHECK. IT'S NOT JUST STEALING; IT'S AN ART FORM.
In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?
The average enterprise ransom payment soared to over $100,000, with demands averaging a cool $5.3 million. But here's the kicker: 80% of organizations have a "Do-Not-Pay" policy, and yet, 41% ended up paying the ransom last year. And for those thinking insurance might save the day, think again. A whopping 77% of organizations found out the hard way that ransomware is the party crasher not covered by their security insurance. It's like showing up to a hurricane with an umbrella.
With Ransomware as a Service (RaaS) making it easier for any wannabe cybercriminal to join the fun, we can only expect more chaos, more victims, and more snarky retellings like this one. So, here's to 2023, a year that will be remembered not for technological breakthroughs or cyber defense victories, but for the sheer audacity and success of ransomware groups. May 2024 be a bit less... successful for them.
The Kings of Brute-Force and DDoS Meet KillNet [EN].pdfOverkill Security
KillNet has risen to the top of the cyber activity leaderboard, eclipsing over a hundred other groups in grandiose proxy cyber wars. Their favorite weapon? A very sophisticated distributed Denial of Service (DDoS) attack that hits a sore spot: vital infrastructure, government services, airport websites and, why not, media companies in NATO countries. Europe is their favorite playground, where more than 180 attacks have been reported, while North America is in the corner with less than 10. However, they are not picky: the financial industry, transportation, government agencies and business services. Healthcare in the USA? Taken aim at. Gov websites from Romania to the United States? The following.
To prove themselves as professionals in their field, they expanded their activities, moving from using ready-made tools to creating their own... with a subscription to let you share your achievements.
The action of the next cyber saga takes place in the mystical lands of the Asia-Pacific region, where the main characters began their digital activities in the middle of 2021 and qualitatively strengthened it in 2022. Corporate espionage, document theft, audio recordings, and data leaks from messaging platforms were all a matter of one day for Dark Pink. Their geographical focus may have started in the Asia-Pacific region, but their ambitions knew no bounds, targeting a European government ministry in a bold move to expand their portfolio. Their victim profile was as diverse as a UN meeting, targeting military organizations, government agencies, and even a religious organization. Because discrimination is not a fashionable agenda.
In the world of cybercrime, they serve as a reminder that sometimes the most serious threats come in the most unassuming packages with a pink bow.
TechAttacks. Star Blizzard continues worldwide spear-phishing campaigns [EN].pdfOverkill Security
"Star Blizzard" should not be confused with a celestial weather phenomenon or a limited-edition threat from the Dairy Queen. This saga takes place in a digital space where the only snowflakes are the unique identifiers of each hacked system.
The audacity of Blizzard, which conducts targeted social engineering attacks on Microsoft Teams using ready-made infrastructure against everyone who uses it. The group has been doing this since November 2023, remaining unnoticed until January 12, 2024. And not just sneaking around, but camping, making a bonfire in your digital backyard while you serenely watched your favorite TV series.
In the world of cybersecurity, where the stakes are high and the attackers are always looking for the next weak link, it's a wonder that any industry can keep a straight face. So, let's all have a nervous chuckle and then maybe, just maybe, update those passwords.
CVE-2024-0204 is like a key under the mat that has not been authenticated and wants to create its own administrator user. This vulnerability can be exploited remotely and is a classic example of CWE-425: "Forced access when a web application is simply too polite to provide proper authorization." Once they've tiptoed through the secret passage, they can create an admin user with read, write, command execution, access sensitive data, deploy malware, or just take complete control because, why not? It's free-for-all!
Vulnerable versions 6.x starting from 6.0.1 and version 7.x up to 7.4.1, in which they decided to hang a lock on the door. If you're feeling DIY, the advisory suggests a workaround: delete the endpoint /InitialAccountSetup.xhtml and restart the service. For those fancy container-deployed instances, just replace the file with an empty one and give it a good ol' reboot.
Welcome to the next edition of our Monthly Digest, your one-stop resource for staying informed on the most recent developments, insights, and best practices in the ever-evolving field of security. In this issue, we have curated a diverse collection of articles, news, and research findings tailored to both professionals and casual enthusiasts. Our digest aims to make our content is both engaging and accessible. Happy reading
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
1. Read more: Boosty | Sponsr | TG
Abstract – This document provides a comprehensive analysis of the
method demonstrated in the video "Breaking Bitlocker - Bypassing
the Windows Disk Encryption" where the author showcases a low-
cost hardware attack capable of bypassing BitLocker encryption. The
analysis will cover various aspects of the attack, including the
technical approach, the use of a Trusted Platform Module (TPM)
chip, and the implications for security practices.
The analysis provides a high-quality summary of the demonstrated
attack, ensuring that security professionals and specialists from
different fields can understand the potential risks and necessary
countermeasures. The document is particularly useful for
cybersecurity experts, IT professionals, and organizations that rely
on BitLocker for data protection and to highlight the need for
ongoing security assessments and the potential for similar
vulnerabilities in other encryption systems.
I. INTRODUCTION
In the video "Breaking Bitlocker - Bypassing the Windows
Disk Encryption", the author is talking about a method to bypass
the Windows Disk Encryption (BitLocker) using different
attacks including using a low-cost hardware attack. He shows
how an attacker can use a simple device to extract the encryption
key from a computer's TPM (Trusted Platform Module) chip,
which is used to store the encryption key for BitLocker. This
attack allows the attacker to decrypt the computer's hard drive
and access the data without knowing the BitLocker password.
The video provides:
• The method to bypass BitLocker using a low-cost
hardware attack.
• The attack targets the TPM chip, which is used to store
the encryption key for BitLocker.
• The detailed explanation of the attack, including the
hardware and software components involved.
• The implications of this attack and provides
recommendations for how users can protect their data
from this type of attack.
II. METHODOLOGY
The methodology for analyzing BitLocker involves several
steps:
• Understanding the Technical Details: it begins by
thoroughly understanding the technical aspects of
BitLocker, including its encryption algorithms, key
management mechanisms, and security features. This
knowledge is essential for identifying potential
vulnerabilities and weaknesses in the system.
• TPM Bypass Attack Demonstration: it provides a
detailed explanation of the TPM bypass attack,
including the hardware and software components
required to provide strong visual evidence of attack in
practice, showing how an attacker can extract the
encryption key from a computer's TPM chip using a
simple device.
• Analysis of BitLocker's Encryption Algorithms: it
analyzes BitLocker's encryption algorithms, including
AES and XTS-AES, and discusses their strengths and
weaknesses. It also examines the key management
mechanisms used by BitLocker and how they can be
exploited by attackers. This analysis provides a deeper
understanding of the vulnerabilities in BitLocker and
helps viewers appreciate the significance of the attack.
• Vulnerability Analysis: Based on the technical
understanding, literature review, and practical testing, it
performs a comprehensive vulnerability analysis of
BitLocker. This involves identifying potential attack
vectors, exploiting vulnerabilities, and assessing the
impact of these vulnerabilities on the security of
BitLocker.
• Practical Testing and Experimentation: It conducts
practical tests and experiments to evaluate the
effectiveness of BitLocker's security features. This may
involve setting up test environments, simulating attacks,
and analyzing the results to identify potential
weaknesses.
• Developing Countermeasures and
Recommendations: Finally, he develops
countermeasures and recommendations to mitigate the
identified vulnerabilities and improve the overall
security of BitLocker. These recommendations may
include configuration best practices, security updates,
and additional security measures to enhance the
protection of data encrypted with BitLocker.
III. SECURITY WEAKNESSES VIEWPOINT
The attack is possible due to several factors:
• Weak Encryption Algorithms: BitLocker uses weak
encryption algorithms, such as AES-128 and XTS-
AES, which can be easily broken using brute-force
attacks.
2. Read more: Boosty | Sponsr | TG
• Poor Implementation of BitLocker: BitLocker is
poorly implemented, which makes it vulnerable to
various attacks, including the TPM bypass attack and
the boot process attack.
• Lack of Security Awareness: many users are not
aware of the security risks associated with BitLocker
and do not take adequate steps to protect their data.
It is mentioned that the attack is possible because of the
availability of low-cost hardware devices that can be used to
bypass BitLocker's security features.
In terms of hardware this attack is also possible because the
LPC bus related to TPM communication is not encrypted. This
means that an attacker who has physical access to the computer
can easily monitor the data that is being sent over the bus.
IV. LPC BUS
The LPC (Low Pin Count) bus is a computer bus used on
IBM-compatible personal computers to connect low-bandwidth
devices to the motherboard, such as the boot ROM, "legacy" I/O
devices (integrated into a super I/O chip), and Trusted Platform
Module (TPM).
A. Purpose of the LPC Bus in a TPM
The LPC bus is a low-speed, multiplexed, point-to-point bus
that is used to connect low-bandwidth devices to the
motherboard. The LPC bus is a legacy bus and is no longer used
in new computer systems.
The TPM chip is a hardware security module that is used to
store cryptographic keys and perform cryptographic operations.
The LPC bus is used to send commands to the TPM chip and to
receive responses from the TPM chip. Some key details:
• The LPC bus is a low-speed bus that operates at a speed
of 33 MHz.
• The LPC bus is a multiplexed bus, which means that it
uses the same wires to send data in both directions.
• The LPC bus is a point-to-point bus, which means that
it connects only two devices.
• The LPC bus is a legacy bus, which means that it is no
longer used in new computer systems.
B. Some Other Uses of the LPC Bus in Computer Systems
• Connecting low-bandwidth devices to the motherboard,
such as the boot ROM and the BIOS ROM
• Connecting legacy ISA devices to the motherboard
• Connecting Trusted Platform Modules (TPMs) to the
motherboard
• Connecting other low-bandwidth devices to the
motherboard, such as serial ports and parallel ports
C. BitLocker Extraction
To extract the BitLocker key from a TPM using the LPC bus,
an attacker would need to:
• Gain physical access to the computer. This could be
done by stealing the computer or by gaining access to it
through social engineering or other means.
• Open the computer case and locate the TPM chip.
The TPM chip is usually located on the motherboard.
• Connect a logic analyzer or other hardware device to
the LPC bus. This will allow the attacker to monitor the
data that is being sent over the bus.
• Boot the computer and wait for the BitLocker key to
be sent over the LPC bus. The BitLocker key is sent
from the TPM chip to the operating system when the
computer is booted.
• Capture the BitLocker key using the logic analyzer
or other hardware device. Once the BitLocker key has
been captured, the attacker can use it to decrypt the
BitLocker-encrypted drive.
D. LPC Security
The LPC bus does not protect the TPM chip from security
attacks. In fact, the LPC bus is a potential attack vector that can
be used to extract the BitLocker key from the TPM chip.
An attacker could use a hardware device to connect to the
LPC bus and monitor the data that is being sent between the
TPM chip and the computer's motherboard. This data includes
the BitLocker key. Once the attacker has captured the BitLocker
key, they can use it to decrypt the BitLocker-encrypted drive.
To protect against this attack, users should enable
BitLocker's "TPM-only" mode. This mode requires the TPM
chip to be present and functional in order to decrypt the
BitLocker-encrypted drive. This makes it much more difficult
for an attacker to extract the BitLocker key from the TPM chip.
V. TPM BYPASS ATTACK DEMONSTRATION
The TPM Bypass Attack Demonstration is a practical
demonstration of how an attacker can bypass the Trusted
Platform Module (TPM) chip and extract the encryption key
used by BitLocker to encrypt data on a computer. This attack
allows the attacker to decrypt the computer's hard drive and
access the data without knowing the BitLocker password.
In the video it is used a simple and inexpensive hardware
device to perform the attack. The device is connected to the
computer's motherboard and allows the attacker to access the
TPM chip directly. Once the attacker has access to the TPM
chip, they can extract the encryption key and use it to decrypt
the computer's hard drive.
It is discussed that several examples of attacks that can be
combined to bypass BitLocker
A. TPM Bypass Attack
The TPM bypass attack targets the Trusted Platform Module
(TPM) chip, which is a hardware component that is used to store
the encryption key for BitLocker. By bypassing the TPM, an
attacker can extract the encryption key and decrypt the
computer's hard drive.
There are several ways to bypass the TPM, including:
3. Read more: Boosty | Sponsr | TG
• Physical Attacks: An attacker could physically remove
the TPM chip from the computer or use a hardware
device to access the TPM chip directly.
• Firmware Attacks: An attacker could exploit
vulnerabilities in the TPM chip's firmware to extract the
encryption key.
• Software Attacks: An attacker could use a software
exploit to bypass the TPM chip and access the
encryption key.
B. Boot Process Attack
The boot process attack targets the boot process of the
computer. By modifying the boot process, an attacker could
prevent BitLocker from loading or could load a malicious
version of BitLocker that would allow the attacker to decrypt the
computer's hard drive.
There are several ways to modify the boot process,
including:
• Modifying the Bootloader: An attacker could modify
the bootloader to prevent BitLocker from loading or to
load a malicious version of BitLocker.
• Using a Bootkit: An attacker could use a bootkit to
modify the boot process and load a malicious version of
BitLocker.
• Exploiting Vulnerabilities in the Boot Process: An
attacker could exploit vulnerabilities in the boot process
to bypass BitLocker.
C. Side-Channel Attacks
Side-channel attacks exploit information that is leaked
during the encryption or decryption process. By analyzing this
information, an attacker could potentially recover the encryption
key. There are several types of side-channel attacks, including:
• Timing Attacks: An attacker could measure the time it
takes to encrypt or decrypt data and use this information
to recover the encryption key.
• Power Analysis Attacks: An attacker could measure
the power consumption of the computer during the
encryption or decryption process and use this
information to recover the encryption key.
• Electromagnetic Attacks: An attacker could measure
the electromagnetic emissions of the computer during
the encryption or decryption process and use this
information to recover the encryption key.
D. Brute-Force Attacks
A brute-force attack is a type of attack in which an attacker
tries all possible combinations of a password or encryption key
until the correct one is found. Brute-force attacks can be very
time-consuming, but they can be successful if the password or
encryption key is weak.
VI. PRACTICAL TESTING AND EXPERIMENTATION'
A. Practical Testing and Experimentation
The author of the video on BitLocker bypass attack conducts
practical tests and experiments to evaluate the effectiveness of
BitLocker's security features and to demonstrate the TPM
bypass attack. These tests and experiments involve setting up
test environments, simulating attacks, and analyzing the results
to identify potential weaknesses.
B. Test Environments
The author sets up several test environments to simulate
different scenarios and configurations. This allows to test the
effectiveness of BitLocker's security features in different
situations, such as when a computer is booted from a USB drive
or when the TPM chip is disabled.
C. Simulated Attacks
The author simulates various attacks on BitLocker, including
brute-force attacks, side-channel attacks, and hardware attacks.
These attacks are designed to test the strength of BitLocker's
encryption algorithms and key management mechanisms.
D. Analysis of Results
This analysis includes examining the time it takes to break
BitLocker's encryption, the resources required to carry out the
attack, and the impact of the attack on the integrity of the data.
E. TPM Bypass Attack Demonstration
This demonstration shows how an attacker can use a simple
and inexpensive hardware device to extract the encryption key
from a computer's TPM chip. This demonstration is used to
highlight the vulnerability of BitLocker to this type of attack.
The practical testing and provides strong evidence to support
the argument that BitLocker can be bypassed using a relatively
simple and inexpensive attack.
VII. HARDWARE AND SOFTWARE COMPONENTS
A. Hardware Components:
1) TPM Bypass Attack:
• Raspberry Pi 3 Model B+
• Bus Pirate v3.6
• Dupont wires
• Soldering iron
• Solder
2) Boot Process Attack:
• USB flash drive
• Rufus software
• A bootable Linux distribution
B. Software Components:
1) TPM Bypass Attack:
• TPM2-Tools
• Python
4. Read more: Boosty | Sponsr | TG
• Scapy
C. Boot Process Attack:
• GRUB Customizer
• Syslinux
D. Detailed Explanation per the Attack:
1) TPM Bypass Attack:
• Hardware Setup: Connect the Raspberry Pi to the
computer's TPM header using the Dupont wires.
• Software Setup: Install TPM2-Tools, Python, and
Scapy on the Raspberry Pi.
• Extract the Encryption Key: Use TPM2-Tools to
extract the encryption key from the TPM chip.
2) Boot Process Attack:
• Create a Bootable USB Drive: Use Rufus to create
a bootable USB drive with a Linux distribution.
• Modify the Bootloader: Use GRUB Customizer to
modify the bootloader on the USB drive to load a
malicious version of BitLocker.
• Boot from the USB Drive: Boot the computer
from the USB drive.
• Decrypt the Hard Drive: The malicious version of
BitLocker will decrypt the computer's hard drive.
E. Steps to extract the bitlocker key
• Connect the Raspberry Pi to the computer's TPM
header. Use the Dupont wires to connect the
Raspberry Pi's GPIO pins to the computer's TPM
header.
• Install TPM2-Tools, Python, and Scapy on the
Raspberry Pi. Follow the instructions provided by
the author in the video.
• Boot the Raspberry Pi.
• Run the following command to extract the
encryption key from the TPM chip: python
tpm2_extractkey.py -d /dev/tpm0 -o key.bin
• The encryption key will be saved to the file key.bin.
VIII. TPM SNIFFING
A. TPM Sniffing: Bootmgr Communicates with TPM in the
Clear
TPM sniffing is a technique that allows an attacker to extract
the BitLocker key from a TPM chip by monitoring the
communication between the boot manager and the TPM chip.
This is possible because the boot manager communicates with
the TPM chip in the clear, meaning that the communication is
not encrypted.
B. Purpose of TPM Sniffing
The purpose of TPM sniffing is to extract the BitLocker key
from a TPM chip. This key can then be used to decrypt the
BitLocker-encrypted drive.
C. How TPM Sniffing Works
TPM sniffing works by monitoring the communication
between the boot manager and the TPM chip. This
communication takes place over the LPC bus. An attacker can
use a hardware device to connect to the LPC bus and monitor
the data that is being sent between the boot manager and the
TPM chip.
The boot manager is a small program that is responsible for
loading the operating system. When the computer is turned on,
the boot manager is loaded into memory and it begins to execute.
The boot manager then loads the operating system into memory
and transfers control to the operating system.
During the boot process, the boot manager communicates
with the TPM chip. This communication is used to verify the
integrity of the boot process and to load the encryption key for
the BitLocker-encrypted drive.
An attacker can use a hardware device to connect to the LPC
bus and monitor the communication between the boot manager
and the TPM chip. This allows the attacker to extract the
encryption key for the BitLocker-encrypted drive.
D. denandz/lpc_sniffer_tpm
The LPC Sniffer TPM is an open-source project that was
used to extract BitLocker VMK keys by sniffing the LPC bus
when BitLocker was enabled in its default configuration.
The LPC Sniffer TPM is a hardware device that can be used
to extract the BitLocker key from a TPM chip by sniffing the
communication between the boot manager and the TPM chip.
The device connects to the LPC bus and monitors the data that
is being sent between the boot manager and the TPM chip.
1) Features of the LPC Sniffer TPM
• I/O read and writes
• Memory read and writes
• Sync errors
2) How to Use the LPC Sniffer TPM
• Modify the EEPROM of the FTDI and enable OPTO
mode on Channel B.
• Program lpc_sniffer.bin into your ice40 by iceprog
lpc_sniffer.bin.
• Connect the LPC bus.
• Extract LPC data: python3 ./parse/read_serial.py
/dev/ttyUSB1| tee outlog.
• Extract key from data: cut -f 2 -d' outlog | grep '2...00$'
| perl -pe 's/.{8}(..)..n/$1/' | grep -Po
"2c0000000100000003200000(..){32}".
3) Additional Information
• The LPC Sniffer TPM is an open-source project.
• The project was used to extract BitLocker VMK keys by
sniffing the LPC bus when BitLocker was enabled in its
default configuration.
5. Read more: Boosty | Sponsr | TG
IX. CONSEQUENCES OF THE ATTACK
The consequences of the attack discussed in the video are
severe and far-reaching:
• Data Loss: The attack allows attackers to decrypt and
access the data on the victim's computer, including
personal files, financial information, and business
secrets. This can lead to significant financial losses,
reputational damage, and legal liability for the victim.
• Malware Infection: Attackers can use the attack to
install malware on the victim's computer, such as
ransomware, spyware, or botnets. This can give the
attackers remote control over the victim's computer,
allowing them to steal data, launch attacks on other
systems, or spy on the victim's activities.
• Denial of Service: The attack can be used to deny
service to the victim's computer, preventing them from
accessing their data or using their computer for work or
personal purposes. This can lead to lost productivity,
financial losses, and reputational damage for the victim.
• Compromise of Sensitive Information: The attack can
be used to compromise sensitive information, such as
government secrets, military plans, or corporate trade
secrets. This can have serious consequences for national
security, public safety, and economic stability.
X. COUNTERMEASURES
There are several countermeasures and recommendations to
mitigate the identified vulnerabilities and improve the overall
security of BitLocker, including:
• Using a Strong BitLocker Password: A strong
password makes it more difficult for an attacker to brute-
force the encryption key.
• Enabling Additional Security Features: BitLocker
offers several additional security features, such as two-
factor authentication and secure boot, that can help to
protect against attacks.
• Keeping the Computer's Operating System and
Software Up to Date: Software updates often include
security patches that can help to protect against
vulnerabilities.
• Using a Hardware-Based TPM Chip: Hardware-
based TPM chips are more secure than software-based
TPM chips.
A. Preventing TPM Sniffing
There are a few things that can be done to prevent TPM
sniffing, including:
• Enable BitLocker's "TPM-only" mode. This mode
requires the TPM chip to be present and functional in
order to decrypt the BitLocker-encrypted drive. This
makes it much more difficult for an attacker to extract
the BitLocker key from the TPM chip.
• Keep the computer's operating system and firmware
up to date. This will help to protect against
vulnerabilities that could be exploited by an attacker to
gain access to the LPC bus.
• Use a strong password or passphrase for the
BitLocker encryption key. This will make it more
difficult for an attacker to brute-force the encryption
key.