BruCON 0x0E

The industry has come a long ways in a short time in regards to understanding attack patterns and the ability to defend organizations. In 2011, David gave a talk on Adaptive Penetration Testing at DerbyCon and how we needed to understand an organization and craft our attacks based on the defenses of the organization for high levels of success. This talk went into how attacker methodologies would evolve over time and focus more on targeted attack vs. mass commodity In 2011, organized crime really hadn’t kicked off or had the high level of success it does today. When we look at the defenses we have – its through crowd sourcing breach data, various TTPs, and building defenses against known attacks. In this talk, we’ll dive into how adversaries capabilities ranging from novice to some of the most advanced that have adapted their techniques and what to expect on the horizon. This talk will dive into what we need to do to evolve to our next level, and most importantly how to build better defenses that aren’t heavily reliant on previously identified attacks.

Between Agile, DevOps, and infrastructure as code, development is happening faster than ever. As a security team, it can be tough to keep up. How can you help empower your engineering counterparts to ship software quickly and securely?

An increasingly popular answer is secure defaults - make it easy to do the secure thing, and hard to do the insecure thing, whether that’s parsing XML files, interacting with the database, authorization, or any other security-relevant functionality.

Done properly, secure defaults (also called “guardrails” or building a “paved path”) can effectively eliminate classes of vulnerabilities from ever occurring in the first place, effectively scaling your security team. The power of secure defaults have been praised by established companies like Netflix, Google, Facebook, and Microsoft as well as rapidly growing mid-sized companies and even start-ups.

Security maturity frameworks such as BSIMM, OWASP SAMM and NIST SSDF indicate that the most mature and efficient security programs will tailor these secure defaults to their organization. Many security tools allow such customization, but they are not all created equally. With Semgrep creating custom rules is done in a simple YAML format and the first rule can be written within several minutes.

This workshop will teach you:
• Why the current approach to software security is not working to reduce vulnerabilities
• Why developers should be considered early and often in the SDLC
• How a paved security path for developers can create a higher standard of secure code, without compromising speed of delivery
• How to enforce security best practices unique to your organization (for the workshop we will be using the open source static analysis tool Semgrep)

This workshop will be part big picture ideas and best practices, and a lot of hands on examples and demos. You’ll leave with some insights, open source tools, and actionable tips to get started immediately.

Strings analysis consists of extracting readable strings from binary files. It's a simple reverse-engineering technique, applicable to malware analysis too.
And although a lot of malware is obfuscated, strings analysis can still be valuable.
For example with sophisticated Excel 4 macros, that employ complex string obfuscation to hide the URL from which they download their payload. In these documents, the cleartext URL can be cached and easily retrieved.

Didier Stevens has developed several tools to help with strings analysis, because it is a simple technique that everyone can learn.
That's the advantage of strings analysis: it's a simple technique, that can easily be explained and understood.
The disadvantage: if the strings are obfuscated, we can try some simple tricks to deobfuscate them (like with tool xorsearch), but that's as far as it goes.
There is a lot to learn about strings analysis. For example, how to Pascal strings in malware written in Delphi.

In his typical style hands-on no BS-style, Didier Stevens will lead the participants through many exercises, learning to discern meaningful strings. Because with strings analysis, the problem is not extracting strings, but detecting the strings that are meaningful in the context of the analysis.

For this workshop, Didier Stevens is also working on new and updated tools to facilitate strings analysis.

As usual, this workshop is 100% hands-on. Just a few slides, many exercises.

In the last few years, a slew of high-profile, most critical remote code execution vulnerabilities have been found, disclosed and then promptly exploited en-masse against the category of networking hardware known as load balancers. These devices primarily serve to distribute traffic across server farms & offload SSL processing; they cost between $40k-$250k per device and are largely viewed as black box systems due to restrictive licensing, proprietary hardware and a lack of transparency from the vendors into the guts of the systems. They run at the borders and cores of most cell carriers, banks, Fortune 500 companies, ISPs and some cloud providers.

Since many of these devices function not only to balance traffic, but as VPN concentrators, WAFs and SSL proxies, they are generally installed in high-access parts of the network. Due to their mission criticality, they also frequently run outdated vendor code and, even worse, the Linux/BSD based operating systems they use are generally numerous versions behind current and due to the proprietary nature of their code, one does not simply 'apt get upgrade -y'. Since they all run Linux/BSD as the management OS, once you've breached one with an 'exploit that fits in a tweet' the environment is ripe for lateral movement, persistence and further exploitation using commonly available open source tools.

In this talk, I will lean on a decade of experience working for one of the most prominent load balancing vendors and teach you the architecture, how the devices operate, how they're deployed, what their management plane looks like and the access it affords you post-breach. You will also learn how to avoid common mistakes which can interrupt traffic processing, trigger device failures and otherwise give away your presence on the system. While this talk will focus on a specific architecture, all vendors use essentially the same design concepts so the information is applicable across most platforms. Additionally, armed with an understanding of the designs you'll be able to use freely available vendor documentation to hone & tune your post-exploitation shenanigans across other load balancing products.

While this talk is primary aimed at offensive operations, the information provided can also be leveraged by defenders to harden their environments and provide guidance on DFIR operations post-breach.

The domain name system, or DNS, is a critical component of the Internet ecosystem we use. Almost every single transaction and connection from email to online commerce makes use of DNS as an initial  a fundamental step. While the primary purpose in the eyes of the public is to mask the complexities of host addressing, it’s use has evolved to be critical for a whole lot more – one of the oldest and arguably the second most important component being its foundation for email delivery though the use of MX records.  In recent years we have seen the introduction and gradual adoption of several security measures rooted within and implemented by extending the DNS protocol.  These include DNSSEC, SPF, and more recently CAA. In essence the global domain Domain Name Systems should be regarded as critical infrastructure. However, for many organisations, especially those reliant on hosting providers, ISPs or MSPs, despite the requirement for functional DNS, the deployment and operation of the servers (as outlined in RFC 2182) and associated domain zones, are often neglected. This may be due to the ‘care and feeding’ been seen as 'too complex', mundane or unexciting in comparison to more exciting areas with ‘Cyber operations’ such as Threat Intelligence, Malware Analysis and ML/AI based security solutions.  The irony is these all have a strong dependence on DNS!

This talk has a dual focus initially presents an overview of the state of DNS operations for several ccTLD’s and in comparison, with top domains globally. A concern worth raising particularly considering the Global sanctions on the Russian Federation is to consider – where is ones DNS hosted physically and logically, and who has control? An evaluation of risk, particularly the dependency on key providers (for example about a third of the .no domains surveyed are hosted by a single provider), as well as adherence to good practice is presented.

The secondary part of the talk presents several short case studies of the adoption rate of security functionality (primarily the adoption of DNSSEC and CAA records) within and offered by DNS for ccTLDs investigated. As appropriate these are compared with adoption rates in neighbouring ccTLDs.
From the research undertaken a number of key operational and risk management principles and associated tests are offered with a specific focus on smaller organisations to enable better compliance with current best practice.

The research was undertaken using domain lists constructed and gathered from various public sources. These were then queried over a period in March to May 2022.

Securing Industrial Control Systems from cyberattacks often starts by properly segmenting the network, securing remote accesses and overall focusing on traditional  “IT” cybersecurity measures. However, we can also leverage existing technology to detect and protect from cyberattacks.
The Top 20 Secure PLC Coding Practices (www.plc-security.com) is a community-led effort to identify best practices in Programmable Logic Controllers (PLC) code development that improve cybersecurity.
In this workshop, you will learn how to program a PLC and connect it to a SCADA system. You will then perform attacks on this system and finally implement a sample of the TOP20 coding practices to block or detect such attacks.
You will be provided with access to cloud VMs preconfigured with a SCADA software as well as a PLC simulator. Some demonstrations will also be performed on-site on real hardware PLCs.

The workshop is accessible to anyone, even with no prior ICS experience.

The SpaceX operated Starlink low Earth orbit satellite constellation aims to provide satellite internet coverage to the whole world. The widespread availability of Starlink User Terminals (UT) exposes them to hardware hackers and opens the door for an attacker to freely explore the network.
The recent Viasat attack demonstrates a need for satellite communication security and the impact security vulnerabilities can have on UTs that are often deployed in isolated locations.

This presentation covers the first black-box hardware security evaluation of the SpaceX Starlink UT. The UT uses a custom quad-core Cortex-A53 System-on-Chip (SoC) that implements verified boot based on the ARM trusted firmware (TF-A) project. The early stage TF-A bootloaders, and in particular the immutable ROM bootloader include custom fault injection countermeasures. Despite the black-box nature of our evaluation we were able to bypass firmware signature verification during execution of the ROM bootloader using voltage fault injection.

Using a modified second stage bootloader we could extract the ROM bootloader and eFuse memory. Our emulation based analysis demonstrates that the fault model used during countermeasure development does not hold in practice. Our voltage fault injection attack was first performed in a laboratory setting and later implemented as a custom printed circuit board or 'modchip'. Our attack results in an unfixable compromise of the Starlink UT and allows us to execute arbitrary code.

The ability to obtain root access on the Starlink UT is a prerequisite to freely explore the Starlink network. This presentation will cover an initial exploration of the Starlink network and provides some details on the communication links. Other researchers should be able to build on our work to further explore the Starlink ecosystem.

The documented attacks were performed within the scope of the SpaceX Bug Bounty program and were responsibly disclosed.

Microsoft Defender for Identity (MDI) is a service that protects on-premises Active Directory identities. MDI analyses network traffic, Windows events, SIEM/Syslog and ETW data on DCs and/or AD FS servers to create user profiles and behaviour baselines that used to detect deviations from baseline and anomalies. MDI can generate alerts across phases of an attack "kill chain" - Reconnaissance, Compromised credentials, Lateral Movements, Domain Dominance and Exfiltration.

MDI detects popular attacks like Kerberoasting, AS-REP roasting, Pass-the-hash, Pass-the-ticket, Overpass-the-hash, Brute Force, DCSync, DCShadow, Golden Ticket, Remote code execution and more.

This talk focuses on TTPs that Red Teams can use to avoid generating anomalies that trigger detections. We will execute high impact attacks across the kill chain with precision to bypass or avoid MDI instance that has sensors configured and enriched in our target environment. Behold the 0wning of on-premises identities!

In recent years companies and Microsoft have increased hardening against malicious Office documents. Hence, we started a quest for unexplored Office features that could be abused for phishing. After various research directions, we identified “code side-loading in signed documents” as an innovative approach for phishing.

We identified vulnerabilities in various Microsoft signed Office add-in’s and believe that there are many more unidentified. For example, the MS Office installation comes with signed Microsoft Analysis ToolPak Excel add-ins (.XLAM file type) which are vulnerable to multiple code injections (CVE-2021-28449). An attacker can abuse the provided file (LOLFile) and embed malicious code without invalidating the signature for use in phishing scenarios.

This presentation will cover the process of finding, exploiting and weaponising this class of vulnerabilities and the complexities in mitigations.

What does it mean to be a cyberdefender ?
What’s the true nature of the job ?

We’re going to talk about how we deal with cyberattacks in an organization, how do we manage all their impacts, and what it means to you and me as cyberprofessionnals.

In this workshop, SANS instructor Jean-Francois Maes is going to walk over several tactics on how to compromise organizations from the inside.
Let Jean-Francois guide you on how AD authentication works and how an inside threat can abuse the flow to establish a foothold and potentially escalate privileges.
This workshop will use 3 virtual machines, which cannot be deployed to the cloud so make sure to bring a beefy enough laptop that is able to run three VMS in tandem!

This workshop will cover:
- Introduction to AD authentication (NTLM + Kerberos)
- using responder and impacket to capture credentials and relay them
- Active Directory Certificate Services
- Shadow Credentials

Strings analysis consists of extracting readable strings from binary files. It's a simple reverse-engineering technique, applicable to malware analysis too.
And although a lot of malware is obfuscated, strings analysis can still be valuable.
For example with sophisticated Excel 4 macros, that employ complex string obfuscation to hide the URL from which they download their payload. In these documents, the cleartext URL can be cached and easily retrieved.

Didier Stevens has developed several tools to help with strings analysis, because it is a simple technique that everyone can learn.
That's the advantage of strings analysis: it's a simple technique, that can easily be explained and understood.
The disadvantage: if the strings are obfuscated, we can try some simple tricks to deobfuscate them (like with tool xorsearch), but that's as far as it goes.
There is a lot to learn about strings analysis. For example, how to Pascal strings in malware written in Delphi.

In his typical style hands-on no BS-style, Didier Stevens will lead the participants through many exercises, learning to discern meaningful strings. Because with strings analysis, the problem is not extracting strings, but detecting the strings that are meaningful in the context of the analysis.

For this workshop, Didier Stevens is also working on new and updated tools to facilitate strings analysis.

As usual, this workshop is 100% hands-on. Just a few slides, many exercises.

Only a few times in history we have seen publicly documented malware developed to target industrial control systems (ICS). Over ten years ago STUXNET impacted Iranian nuclear centrifuges. Then INDUSTROYER turned off electric power in Ukraine and TRITON targeted the safety systems from a critical infrastructure organization. Today, a couple years later, we ran into INCONTROLLER.

INCONTROLLER is a set of novel ICS- oriented attack tools built to target specific Schneider Electric and Omron devices that are embedded in different types of machinery leveraged across multiple industries. The tools – which are very likely state-sponsored – represent an exceptionally rare and dangerous cyber-attack that contains capabilities related to disruption, sabotage, and potentially physical destruction. In this talk I will present our analysis of INCONTROLLER, its components, attack scenarios, and the implications for defenders.

Encrypting sensitive data at rest has always been a good idea, especially when storing it on small, portable devices like external hard drives or USB flash drives. Because in case of loss or theft of such a storage device, you want to be quite sure that unauthorized access to your confidential data is not possible. Unfortunately, even in 2022, "secure" portable storage devices with 256-bit AES hardware encryption and sometimes also biometric technology are sold that are actually not secure when taking a closer look.

In this presentation, I will talk about how a customer request led to further research resulting in several cryptographically broken "secure" portable storage devices. This research continues the long story of insecure portable storage devices with hardware AES encryption that goes back many years. With this presentation, I want to raise the awareness of security issues and practical attacks against vulnerable "secure" portable USB storage devices, and tell an interesting story.

How do anti-debug tricks actually work? Is there a way to automate tedious debugging tasks like unpacking malware? Have you ever wondered what is happening under the hood of a debugger?

In this workshop you will build your own programmable Windows debugger from scratch (using Python). Each component in the debugger will be built as a separate module with an accompanying lab used to explain the concepts and Windows internals that support the component. In the final lab you will have the chance to test your new debugger against various malware samples and attempt to automatically unpack them, and extract IOCs.

This workshop is aimed at malware analysts and reverse engineers who are interested in learning more about debuggers and how programmable debuggers can be used to automate some reverse engineering workflows. Students must be able to write basic Python scripts, and have a working knowledge of the Windows OS.

You will be provided with a VirtualMachine to use during the workshop. Please make sure to bring a laptop that meets the following requirements.
- Your laptop must have VirtualBox or VMWare installed and working prior to the start of the course.
- Your laptop must have at least 60GB of disk space free.
- Your laptop must also be able to mount USB storage devices. (Make sure you have the appropriate dongle if you need one.)

The cyber threat intelligence (CTI) analyst role is arguably the most recent entrant to emerge under the cyber security career tracks with the job role, responsibilities, and skill requirements wide ranging and not well understood by organization leadership or cyber security peers. During this talk, we use the newly developed, open sourced, Mandiant Cyber Threat Intelligence (CTI) Analyst Core Competencies Framework, which outlines the predicate knowledge, skills, and abilities requirements for analysts to aptly support organizational risk exposure reduction initiatives.

We unpack the significant overlaps that exist between those in a cyber threat analyst's role and the other cyber security disciplines defined by NIST SP 800-181 to provide the groundwork for threat hunters, incident responders, red teamers, and others to understand how to optimize collaboration and support received from cyber threat intelligence analysts. We highlight the overlaps by examining the Framework's identifies 4 underpinning pillars--Problem Solving, Professional Effectiveness, Technical Literacy, and Cyber Threat Proficiency--with a distinct focus on how acute knowledge of cyber adversary operations can empower hunters and red teams to properly perform adversary emulation when testing the security posture of an organization.

We conclude by discussing how organizations can use this framework as a guidepost to grow and shape their CTI programs; ensure proper knowledge, skills, and ability coverage commensurate to support organizational cyber security elements; and to inform future training and hiring decisions.

Just like many organizations, we are ingesting Threat Intelligence from a number of different sources. Very frequently however, we notice that the data received is lacking context or generates a lot of false positives (which in turn causes alert fatigue). In this talk we would like to demonstrate how we achieved to get around this problem by setting up a MISP ecosystem backed by a number of automation scripts and processes that support us in the curation and contextualization of individual events.

This dedicated MISP ecosystem consists of multiple MISP instance and ZeroMQ scripts. In conjunction with the extensive use of the MISP tagging features and workflow procedures, we were able to set up a curation process that not only saves us a lot of time, but also provides a clean feed of directly actionable threat intelligence. A happy side effect of this setup was that it allowed us to instill a full TI feedback loop between the SOC, Incident response team and our malware analysts.

Attendees will learn how we at NVISO have set up a functional MISP architecture and operational curation process. The attendees will then be able to duplicate this setup in their own organization to ensure an optimal threat intelligence feedback loop and workflow.

In a series of events that began in March, 2022, Sophos learned of the bug designated CVE-2022-1040, and discovered that two different APT groups were exploiting the devices to install malware, and exfiltrate sensitive information. It's unclear whether the two groups were coordinating their efforts.

The exploit combined two separate vulnerabilities - an authentication bypass bug, and a command injection bug - that would have required the attacker to have deep knowledge of not-publicly-disclosed APIs and opcodes that are integral to the functioning of the devices. Using these bugs, the attackers launched a chain of commands that resulted in a few different malware families being introduced into the devices.

One APT group deployed two common malware families onto the exploited devices - GoMet and Gh0st RAT - while the other opted to create a bespoke ELF executable malware specifically for the purpose of conducting espionage on the owners' networks. The attackers also hijacked system services and processes running on the devices to listen for, and respond to, specially crafted PING packets, which do not occur "in nature" and, if received by an infected device, would open a reverse shell back-connection to an IP address of the attacker's choosing.

In this talk we will discuss the technical details of the exploit, the technical details about the common and uncommon malware they deployed, and the techniques and procedures used by the APT actors to evade detection and blend in to their network surroundings.