BSidesVienna 0x7E6
What does the DNS have in common with an iceberg? Both are hiding invisible dangers! Beneath an iceberg there is... even more ice hiding; beneath the DNS, however, unexpected vulnerabilities are hiding!
If you want to resolve a name via DNS, there are multiple open DNS resolvers all across the Internet. A very commonly used open DNS resolver is Google's resolver with the IP address 8.8.8.8. However, not every system is using such an open resolver. Hosting providers, ISPs and the like often use resolvers that are not directly accessible from the Internet. These are the so-called "closed" resolvers.
In my previous research "Forgot password? Taking over user accounts Kaminsky style" I unearthed critical vulnerabilities in DNS resolvers of web applications, but I hadn't given a second thought to the fact that these web applications were most likely using closed resolvers. So, this time I took a look at the root of the problem!
In this talk, we'll take a look at how we can indirectly access these closed resolvers from the Internet. Furthermore, I'll introduce open-source tools and methods to discover vulnerabilities in them. How we can attack these closed resolvers and potentially compromise thousands of systems will lastly be shown in a proof-of-concept exploit.
Logrotate is prone to a race condition on systems with a log directory that is under the control of a low-privileged user. This talk shows how easy it is to use logrotate in a dangerous way and illustrates the impact of this vulnerability. Finally, the current state of logrotate will be discussed.
A brief introduction to the world of InfoSec charlatans - from KimDotCom to JonathanData. Why it's important to expose them - and how you can do it. This talk not only covers historical charlatans, but also teaches common techniques and behaviors of fraudsters. It also explains why it is important to expose such fraudsters.
Windows 11 ships with a nifty feature called Power Automate Desktop, which lets users automate mundane processes. In a nutshell, users can build custom processes and hand them to Microsoft, which in turn ensures they are distributed to all user machines and executed successfully, and reports back to the cloud. You can probably already see where this is going...
In this presentation, we will show how Power Automate Desktop can be repurposed to power malware operations. We will demonstrate the full cycle of distributing payloads, bypassing perimeter controls, executing them on victim machines and exfiltrating data. All while using nothing but Windows baked-in and signed executables, and Office cloud services.
We will then take you behind the scenes and explore how this service works, what attack surface it exposes on the machine and in the cloud, and how Microsoft managed to enable it across their customer base without explicit user consent. We will also point out a few promising future research directions for the community to pursue.
Finally, we will share an open-source command line tool to easily accomplish all of the above, so you will be able to add it into your Red Team arsenal and try out your own ideas.
Governments, email vendors, social media websites, and even your favorite food recipe forum require account registrations where you pass your secret, often reused, password over insecure channels riddled with sniffing agents, subjecting your online identity to theft, data breaches, and a whole bag of privacy concerns.
This doesn't need to be the case. With the massive explosion of fast, secure, and privacy-preserving cryptographic protocols, your credentials need never leave your device, and websites don't need to store your passwords for authentication to complete.
In this talk, I'll introduce zero-knowledge password protocols, a well-established field of cryptography that puts privacy first, and demo a full implementation of such a protocol live.
Hey You! Get off my Satellite!
Abstract:
There are many components and systems that may be targeted in a space system by adversaries, including ground station systems and satellites. In this presentation we will discuss ideas for providing cyber resiliency in zero gravity. Both theoretical and real-world examples of cybersecurity issues concerning satellite systems will be covered. This presentation will step through attack trees for targeting satellite systems. Recommendations and best practices for securing satellite systems will be discussed. In addition, new ideas that industry is currently developing for improving the cyber resiliency of space systems will be presented.
Electronic Shelf Label (ESL) tags are increasing in popularity. More and more stores switch their price tags to digital ones for various reasons, such as competing with online wholesalers.
In this talk, we present our analysis of the 433 MHz connection of a popular ESL tag, in which we identified multiple security flaws that allowed us to spoof the RF signal and display arbitrary content on the displays. Furthermore, we discovered the original manufacturer of the microcontrollers labeled "E-Tag".
This talk will give an overview of analyzing unknown hardware with an unknown RF protocol without any prior published research to build on.
Exfiltration and command and control are essential parts of the adversary's kill chain. One of the primary goals of a malicious adversary is to exfiltrate data from an environment undetected and uninterrupted.
As a result, several attackers have opted for third-party services that are typically sanctioned for use in most enterprises. The accepted status of such applications, coupled with an established developer ecosystem, makes services such as Slack and Telegram their exfiltration and command-and-control tools of choice.
We have observed the usage of Telegram in different types of malicious activities, including but not limited to ransomware, phishing, remote access trojans and stealers. We will discuss active samples found in the wild with a particular emphasis on stealers. Stealers are a class of malware primarily interested in gathering information on a host. Recent examples of Telegram use in stealers include the Lapsus$ compromise of major enterprises such as Microsoft, Okta, and Nvidia. Stealers are particularly interested in credentials and information related to financial assets (fiat and crypto), for example:
- Saved passwords
- Cryptocurrency wallets
- Credit cards
- Files from personal directories
- Direct messaging application sessions (Telegram, WhatsApp, etc.)
- OS information
- Machine credentials
- Geolocation
- Screenshots (in some cases a live webcam view)
Our discussion will cover the exfiltration and detection evasion techniques on different platforms, including but not limited to Windows, macOS, and Android. Building on this point, we show how malware-as-a-service provides easily accessible kits to both entry-level and sophisticated malicious actors, thus reducing entry barriers, particularly in the stealer and ransomware community.
In our analysis, we observed a varied level of attacker operational competency. Attackers falter in several stages of the attack process, and we discuss some of their shortcomings and the best practices when it comes to using Telegram.
The techniques we discuss include:
- Correlating attacker identity to the real world
  - Image correlation
  - Username correlation
- Message interception via
  - Updates
  - WebHooks
Throughout the talk, we provide several samples that use Telegram as an exfiltration vector and had one or no detections in VirusTotal. The absence of detections underscores the importance of building an enterprise that is aware of the shortcomings of vendor security products as well as open-source intelligence sources. We also provide detections and common patterns we see associated with samples in this space.