The Tick group, also known as Bald Knight, Bronze Butler, Nian, and RedBaldKnight, is a threat actor whose main targets are institutions and companies in Korea and Japan. This group became known in 2016 although it first engaged in attacks on Korea in 2008. The group was first confirmed to be active in 2014.

The Tick group has used various malware, such as Bisodown (Homam), Gofarer, Daserf, NetBoy(Invader), Xxmm, and Datper, for more than 10 years, and various security vendors have reported on this group's activities, malware, and malware builders.

The activities of this group in Japan have been researched and disclosed to some extent, but not as much as their attacks on another main target, Korea. While there are common characteristics in the attack methods, malware, and techniques used for the attacks in Korea and Japan, there are certainly differences. The attacks on the countries shared the same method of creating large files tens or hundreds of megabytes in length when generating malware files in an attempt to bypass security programs. However, it has also used different strategies for each country, such as by exploiting the vulnerabilities of an asset management software widely used in Japan and targeting a secure USB drive in Korea.

In this presentation, I will talk about the Tick group's attack vectors, major activities in East Asia with a focus on Korea, the characteristics of their malware, and its techniques for bypassing security programs. I will also share some new information about them that was mistakenly exposed by the group through various internal tools. I believe that sharing information is essential for minimizing future damages so today, I will share with you my findings with a focus on Korea.

-------------------

[Comments]

My paper can be found here.

https://asec.ahnlab.com/1216 (Korean)
https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?curPage=1&menu_dist=2&seq=28186 (Korean)

Sorry, my paper has not been translated into English.

The attached slides (draft version) contain Korean.

Attacks on IVR-systems and Call-centers were discussed at some conferences (PHDays, DeepSec 2018). I will show during this talk, how those attacks look in 2019. Some companies tried to prevent these attacks, some new targets and vectors become more popular and interesting (for example, IoT devices).

Those attacks do not change in general: attacker makes a call with spoofed Caller ID (phone number) and performs different actions to bypass authorization.

I will tell about several changes:

* Banks trying to mitigate those attacks. Different methods will be discussed (some are effective, some are insecure). Also, we will discuss fake protection: situation, when the bank tried to do something, that looks secure, but hackers can still bypass it.

* Some banks presented voice recognition systems this year. In general, it looks like advanced IVR-system. I will tell about the main problems and attacks methods.

* Attacks on mobile operators: some dangerous problems still exist here (like attack, that allows to spend money from user's account or get private information), but operators try to prevent spoofed calls. I will tell about attacks on different systems and effective methods, which should be considered.

I will tell about new things:

* Brute force attacks on IVR systems. I will tell in details when it can be effective. Different brute force methods will be considered.

* Using mistakes of employees for effective attacks:
* * When using mistakes can be effective? For example, if an attacker knows only a part of data, which is necessary for the authorization, he can try to call again and again, while new employees will make a mistake and accept this data.
* * Typical mistakes. Employee forgets to ask something (practical case: employee of one bank forgot to ask authorization data and forward me to an automatic line to set new pin-code). Employee changed authorization questions or decided, that some questions are not necessary. The employee regretted the client and made the authorization.
* * "Uncommon situation" attack: the employee can do more mistakes when a user asks something uncommon.
* * When an attacker can expect mistakes? How to protect the company from these mistakes?

* "Call again" attack: an attacker can make call after call which was made by a legitimate user with proper authorization. And try to bypass authorization with something like "Hey, I just called you and forgot to ask...". In several practical cases, it allowed me to bypass authorization.

* Financial attacks: an attacker can make company spend money for paid actions (like sending SMS) via IVR in some cases. If a criminal can make a company send thousands of SMS, it will cause direct financial harm.

* Also, an attacker can enable paid subscriptions via IVR in some cases. It can cause problems and financial harm for the user.

* Attacks on IoT: it is a big new chapter. Some IoT devices (like GSM-alarms, smart homes controllers and industrial GSM-control systems, access control systems) allows to control them with calls. They use small IVR menu with DTMF-commands. In some cases, an attacker can perform different attacks on these devices. Some results of effective attacks:
* * GSM-alarms: an attacker can change settings, disable and enable security mode, add new control phone numbers, listen to an environment.
* * Smart homes control systems: an attacker can switch off and switch on devices, get information, listen to an environment.
* * Industrial GSM-control systems: an attacker can switch off and switch on different industrial systems.
* * Access control systems and locks: an attacker can open doors.
* * Smartwatches for kids: an attacker can send fake messages, make fake calls from parents, get location, listen to an environment.

If it is possible, I will show some attacks in practice (I expect to attack IoT-device).

Deep learning is a must for cybersecurity especially today when the sheer volume of diverse morphing threats crush us every second. Despite the overwhelming interest, the cybersecurity world has been quite frustrated with the lack of information in how to apply this Pandora's box to our problems. A bunch of conference presentations and conceptual academic papers barely help us in developing our own deep learning based detection engine. We don't know how to feed the samples to our model, how to analyse the data, what model we need to use, how to debug a model, and whether deep learning even works for our malware sample set! We have never seen how a deep learning researcher from a cybersecurity firm does suffer, fail, learn, grow tall, and finally stand up and declare a triumph. It takes a great length for a security software engineer to go through all this uncharted territory.

In this demo-driven session, you will witness a whole development process and its back story of a working deep learning model for malware outbreak detection, which involves feature transformation, internal model inspection through gradient tracking, neural signature development using semantic hashing, use of the state of the art neural network, debugging math with visualisation, and the deepest agony you want to dodge in every possible way.

The following is an excerpt of the related paper, 'Generative Malware Outbreak Detection', published at IEEE ICIT 2019.

Abstract—Recently several deep learning approaches have been attempted to detect malware binaries using convolutional neural networks and stacked deep autoencoders. Although they have shown respectable performance on a large corpus of dataset, practical defense systems require precise detection during the malware outbreaks where only a handful of samples are available. This paper demonstrates the effectiveness of the latent representations obtained through the adversarial autoencoder for malware outbreak detection. Using instruction sequence distribution mapped to a semantic latent vector, the model provides a highly effective neural signature that helps detecting variants of a previously identified malware within a campaign mutated with minor functional upgrade, function shuffling, or slightly modified obfuscations. The method demonstrates how adversarial autoencoder can turn a multiclass classification task into a clustering problem when the sample set size is limited and the distribution is biased. The model performance is evaluated on OS X malware dataset against traditional machine learning models.

I. Introduction
Statically identifying malware has been the most viable approach when timely detection is critical. This is especially true under current threat environment where malware outbreaks became a daily routine. This paper considers static features for malware detection. Although malware packing problem [21] is crucial when reverse engineering the detailed functional characteristics of the malware is the objective, the surface level static features are sufficient to differentiate malware families from benign samples when the ultimate goal is solely the detection. Therefore this paper does not attempt to propose a method to unpack malware samples.
The observations in the malware battle forefront are malware mutates over time to bypass static signature based detection by upgrading its functions or applying new metamorphic (or obfuscation) techniques. The downside for attackers is this malware mutation requires their time and effort. Due to this development cost, minor tactical modification to the original malware code frequently occurs and arrives in the form of an outbreak while a major strategic code change rarely occurs across a longer period of time. This inevitably causes a similar pattern of instruction sequence either generated by a metamorphic engine or upgraded from previous functions. As a result, there appears a phenomenon typically seen for the instruction sequence of malware samples from a campaign as shown in Figure 1. The method in this paper will exploit the presence of this unique pattern of instruction sequence in the malware samples of a campaign whether or not it forms unpacking routine, metamorphic components, or pure functional modification.
Traditional machine learning algorithms such as SVM, Random Forest and Gradient Boosting commonly use metadata as features such as executable file header fields, n-gram of raw binary file and entropy of sections because they are optimised to work with independent sparse features. In the meantime, encoded high dimensional data such as sequence of program instructions constitutes the substantial body of a sample in malware detection context, which contains rich information of the sample's identity. Although several attempts utilised the instruction sequence as a feature [22][23][24][25], the n-gram reduction they performed simply throws away the sequence order information, leaving those approaches vulnerable to a trivial histogram matching attack [26]. However, adversarial autoencoder used in this paper, like many other deep learning models, fully takes advantage of the input samples with the sequence order retained. In this paper, we use the sequence of program instructions as a feature.
One critical aspect of malware outbreak detection is the scarce number of samples we can train with. The goal of this paper is not only detecting malware variants but also detecting them with extremely small number of samples captured at the very early outbreak as it should be in real world detection scenario. The method as well as various other machine learning models will be evaluated with this scarce training dataset setting.
This paper presents a novel method that detects similar malware samples with high accuracy on malicious samples and low false positives on benign samples, using a single sample of a kind for training with adversarial autoencoder. The techniques described in this paper are applicable to the other domains, such as IoT (Internet Of Things), that require well-generalised detection using a handful of malware samples.

II. Related Works
For binary malware classification, Saxe J [1] used fully connected layers with dropouts over handcrafted independent sparse features from the executable file. The approach does not deal with complex variations of metamorphism well especially when the changes occur globally within the sample let alone the binary classification significantly overfits over limited number of training samples. Li Y [2] recorded 92.1% accuracy over binary classification problem over KDDCUP'99 dataset using stacked RBM (Restricted Boltzmann Machine) autoencoder combined with softmax regression. Although it did not use layer-wise noises for autoencoder and the dataset consists of handcrafted sparse features, it demonstrated the efficacy of autoencoder. David OE [3] demonstrated the use of DBN (Deep Belief Network) for malware detection over a relatively fine-grained number of target classes. Dahl GE [5] tried to solve the most fine-grained malware classification problem using DBN using 136 malware family categories as output classes. However, it still used a sparse feature set. Using convolutional neural network, Davis [6] first adopted raw binary samples as features, which contains program code in it. However the binary distribution of a malware outbreak can significantly vary depending on the packed code and data, and the layout of sections can change with little effort by the attacker. Using highly structured content such as an executable file as a sequence of raw bytes is less likely to generalize the distributions of a malware and its variants. Sean P [18] introduced a method to detect malware metamorphism using stacked de-noising autoencoder and semantic hashing on the features generated by Fourier transform applied to the program instructions. Although the method successfully captures intra-function metamorphism, no sample-wise similarity detection approach was suggested.
The majority of these approaches use a large dataset with the assumption that the dataset has unbiased distribution across different styles of samples. In addition, many approaches attempted to solve binary classification problem where samples are labelled in one of two classes. The proposed approach in this paper attempts to solve multiclass classification problem by leveraging unsupervised learning with no assumptions on the number of training samples and sample distribution.

III. Method
This section discusses features, dataset, model architecture, and training methods.

[Fig 1. Each row represents a per-sample feature, which is a sequence of instructions of a malware sample. Each normalised instruction is rendered as vertical bar with a unique color to differentiate between different instructions. X axis is the feature. Y axis is the sample number. ]

Features:
In modern days malware samples are automatically generated by a custom tool created by the attacker. It renders hard-coded static signature based detection obsolete. A run of automatic malware generation tool essentially creates a batch of the functionally same malware in a different look, which can involve different obfuscations [14][15] such as dead code insertion, register reassignment, code transposition and integration and control flow obfuscation. Nonetheless the observation is the distribution of the program instruction sequence remains relatively intact. Figure 1 shows three unique variants of MAC.OSX.CallMe family. The samples in Figure 1 are described below.
MAC.OSX.CallMe.A (3 samples)
MAC.OSX.CallMe.E (1 samples)
MAC.OSX.CallMe.F (1 samples)
As shown in Figure 1, MAC.OSX.CallMe variants have identical instruction sequence until a variation was introduced at approximately instruction 5250. Despite this variation it is visually clear that parts of instructions of sample 2 and sample 3 are merely shifted from the instructions of the rest of the samples. In short, the instruction sequences appear very similar to each other for these three MAC.OSX.CallMe variants. Visual analysis on the majority of malware families shows that program instruction sequence plays a significant role in identifying the variants during outbreaks.

Adversarial Autoencoder (AAE):
The model consists of two independent modules. Firstly the latent representation for the instruction sequence feature that is resilient to metamorphism is acquired by adversarial autoencoder. Then the class number for the latent representation is computed via HDBSCAN with predefined threshold.
Over the past few years, GAN (Generative Adversarial Network) [7] has successfully demonstrated its capability to understand the data distributions by generating realistic samples. The power of GAN primarily comes from its generative nature by jointly training the generator and the discriminator in a tight competitive loop. In a situation like malware outbreaks where a handful of samples are available, adversarial autoencoder is a natural choice so that the scarce number of training samples produce smooth approximated nearby distributions. The core architecture for malware outbreak detection in this paper is borrowed from the original adversarial autoencoder [8] (See Figure 3).

[Fig. 3. Adversarial autoencoder architecture used for malware outbreak detection. The input, x, and the reconstructed input, p(x) are instruction sequence feature.]

As one of the desired properties in malware outbreak detection is to identify relocated functions, the autoencoder used in the proposed model is a stacked convolutional autoencoder [10] to take advantage of translation invariant property of the architecture. This allows the model to capture the program instruction sequence in the presence of code transposition and integration metamorphism [14].
The input vector consists of sparse discrete symbols, which are difficult to train with stochastic gradient descent. Therefore we create an embedding lookup for the symbols, and let the model find the best representations for them during the training. This embedding layer nicely transforms 1D input vector to a 2D array, which can be fed as an input to this convolutional autoencoder. The reconstruction method based on cosine similarity cross entropy is used to deal with sparse discrete input symbols [13].
As outlined in [8], both the adversarial network and the autoencoder are trained jointly with stochastic gradient descent in two phases – the reconstruction phase and the regularization phase – executed on each mini-batch. Specifically, in reconstruction phase, the model is trained by minimizing the cross entropy loss between the input symbol and the decoder output with sigmoid activation. During regularization phase, binary cross entropy is used for the discriminator loss, which is computed by summing the loss between positive samples from Gaussian normal distribution and negative samples from the encoder output. Binary cross entropy is also used for the generator loss. Let x be the one-hot encoded representation of input data distribution and z be the latent code vector of an autoencoder. Let p(z) be the prior distribution imposed on the codes, q(z|x) be the encoding distribution, p(x|z) be the decoding distribution, and p(x) be the model’s reconstructed distribution. Reconstruction loss is described in (1), and discriminator and generator loss are defined by (2).

E_x [E_(q(z|x)) [-log⁡〖p(x|z)〗]] (1)

min┬G⁡max┬D⁡█(E_(x~p_data ) [log D(x)]+@E_(z~p(z)) [log⁡(1-D(G(z))] ) (2)

In order to mitigate the instability caused by standard adversarial autoencoder training, consensus optimization has been adopted. Mescheder L [9] showed that simultaneous gradient descent used in GAN does not generally converge to Nash equilibrium in non-cooperative minmax game. The solution proposed by Mescheder L is to construct a conservative vector field from the original using consensus optimization [9][17].

IV. Evaluation
Dataset:
3,254 in-the-wild OS X malware samples collected from proprietary source and randomly chosen 9,981 benign OS X Mach-O samples were used for evaluation. A snapshot of family distribution of 3,254 in-the-wild malware samples is shown in Figure 4. In order to simulate the outbreak situation, 175 out of 3,254 malicious samples that exhibit unique instruction sequence patterns were manually selected by a human malware expert as core malicious training samples and were assigned a unique label for each sample. Note that no benign samples were included in the training set.
Since there is no generic evaluation metric available to find a core sample of a malware family based on instruction sequence, the instruction sequences of all 3,254 malicious samples were visually explored to obtain the core sample of each family. The properties used to put samples in the same category are summarized as follows.

[Fig. 4. Malicious sample distribution by VirusTotal detection names. The biggest bar at the far left hand side indicates the samples with no detection or with generic name.]

In order to find out the category for the latent representation, HDBSCAN clustering algorithm was used, which shows the most appealing performance against unknown number of clusters [12]. The samples categorized as a noise by HDBSCAN are classified as benign because it indicates no similar cluster was found for the test sample. Overall flow chart is illustrated in Figure 5.

Result:
Using raw instruction sequence for classification models significantly reduces the accuracy. Gradient boosting, Support Vector Machine and Random Forest models were chosen as baseline with the feature implemented using n-gram [23] over the instruction sequence. Clustering models such as KNN were not included in the baseline model since they need decent number of training samples to work, which is different to the problem setting put forward in this research.
As shown in Table 1, traditional classifiers perform reasonably well even for a training dataset that consists of a single sample for each class. The proposed model, aae-sh, which is adversarial autoencoder combined with semantic hashing, shows reasonably high detection accuracy against malicious samples. However, all traditional classification models catastrophically fail on benign samples, recording 100% false positives. With the training set of only core malicious samples by which outbreaks are simulated, the traditional classification methods do not work at all. On the contrary, aae-sh, records a 91% accuracy over benign samples with this training setting.

Model Malicious (3,254) Benign (9,981)
gradient-boosting-1gram 0.935 0.000
gradient-boosting-2gram 0.936 0.000
gradient-boosting-3gram 0.931 0.000
svm-1gram 0.934 0.000
svm-2gram 0.944 0.000
svm-3gram 0.968 0.000
randomforest-1gram 0.983 0.000
randomforest-2gram 0.987 0.000
randomforest-3gram 0.989 0.000
aae-sh 0.959 0.910
Table 1. Detection rate against malicious and benign samples for various models.

Analysis:
Visual analysis of the families detected by aae-sh not only shows similar instruction sequences with variations within the family but also it does not exhibit undesirable properties described in the previous subsection. Figure 6 shows aae-sh correctly identifying malware variants whose major feature mass is identical across all samples in the cluster while variations occur in many different ways. These samples are the variants of malware named Blackhole or Freezer. It becomes clear that the names from VirusTotal [16] do not necessarily agree with malware clusters produced by aae-sh because human analysts tag detection names based on analyst-specific heuristics whereas the proposed approach in this paper derives the detection purely from the instruction sequence pattern.

[Fig. 6. Visualisation of instruction sequence of Blackhole or Freezer samples identified by aae-sh. X axis is the feature. Y axis is the sample number.]

Figure 7 shows the detected cluster 49 that contains many Flashback variants. Note that aae-sh detected the samples of different lengths as long as instruction sequences are similar.

[Fig. 7. Visualisation of instruction sequence of malware samples within cluster 49 in Figure 7 identified by aae-sh. X axis is the feature. Y axis is the sample number.]

[Fig. 8. VirusTotal detection names for the samples in cluster 49 that is visualised in Figure 6.]

Figure 8 shows redacted VirusTotal detection names for the samples in Figure 7. It is notable that 447 samples either had no names or had generic names.

V. Conclusion
The research shows that the generative power of adversarial autoencoder creates latent representations that can be used to identify similar samples with minimum number of training samples. It turned out some malware families such as Flashback reuse the same piece of code repeatedly across their variants, which subsequently enables the adversarial autoencoder to identify its family effectively. In addition, the model was found to be effective in discovering multiple variants across heterogeneous malware families that share similar instruction-wise characteristics.

If you are a red-teamer, dropped to hitchhike your way through an enterprise’s DevOps galaxy, this briefing is for you!

Enterprise DevOps teams today are set to deliver high-quality products and services to market faster and more efficiently than ever before. That is made possible through the use of DevOps methodologies and tools – such as Jenkins.

Jenkins is an open source automation server used to accelerate the software delivery process. It is widely considered the de facto standard in open source continuous integration tools with more than 165,000 active installations, of which more than 65,000 are publicly accessible on the World Wide Web!

Jenkins needs to interface with a myriad of systems and applications throughout DevOps environments. It needs unabridged access to code and artifacts, and to accomplish its role as the ‘butler,’ Jenkins must have access to considerable breadth of credentials.

In this briefing we will guide your red-team step-by-step through Jenkins recent CVEs and attack vectors, using previously undisclosed exploits.
The demos will guide the hitchhiker on how to recognize and categorize the Jenkins master server in the reconnaissance phase; how to launch unauthenticated attacks on the Jenkins master to drop security barriers and expose credentials; how to escalate your privileges from a low-privileged user, such as a user with Overall/Read permissions all the way to becoming a Jenkins admin; and lastly some tips & tricks for playing with the Jenkins session mechanism and Active Directory integration.

This briefing is based on our Jenkins research which yielded 6 CVEs and 5 blog posts on the subject (see https://www.cyberark.com/threat-research-blog).

Outline:
1. Jenkins' roles in the DevOps environment
- This will detail the special roles a Jenkins automation server has in the context of the DevOps environment
- A brief description of some recent attacks on DevOps infrastructure [data exfiltration and cryptomining in particular]

2. Introduction to key Jenkins concepts
- This will detail the basic Jenkins terminology, such as user’s permissions, CLI, Jenkins RESTful API, Java Web Start Agents and more.

3. Jenkins 'Gems’
- Detailing what would be the key benefits, or ‘Gems’, an attacker may find on a Jenkins server and agents when compromising a Jenkins installation

4. Hitchhiking 1: The Reconnaissance Stage
- This stage will guide the hitchhiker through methods of locating the Jenkins master and extracting relevant details, such as Jenkins version, session ID, which plugins are installed and more.

This stage will include the following demos:
o Demo of exploit for CVE-2018-1000192
o Demo: compile a list of active Jenkins properties: Jenkins CLI, API, Java Web Start, Jenkins users on the People page, Jenkins credential IDs
 
5. Hitchhiking 2: Unauthenticated Attack Vectors
- This stage will guide the hitchhiker through methods of unauthenticated network attacks on Jenkins infrastructure.

This stage will include the following demos:
o Exploit of CVE-2018-1999001, CVE-2018-1999002, CVE-2017-1000353 and more

6. Hitchhiking 3: Privilege Escalations
- This stage will guide the hitchhiker through methods of privilege escalations from users with Overall/Read permissions to admin and Job/Cancel permissions.

This stage will include the following demos:
o Exploit of CVE-2018-6356 and CVE-2018-1999003

7. Hitchhiking 4: Other Tips & Tricks
- This stage will guide the hitchhiker through miscellaneous Jenkins attacks, which include: attacking Jenkins session mechanism to achieve an infinite session [under responsible disclosure], maintaining access to Jenkins after a user has been deleted or disabled on Active Directory [under responsible disclosure] and more.

8. Closing Remarks - Finally, this section summarizes the different attack vectors we presented and offers some mitigations

Functioning as the first-stage in an exploitation, shellcode play an important role in successfully triggering software vulnerability. Since this part of payload is written in low-level machine code, understanding how it works is not trivial for analysis.

This presentation introduces JiuWei, a cross-platform & cross-architecture machine code analyzer. Based on Unicorn emulator, our tool is able to execute & analyze all kind of shellcodes, regardless of Operating System (Windows, Mac, Linux, Android, etc) or CPU architectures (Intel, Arm, Aarch64, Mips). Thanks to a powerful instrumentation engine, the output report can show what the shellcode does inside, in a friendly high-level output format.

In this talk, we will give a brief introduction on the design & implementation of JiuWei, some technical challenges we had to solve, and some cool live demo on some modern shellcode.

Presented at (VXCON)HK with DEMO. As for HITBGSEC we will be doing new live demo and release this tool after the talk.

"In this talk, we will investigate and present on the ways in which to boot a custom firmware image on an iOS device. In order to show this, we will detail how the secure iOS boot process functions, including many of the details of how the low-level component verification works as well as the loading and running of processes at boot time. It's known that iOS devices tightly integrate their software and hardware components in order to secure the system, but how is this done in practice?

We will answer this question and others by focusing on one of these integrations, specifically the boot process for modern iOS devices. The iOS boot process is a critical part of a device's system security as it helps to ensure that each component of the device can be trusted before it is used by the system. Each step of the iOS boot process contains components that are cryptographically signed by Apple to ensure their integrity and verify the chain of trust before allowing the device to continue booting. The chain of trust for iOS includes the system bootloader, XNU kernel, kernel extensions, SEP, Wi-Fi, and the baseband firmware.

From our detailed understanding and explanation of how the boot process functions for iOS we will then discuss ways in which researchers can take these learnings to create and load a custom iOS firmware image on a device, including a custom XNU kernel and system disk image side by side with the device's original iOS firmware image."

In the 1967 television series, the Prisoner, a former British intelligence agent is imprisoned on an island with other former spies who “know too much.” Escape is near impossible for the prisoners, who are only referred to by their numbers.
We’ll assume the role of “Number Six” in this session and engage the audience in a game of escape. The only difference is that instead of a coastal island, our prison is within a Docker container.

We’re trapped in Play-with-Docker, Docker’s training and workshop playground website with more than 270,000 average monthly visits.

We’ll set out and try to escape the Play-with-Docker container in an effort to remotely run code on the Docker host. The impact of container escape is similar to escape from a virtual machine, as both allow access to the underlying server. Running code on the Play-with-Docker host server would allow an attacker unabridged root access to the infrastructure on one hand, and to all students’ containers running on the Play-with-Docker hosts on the other hand. Escaping a container may be regarded as the first step in an attack against an enterprise infrastructure, since many enterprises are running public-facing containers nowadays, which may lead the attackers into the enterprise network.

We’ll show how we attempt to escape the Play-with-Docker container to reach the underlying host. Attendees will see how we use a number of different attack methods, such as loading a Linux kernel module into the Play-with-Docker kernel, exploiting devices present in the container to read and write host’s files, and more.

In this session we present a number of novel concepts and techniques for container escape: (1) we demonstrate how to inject a Linux kernel module from one version kernel to another kernel version through a Linux container. See https://www.cyberark.com/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host/.
(2) We present three different methods to access the host’s filesystem from a privileged container, demonstrated using the Play-with-Docker container.
(3) We present our idea of ‘privileged’ containers, which widens the current definition, and prompts security researchers to re-think existing approaches to privileged containers.

Who said that bruteforce is not an option?
During the previous years, much effort was spent to create algorithms whose strength was relying on the impossibility to bruteforce all the combinations in due time: this happened mostly because the computational power of traditional von Neumann architectures reached a maximum, due to technological limitations.
One of such algorithms is DES, an old algorithm that is still widely used in our daily life. One of the main examples is probably NetNTLMv1, a Windows authentication protocol that can still be found in working environment and it is still the standard de facto for Wi-Fi enterprise networks all around the world.

That is the reason why DES_CESS (Cracking Environment for Smart Suricates) is born, a simple non-von Neumann hardware tool able to speed up the time to bruteforce a DES key. In the past, multiple attempts have been made to exploit the power of FPGAs to go through the entire DES key space in reasonable amount of time, from Copacobana to PicoCrack and crack.sh. The goal of DES_CESS is to provide an open source, fast and highly scalable tool to bruteforce DES keys on multiple FPGA platforms (from cheap 100$ board to thousands dollars Virtex chips).
The talk will go through what is an FPGA and why, even today, it has advantages over GPU-based cracking, what main challenges have been faced during the development of the project and the next steps for future releases.
Eventually, at the end of the talk we will give away to the attendees free FPGA board(s), so they can start playing with the open source software and, hopefully, be involved in the development!

Outline:
-1- Introduction and WhoAmI
-2- History of FPGA-based cracking
-3- Why FPGA cracking still makes sense today
-3.1- FPGA v/s GPU cracking
-4- Designing an open source, scalable, portable and fast DES cracker
-4.1- The pipelined approach
-4.2- Multi-core and multi-devices
-5- Results
-6- Future steps
-6.1- More optimized algorithms
-6.2- Wider device support
-6.3- hashcat support (?)
-7- Q&A

// [Comment for review board] : The code will be released to the public right after the talk.

Mobile vendors strive to strengthen phone protection on an hourly basis. Currently, even a rooted mobile device is still not fully compromised due to ARM TrustZone and Qualcomm’s Chain Of Trust. That's why we are looking for ways to go even further and bypass this last line of defense in the mobile ecosystem.

We automatically discovered many vulnerabilities in trusted components provided by manufacturers as part of Qualcomm’s Trusted Execution Environment (TEE) backed by ARM TrustZone. Samsung, LG, Motorola and other devices are in the list.

On Application CPU, TrustZone creates an isolated virtual Secure World running on top of a dedicated Qualcomm OS. Secure World’s trusted apps (trustlets) are responsible for the business logic of mobile data security. Those apps must be the most protected part of the mobile device, which makes them crucial and challenging target for security research. In this talk we are going to show that many trustlets are not reliable enough.

We reverse engineered the Qualcomm TrustZone ecosystem and found that trustlets constitute the perfect target for the fuzzing-based vulnerability research due to its internal structure and the TEE architecture itself. In order to be able to fuzz trusted apps, we had to discover ways to execute them in the Normal World (Android OS); to load patched app into the Secure World, bypassing Qualcomm’s Chain Of Trust; to adapt trusted app for running on a device of another manufacturer; and more. We are going to show our way through those challenges to build a workable fuzzer and hunt TrustZone vulnerabilities.

## Title: Fuzzing the Solidity compiler

0. Talk overview

In this talk, we will
1. Introduce the audience to the Solidity compiler and its high-level architecture
2. Present a threat model for the compiler
3. Present a framework for security testing of Solidity for the presented threat model
4. Present results from our internal security audits
5. Conclude the talk with take-away, future work, and implications for testing other compiler-interpreters such as Python, perl, ruby etc.

We will demo the bug discovery process of a real-world optimizer bug for the lulz.

1. Introduction

Solidity is a programming language (PL) for writing distributed applications, so called smart contracts. The Solidity compiler (also called Solidity) is the most popular compiler that is used to compile and optimize smart contracts and generate Ethereum virtual machine (EVM) bytecode. Production EVM bytecode is then deployed on the Ethereum main network.

Since the Solidity programming language does not have a formal specification, testing the compiler implementation is an important way to obtain assurance about the correctness of code generated by the compiler. Fuzz testing is well-suited for this setting. However, applying fuzzing in the traditional manner (random input generation that is coverage-guided) is inefficient for testing compilers because a significant fraction of randomly generated code is syntactically invalid. If the fuzzer does not generate syntactically correct Solidity programs, the compiler will simply reject it. As a consequence, code optimization and generation subsystems of the compiler will not be tested.

The approach adopted by us is to define a grammar for the Solidity programming language and automatically generate inputs based on this grammar. Grammar based fuzzing ensures that generated programs are successfully parsed by the front-end parser. We make use of libProtobuf and libProtobufMutator for defining the grammar and performing grammar-based mutations, and libFuzzer as the underlying fuzzing engine.

2. Threat Model

The Solidity compiler comprises two high-level subsystems, namely the front-end parser and the back-end code optimizer/generator. The class of bugs we would like to find are those introduced by the optimizer. There are two optimizers within the compiler back-end: (1) the legacy optimizer is the optimizer that is used in production, and (2) the new and experimental Yul optimizer that is available since version 0.5.6.

Our focus is on defining a threat model for the new Yul optimizer so that bugs are caught and fixed before it goes into production. To test the yul optimizer, we employ the following strategy
- write an interpreter that can execute yul programs and output an execution trace
- compare execution traces of unoptimized and optimized yul programs
- if the yul optimizer works correctly, these traces should match

An execution trace is essentially a list of side-effects produced by a program. An optimizer must make a program more efficient to run. However, it should not alter its semantics. The bug class of interest is optimizer bugs that alter program semantics post optimization.

3. A Framework for Security Testing of Solidity

3.1 Yul: Solidity intermediate language

Yul is an intermediate language that is designed to be a common denominator for multiple backends such as EVM, EVM1.5, Wasm etc. It has two flavors: typed and untyped. The former is in active development; the latter is part of the experimental release and the focus of our current testing.
In untyped yul, all values are of type u256 i.e., unsigned 256-bit values.

3.2 Yul interpreter

The yul interpreter interprets untyped yul source code for the EVM 1.0 backend. One of the main features of this interpreter is the ability to log execution traces of interpreted source code.

Execution traces comprise sequence of instructions that led to a side-effect. For example,
MSTORE_AT_SIZE(0,32) : 0000000000000000000000000000000000000000000000000000000000000000

says that there is a store to memory location "0" of a 32-byte value that follows the colon. Execution traces allow us to ensure that side-effects of unoptimized and optimized are the same by simply comparing strings.

3.3 Semi-formal specification of target language

Input generation depends on the specification of the target language i.e., untyped Yul. We write a protobuf specification for untyped Yul. It looks like like an ABNF spec found in network protocol RFCs.

Top-down, we define a function to be a statement "Block" and a "Block" to be a sequence of "Statement". A "Statement" can be one of several possible statements such as variable declaration, assignment, if, for etc.

```
message Function {
required Block statements = 1;
}

message Block {
repeated Statement statements = 1;
}

message Statement {
oneof stmt_oneof {
VarDecl decl = 1;
AssignmentStatement assignment = 2;
IfStmt ifstmt = 3;
StoreFunc storage_func = 4;
Block blockstmt = 5;
ForStmt forstmt = 6;
SwitchStmt switchstmt = 7;
}
}
```

The libprotobufmutator leverages this specification to create "trees" representing various statement sequences.

Note: A block can contain multiple "basic blocks" in compiler-speak.

3.4 Specification to input converter

Input generated by the libprotobufmutator looks like an abstract tree. An example is provided below

```
statements {
statements {
decl {
expr {
varref {
varnum: 0
}
}
}
}
}
```

This is not a valid Yul program. To convert this abstract representation into a concrete representation, we need a so called proto converter. A proto converter accepts the abstract representation provided by the fuzzer and "pretty prints" it into a Yul program. We have implemented a simple converter in C++.

3.5 Test harness

Once the input has been converted to a concrete representation, we can feed it to the parser and optimizer subsystems of Solidity. At a high level, the pseudo code for the test harness looks as follows

```
int Fuzz(Proto p)
{
std::string c = convert(p);
ast = solidity::parse(c);
trace_1 = interpret(ast);
ast.optimize();
trace_2 = interpret(ast);
assert(trace_1 == trace_2);
return 0;
}
```

The bugs the fuzzer flags are those programs that have different side-effects with and without optimization.

4. Results from internal security audit

At least four security-critical bugs were found in the Solidity compiler-optimizer. More bugs will be discussed if they are fixed until the day of the talk. For lack of space, only three bugs will be described in detail in the abstract, but all bugs will be presented should the talk be selected.

4.1 Bug 1: Double shift leads to incorrect computation

Consider the following fuzzer generated Solidity assembly program that simply declares a variable "x" and initializes it "1" left shifted by 2^256 (note that a native word is 256 bits and all operations are mod 2^256)
```A
{
let x := shl(1, shl(not(0), 2)) // 2 << (2^256)
mstore(0, x) // mem[0] = x
}
```

Left (or for that matter, right) shifting any 256 bit constant by more than 255 places should yield zero. It follows that the program above should store the value 0 at memory location "0".

However, the compiler actually optimizes the above program to the following:
```A"
{mstore(0,2)}
```

On closer inspection, we found that the optimization rule for double logical shifts (both right and left) contained the following rule

```
Rule 1: shl(a,shl(b,x)) -> shl(min(a+b,256),x)
Rule 2: shl(0,x) -> x
```

For the fuzzer generated test case `a=1` and `b=(2^256 - 1)` for which `a+b=2^256.` Since a native word was used to compute the sum of shift sizes, it overflowed to zero in this case. Consequently, min(0,256) = 0 which meant that the code in the original snippet was transformed to the constant x (="2")

The fix was to use arbitrary precision integer for storing the result of `a+b` before computing the min. However, since this rule is encoded in the legacy optimizer (that has already been used by contracts on the main net), it required a bug fix release and a security advisory. Fortunately, code like this is highly unlikely to be written or generated, so it was treated as a low-severity bug.

4.2 Bug 2: Incorrect byte opcode optimization rule

The `byte` opcode is used for indexing individual bytes in word (32-byte array). byte(i,x) indexes the ith most significant byte of x, the most significant byte of x being assigned an index of 0.

```
byte(0,1) = 0x00
byte(1,1) = 0x00
...
byte(31,1) = 0x01
```

Now, byte(31, x) is equivalent to applying the following bit mask on x: and(x, 0xff). Here's the fuzzer generated program for which the optimizer generated incorrect code

```
{
let x := byte(2,31)
mstore(0,x)
}
```

which was optimized to

```
{
mstore(0, 2)
}
```

This was surprising because byte(2,31) is zero because the second most significant byte of a 256 bit representation of the decimal value "31" is zero. On closer inspection of the byte opcode optimization rule, we found that the rule swapped the order of arguments resulting in the following optimization being applied (-> indicates equivalence)

byte(x,31) -> and(x,0xff)

where as the correct rule should have been
byte(31,x) -> and(x,0xff)

This was a relatively simple fix. However, since this rule is encoded in the legacy optimizer (that has already been used by contracts on the main net), it required a bug fix release and a security advisory. Fortunately, code like this is highly unlikely to be written or generated and even if it is, the bug occurs for a very specific "value" and not the index of what is essentially an array access operation.

4.3 Bug 3: Incorrect code generation for nested arithmetic operations

tl;dr: A bug in the Solidity optimizer led to incorrect computation of basic arithmetic operations.

Context: The Solidity optimizer comprises over 15 different optimization steps. Each step is modular: it accepts code from the previous optimization subsystem, optimizes it further, and outputs the optimized code to be used in the subsequent optimization phase. One such optimization step is the expression simplifier (ES).

The expression simplifier is tasked with simplifying expression statements. Consider the following trivial expression statement that assigns a constant (referenced by a variable `y`) to variable `x`.

```
y = 1
x = y
```

This can be obviously simplified to `x = 1`.

The benefits of the ES are the following
- since it folds constants, it enables further optimizations
- it can replace expressions that directly map to built-in EVM opcodes e.g., `x = y & z` can be replaced by `x = and(y,z)`

Bug Root cause:

The ES makes use of the static single assignment component to make it easier to fold constants. Although this usually works out well, in certain corner cases, it is possible that the value of an SSA variable may reference a non-SSA variable whose value has changed from the time the reference happened. When this happens, the "constant" folded can be different than the correct value. Hence, incorrect code is generated. This is a serious issue since an incorrect value for a program variable can influence the outcome of a contract, leading to program flow that was never intended by the contract developer.

Concrete example of bug:

Consider the following code snippet that triggers this issue in the compiler-optimizer.
```
1. {
2. let a,b := foo()
3. sstore(0, a)
4. sstore(32, b)
5. function foo() -> x, y
6. {
7. y := sub(y,1)
8. x := sub(y,1)
9. }
10. }
```

This contract does the following
- defines a function called foo that returns two values
- assigns variables `a` and `b` to `foo()`
- stores the value of `a` in storage location 0
- stores the value of `b` in storage location 32
- both `a` and `b` hold 256-bit numbers

A correct execution of the above code should result in the following computation steps:
- As `foo` is called, `x` and `y` are initialized to zero
- On line 7, `y = 0 - 1 = -1` OR 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
- On line 8, `x = y - 1 = -1 - 1 = -2 OR 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe
- On return from foo, `a = x` and `b = y`
- On line 3, the value 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe is stored in storage location 0
- On line 4, the value 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff is stored in storage location 32

Due to the bug described above, the Solidity compiler-optimizer generates the following (incorrect) code instead

```
sstore(0, 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd)
sstore(32, 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff)
```

- Note that while the value of `b` (stored in location 32) is correct, the value of `a` is off-by-one
- The optimized version of the program generates the value `-3` for `a` instead of `-2`

Why -3 and not -2?

This is where the bug kicks in. Let us rewind.

We explained that a bug in the Expression simplifier optimization step led to incorrect values being used during constant folding. Let us dig deeper to understand the bug using the above contract as an example.

At the time the ES step is invoked, this is what the program looks like (bear in mind that prior optimization steps have reduced our original program to this stage. Explaining why the program is transformed so is beyond the scope of this talk)

```
1. {
2. let a, b := foo()
3. let _1 := 0
4. sstore(_1, a)
5. let _2 := 32
6. sstore(_2, b)
7. function foo() -> x, y
8. {
9. let _3 := 1
10. let y_5 := sub(y, _3)
11. y := y_5
12. let _4 := 1
13. let x_6 := sub(y_5, _4)
14. x := x_6
15. }
16. }
```

Let us narrow our focus to the computation in the function foo
- On line 9, ssa variable called `_3` is created and assigned a value of one.
- On line 10, ssa var called `y_5` is assigned the expression `sub(y, _3)`
- Note that, at this point, `y_5` is only a reference to the sub expression AND
- The values of `y=0` and `_3=1` are not resolved yet, so they remains references to their values
- On line 11, `y` is assigned the value of `y_5`.
- Now that, since `y` is a non ssa variable, it is further simplified to the value of `y_5`
- Since the value of `y_5` at this point is `-1`, y becomes equal to negative one
- The reference `y_5 = sub(y, _3)` remains intact
- On line 12, ssa var `_4` is assigned a value of one.
- On line 13, ssa var `x_6` is created and assigned the reference `sub(y_5, _4)`
- [BUG!!!] On line 14, `x` is created and assigned the reference `x_6`
- Note that, since `x` is a non SSA variable, it's value needs to be resolved now
- To do this, the compiler resolves the value of the dependent references
- `y_5` references `sub(y, _3)`: At this point, `y=-1` and `_3=1`, therefore `y_5 = sub(-1, 1) = -1 -1 = -2`
- `x_6` references `sub(y_5, _4)`: At this point, `y_5=-2` and `_4=1`, therefore `x_6 = sub(-2, 1) = -2 -1 = -3`
- Therefore x is incorrectly assigned a value of `-3` instead of the correct value of `-2`

The underlying cause of this bug is lazy SSA resolutions of SSAs that reference non-SSA expressions.

The fix is to not depend on lazy SSA resolutions. Specifically, we now depend on the the data flow analyzer subsystem that handles such computation correctly. Since this bug appears in the new optimizer that is still in experimental mode, we treated it as a bug fix and not a security advisory. Nonetheless, it is strongly recommended that users update to the version with the bug fix.

5. Conclusions

The key take-aways are
- Grammar-based fuzzing is useful to find bugs in deep compiler code
- This helped discover multiple security critical bugs in the Solidity compiler
- Assessing impact of bug remains a challenge because bugs don't have bytecode/source code patterns.

Road-map
- Expand language specification. Include multiple function definitions/calls.
- Fuzz legacy optimizer

Speculative execution bugs in modern CPUs popped up out of nowhere, but the worst of the nightmare appears to be over. While Spectre-style attacks will be with us forever, a variety of mitigations have been implemented to protect us against Intel CPU vulnerabilities such as Meltdown and Foreshadow. Browser vendors have implemented process isolation, and Intel even have silicon fixes in their latest CPUs. Do you feel safe?

We destroy these mitigations by taking a skeptical look at their assumptions, and reveal
that unprivileged userspace applications can steal data by simply ignoring security boundaries
-- after all, what do address spaces and privilege levels mean to Intel's CPU pipeline? Using our RIDL attacks (also known under the PG-13 Intel designation: MDS -- Microarchitectural Data Sampling), we'll steal in-flight secrets from SGX using just a bit of JavaScript in a web browser, grab /etc /shadow from another VM without even thinking about the hypervisor in the middle, and despair about our speculatively executed future.

One of the most important part of avionic systems is the communication. Airplanes use mobile communication to connect to stations on the ground. In many cases the connection is base on LTE-Advanced technology and in some cases when an airplane is on the seas or somewhere else that there is no base station on the ground, It uses the satellite as a hub. In this presentation I will explain the architecture of the communication between an airplane and a ground station, after that review the technology used like mobile communications. In the next part I will review the vulnerabilities around the mobile communications particularly in radio segment which used by both airplane and the ground base station. In the last part of the presentation I will cover and show how a hacker or criminal can take advantage from the communication line between airplane and the base station to passive sniffing, manipulate the data, active sniffing, airplane functions disruption, privileged escalation to other avionic system which threaten both airplane and passengers.

In software development, we frequently see the same logical coding mistakes being made repeatedly over the course of a project’s lifetime, and often across multiple projects. When these mistakes lead to security vulnerabilities, the consequences can be severe. No one knows this better than companies like Google and Microsoft, whose software is used by millions of people every day.

With each code vulnerability discovered, we’re presented with an opportunity to investigate how often this mistake is repeated, whether there are any other unknown vulnerabilities as a result, and implement an automated process to prevent it reappearing. In this talk, I’ll be introducing Variant Analysis, a new process being pioneered by security teams at a number of companies including Google and Microsoft, that does just this. I’ll discuss how it can be integrated into your development and security operations, and also share some stories from the trenches.

This talk will cover attacks on popular GSM-devices: GSM-alarms, GSM-controllers for smart homes, industrial GSM-controllers, access control systems, GSM-locks, some communication systems and smartwatches for kids. They are very easy to use. Usually, the user can insert a SIM-card in a controller, then the GSM-device is ready to use. Howewer, the security of these devices is questionable.

This talk will cover attacks on GSM controllers present in the aforementioned devices, as those seem ripe with insecurities.
This talk will also cover different problems that were found during research, as well as critical flaws.

Plan for the talk:

* Which GSM-devices exist, where they can be used, why the successful hack is dangerous.

* I will show and describe some devices, also I will present some statistics about using these devices (based on publicly available data).

* I will tell about the latest attacks (based on attacks, where some information are available).

* Financial attacks: why it can be interesting and useful to hack devices in other countries. Sometimes hackers can use vulnerabilities in different devices to steal money by calls to paid numbers.

* Typical threats, what is the difference between GSM-alarms and other types of alarm systems.

* Calls with spoofed Caller ID (phone number) as an effective method of attacks against GSM-alarm systems: different GSM-systems supports control with calls (they use small IVR-menu with DTMF commands). The main method is to make a call with spoofed Caller ID and bypass authorization. We will discuss different issues: using only Caller ID for authorization, brute-force authorization code, default authorization codes, additional configuration codes. After a successful attack hacker can:

* * GSM-alarms: an attacker can change settings, disable and enable security mode, add new control phone numbers, listen to an environment.
* * Smart homes control systems: an attacker can switch off and switch on devices, get information, listen to an environment.
* * Industrial GSM-control systems: an attacker can switch off and switch on different industrial systems.
* * Access control systems and locks: an attacker can open doors.
* * Smartwatches for kids: an attacker can send fake messages, make fake calls from parents, get location, listen to an environment.

* Also, "locking brute-force" will be discussed. It is a special attack against a few well-protected devices, which will lock authorization for some time after several attempts for authorization. An attacker can use it to disable an ability to control a device for the user.

* Special "incoming call attack" will be discussed. Some devices by different reasons cannot make a call or send SMS when the line is used by another call. An attacker can use it to prevent sending an emergency signal for a long time.

* Financial attacks on devices. In several cases, an attacker can make the device perform paid actions (like sending SMS or making calls). It allows for an attacker to make a device spend all money from the account and prevent communications.

* Attacks on mobile operators: criminals can try to attack different systems of mobile operators to disable communication with a device or to get control on SIM-card (and device too). In this part, different attacks will be discussed. In some cases, an attacker can change tariff, spend money from the user's account, block SIM-card, enable call forwarding. I will tell about different methods, that can be used to do it.

* Attacks with spoofed SMS-messages will be discussed. In several cases, it is possible to send SMS with spoofed phone number (mostly, it is based on different vulnerabilities at mobile operators systems).

* Using different jammers will be discussed: when it can be effective or when it can be useless.

* Problems with DIY-devices will be discussed.

* More difficult attacks against well-protected devices will be discussed.

* Also physical attacks will be discussed, in several cases, a hammer can be more effective than high-technology attack.

* Attacks on mobile applications and personal accounts, which can be used to control devices, will be covered.

* Some ideas for secure exploitations of GSM-devices will be discussed.

If it is possible, I will show some practical demonstrations.

Recent years have seen a flood of novel wireless exploits, from vulnerable medical devices to hacked OT devices, with exploitation moving beyond 802.11 and into more obscure standard and proprietary protocols. While other non-WiFi RF protocols remain a mystery to many security practitioners, exploiting them is easier than one might think. Today, cyber threats have grown not just in its depth (more sophisticated) but also in its breadth (expanded scope). It has grown from threats in Enterprise IT systems to Operation Technologies (OT) and Industrial Control Systems (ICS).

IoT/OT is the backbone of our critical infrastructure and is increasingly under attack. These systems present unique security challenges connecting aging equipment that often predates modern security. The increasing pervasiveness of wireless connectivity has expanded the attack surface of IoT/OT networks by opening them up to those dangers well known and can only be expected to continue to do so. Every device accessible over an electronic network creates another point of attack for malicious operators; every additional connection between information and control networks multiplies the number of attack points that can be addressed. We will be showcasing many of the wireless security and privacy issues.

But is security keeping up with the innovation? The session assesses current IIoT security and discusses how to identify authorized and unauthorized signals in an organization. Smart Homes, Transportations, Communication, and Energy industries are widely considered as the most vulnerable and disruption of their operations to have the greatest and most immediate national impacts. Even Hackers have a new way to profit off our security cameras, smart lighting, and even our fancy new coffee pot, we will show, how can one detect and prevent IoT crypto jacking attacks. The difficulties discussed and the recommendations made are equally applicable to all industries using IoT/OT.

In 2017, the estimated global in-app purchase revenue was projected to exceed $37 billion. Just in the Google Play Store, for 2018, more than 200 000 apps are offering in-app purchases. However, the Google Play Billing API is vulnerable by design and allows an attacker to bypass the payment process. I analyzed several android games and found that it possible to bypass the payment process. This presentation will show real vulnerable applications (Fruit Ninja, Doodle Jump, etc.).
The agenda of the presentation will be divided as follow:
1. Google Play Billing Presentation: Presentation of the workflow and how it works. In addition, a focus will be done on the local validation of the process.
2. Known vulnerabilities: Review of the vulnerabilities found by Dominik Schürmann. Demonstration of why the fixes performed by Google are not enough and how it is still possible to bypass the payment process.
3. Vulnerable applications: Example of vulnerable applications trying to protect the billing process (Doodle Jump, Snoopy Pop, Fruit Ninja, etc.) with different techniques (obfuscation, shared libraries, etc.). The presentation will focus on how the billing process is performed and how by reverse engineering the application, it is still possible to bypass the payment process.
4. Conclusion: Sum up of the numbers of vulnerable applications. Comparison with other billing libraries (Amazon and Samsung).

I’m still working on several Android applications (mainly games) to analyze how the billing process is handled. In my presentation, I’m going to show how different applications implement the process. Different demonstration will be performed regarding the different vulnerable applications.

A preview of my work can be found on the following blogpost: https://www.checkmarx.com/blog/abusing-android-inapp-billing-api/

There are still a lot of ways to manipulate the communication between mobile subscriber and base station from GSM to LTE. An attacker or any surveillance system can run a rogue base station to catch the victim IMSI and sniff the voice or data traffic. In this talk I will illustrate how we can determine the suspicious activity to prevent compromising the radio network.This presentation will completely demonstrate how to build a IMSI Catcher/FakeBTS system to detect the intruders.

Over last few years, Wi-Fi tracking(track your presence via Wi-Fi)raise privacy concerns, because the MAC address can be linked to individual.

To address privacy issues, Apple, Google, Microsoft added a MAC randomization feature on their latest system to hide the real MAC address. But a large number of devices still do not support this technology, and the randomization usually only works in scanning, actually will be break when get connected. So we can set up fake hotspots to induce clients to connect.

To make things worse, these Wi-Fi tracking devices get greatly improved. With the help from third-party data companies, Wi-Fi tracking can even map the MAC addresses to users' phone numbers, then SMS marketing or telemarketing. In this talk, we will discuss the development of Wi-Fi tracking, and propose a new idea to fight against it.

===== Abstract =====

The IoT botnets universe is the fascinating one. With countless of IoT botnets variants emerge in the wild, every bot herder is fighting for marking their territory with insecure devices on the Internet.

In this session, we love to share the interesting stories from single honeypot, lead to discovery of juicy botnet source code repositories on the Internet, and uncover various dramatic scenes within the bot herders behind the curtain.

By tracing the attack trails with OSINT, we discovered multiple source code repositories which surfaced over the Internet for a short duration, with huge collection of IoT botnet source code, exploits, compile tools, screen shots, credential notes, config files, private keys, etc.

During Apr 2019, we came across with recent variant with anti-honeypot technique for evasion purposes. In addition, we stumbled upon various interesting turf war and dramatic territorial battle between the bot herders, e.g takeover and wipe out other's botnet, delivered sneaky backdoor-ed exploit scripts to the peers publicly, 'bashing' well-known IoT botnet security researchers who discovered their botnets in security conference (e.g. HITB 2018).

===== NOTE for CFP reviewers team =====

- Thank you very much for reviewing my submission!
- FYI, I have presented 60% of of these contents in Black Hat Asia March 2019.
- As a HITB crew / volunteer, I feel that this topic could be pretty relevant for our HITB conference, especially we found that the IoT bot herders were watching and discussing HITB GSEC Singapore 2018 Youtube video and 'bashing' the researcher's presentation accents. Pretty interesting.

Thanks again!

Botnets have long been a serious threat for Internet security. In recent years with booming development of cloud technology, botnets have also targeted at millions of hosts on cloud, leading to more problems like DDOS attack, data stealing and cryptojacking, etc.

To combat with botnets and protect users on cloud we first need to track them down. Since many botnets are highly infectious, it is necessary to detect new botnets as soon as they appear and understand their behavior, before they spread and cause more harm. We also need to detect changes in botnet behavior whenever they are updated.

We are faced with following challenges:1. there are hundreds of active botnets at the same time, far beyond the number security experts can analyze. 2. It is hard to pick out the botnet that is in early stage of propagation, yet has potential to wreak havoc. 3. It is labor-consuming to put together pieces of information of a botnet to generate useful intelligence.

To address these challenges, we propose a triage framework on cloud to track botnets. The framework is consisted of three modules:

1. Module for collecting intrusion events and IOCs.

High interaction honeypots on cloud and intrusion detection systems (IDS) are used to collect network and host-based information including malicious traffic, malware md5, mining activity, etc.

Specifically, we extract urls from suspicious HTTP request. Different botnet groups use different urls to download files, including dropper, backdoor, malicious scripts.We also put emphasis on wallet addresses and proxy addresses extracted from mining traffic of cryptojacking botnets, because they distinguish different botnets well.

2. Module for clustering IOCs and building causal relationship among events.

Entities are extracted from collected information to build a knowledge graph. Then we run label propagation algorithm(LPA) to further cluster all the IOCs. This step helps to understand botnets' structure and behavior .

3. Module for filtering out botnets that are worth attention.

Multiple statistical and rule-based models are used to scale down the number of botnets to be analyzed.

This framework helped in successful detection of many new botnets and important botnet updates, about which we have written posts to tell our customers what is going on.

During analysis of botnets, we found following tendencies:

1) Technical threshold for botnet builders is becoming lower due to open source tools and exploits

2) Botnets are starting to use more advanced infrastructure (e.g. bulletproof host, TOR hidden service, threat intelligence from shodan, rootkit…)

3) 0-day and 1-day vulnerabilities are used in botnet propagation, and the time interval between vulnerability publication and use in botnet is short.

4) Some botnets are single-purpose, but most of them combine mass scanning, mining, DDOS to gain most profit.

In sum, we really hope to share with you real-world botnet cases, our methods and models to detect them in early stage of propagation, and other findings in the process.

At first, I'll give the audience a brief walkthrough of the history of input validations against SQL Injection. Then, some classic and practical evasions will be shown with the slide, and I'll explain why these evasions work and how validation functions handle afterward. Of course, those de facto well-known WAFs, like ModSecurity, and some common filters, like libinjection, will also be discussed at the end of the walkthrough.
As I finish the introduction of input validations above, I'll then introduce a novel way utilizing the concept of Polymorphism in order to bypass the limitations. The outline probably looks like following: Go through a brief introduction of the mutation technique, the differences among other evasion techniques, the scheme, the algorithm, and the potential risks it may raise in the future. Some new bypasses against ModSecurity and libinjection will be shown and evaluated at last.
In conclusion, I'll talk about future works and possible improvements to the idea. I'll also discuss why there exist such developer UX/ergonomics problems that stop developers from using true solutions such as parameterized queries, strict HTML templating, strong typing and/or taint-tracking systems, and therefore, might lead to the problem of lexical and syntactic equivalences in many input languages as well.

How many different malwares are there in the wild? Every cracker breaks your system on his own by creating a brilliant piece that will infect all the world and rule them all? Not so easy, not so simple, not so fast!

Android world is crowded with info stealing SDKs, rough advertising libraries, ready examples for spyware, ransomware and exploitation. Malwares are released in many versions. Malware developers steal from other malware developers and repackage result of their sweat. They seek not to develop and to promote an app, but to embed the malware into many well known apps.

Clones can look the same or completely different at the first glance. Still they have similar malicious piece of code. Multiple obfuscation techniques exist to evade signature-based detection. Manual discovery and analysis of all the variants is almost impossible task. How to find all the versions and repackaged instances with minor code modifications? And even better, to detect them automatically.

In this talk we'll show how to compare malicious code, ignoring insignificant changes and legitimate libraries. After that we'll explain how to refrain from expensive pair to pair comparison by employing similarity hashing techniques. We have developed an efficient automatic detector for the clones. And our life got easier.

1.Why ZigBee again?
Not from the perspective of development. This talk will describe how to start from the firmware layer and deeply analyze possible problems of ZigBee protocol.
I: From the bottom firmware, get the secret key and key data, and then reconstruct ZigBee communication;
II: Instrumented and IDA plug-in is going to make ZigBee security research more convenient;
2. What is ZigWasp ?
ZigWasp is an edge tool for analyzing ZigBee firmware.
Within this tool, you can do your ZigBee attack work easily, even you do not have the ability of reversing.
3.Key Features about my tool
--Determine which bytes are CODE and which byte are DATA
--Automatic find and present there IMPORTANT keys in ZMasterKey/defaultKey/defaultTCLinkKey
--Identify system functions
--Identify most static variables
--Detect some sensitive information
4.Using means;
--Decrypt the packet with the secret key;
--According to the disassembly code, find the implementation process of protocol packaging;
--Analyze protocol field design and protocol specific format, and then rewrite zigbee communication module to realize replay attack;
--Extract valuable information from firmware and extract it;

Researchers are always talking about binary vulnerabilities when hacking desktop applications, this time let us try something different. Memory corruptions are always costly to find, mitigations introduced by operating systems make them harder to be exploited. Meanwhile, more and more applications are using hybrid technologies, so we can try web security tricks to pwn them reliably with less effort.

Our presentation will summarize attack surfaces in desktop application and introduce methods to find security issues. In particular, we will explicate some real-world cases, such as chaining multiple vulnerabilities (information leaking, CSP bypass, opened debugging port) to achieve RCE in a specialized IDE, sensitive file leaking in some famous editors, privileged APIs abusing in many IM applications and so on. During our research, we find some issues actually reside in popular libraries. These flaws may affect more applications than we will demonstrate in this talk.

Web security knowledge is usually unfamiliar to desktop application developers. Attacking desktop apps using web security tricks is a non-competitive "blue ocean". Our presentation will focus on many design misconceptions and implementation mistakes in desktop applications. By sharing these representative lessons, we hope to help developers improve the security of their products.

This presentation focused on a novel chained mobile phishing, which operated by two seemingly unconnected mobile malware – XLOADER and FAKESPY – a malicious Gang that caused widespread attention from anti-virus vendors, regional police and Interpol - has been attacked to East Asian countries for nearly 6 years with great fanfare and has reached its peak since last year.

We will present how the criminal gang is playing their mobile phishing techniques, which includes SMS Phishing(Smishing), Web Phishing optimized for Mobile Platforms, Popup/Notification Phishing and Social App Phishing and even Voice Phishing(Vishing) is involved. Also, we can see the criminal gang uses these mobile phishing attack vectors without any difficulty, these technologies can be combined to be seen as an independent phishing circle, so called chained mobile phishing.

The mobile phishing campaign employed SMS senders to send tens of thousands of well prepared text messages to mentioned targets ( Phishing), deployed or cloned thousands of fake famous websites as well as new domains to lure victims into downloading malicious apps or installing malicious iOS profiles (Web Phishing), prepared many fake banking/gaming apps to replace with the installed legitimate ones by alerting victims (Popup/Notification Phishing), occupied many social network profiles to hide the real C2 address, such as Baidu, Sohu, QZone, Kinja, Twitter, Instagram and Tumblr (Mobile malware on social networks). Besides, said attack also used Domain Name System (DNS) cache poisoning/DNS spoofing to distribute and install malicious Android apps, during its attacking, the Social App Phishing was also employed as new attack vector to further lure user into hooking up.

Up to now, the six-year transnational campaign is still very active, with a wealth of infrastructure of infect chain and attack vectors, especially good at mobile phishing attacks, and continue to launch a fierce attack on developed countries or regions in East Asia such as Japan, South Korea, Taiwan and so on.

In the course of our research on this mobile phishing campaign , we have learned mobile phishing is more problematic, which is different from and goes beyond traditional PC's, mobile phishing brings together new features of mobile for phishing individuals, the mobile phishing campaign, with its unexpected attack vectors, and the use of tens of thousands of auxiliary facilities, has achieved good attack effects again and again.

Along the course of our research, we outlined the evolution of both XLOADER and FAKESPY malware families. Our research showed that the infrastructure and the victims have spread from Asia to target many other users in various locations. We also share the connections of the two malware families and the Yanbian gang and provide security tips for vendors, ISP and best practices for mobile device usage .

The captive portal feature are supported by most operating systems(iOS/Android/Windows/MacOS), it will automatically pop up a portal page without user interaction when a device connected to a Wi-FI network. Due to the feature, it's often used as a start point for combined exploits, such as exploiting iPhone7, Samsung Galaxy S9 and Xiaomi Mi6 on Mobile Pwn2Own 2017 and Pwn2Own 2018.

CP toolkit is a collection of captive portal exploitation, which enables a researcher setting up a phishing AP to gain sensitive information from victims or directly attack their devices. Most of functions do not require Internet access.

The most important functions include:
- Create hotspot with captive portal (using Hostapd, Dnsmasq and Iptables).
- Automatically redirect to any unsafe applications using URL Scheme on portal pages.
- Exploitation of system vulnerability , like DoS attack to iOS/Mac devices using CVE-2018-4407.
- Exploitation of application vulnerability, like ES File Explorer Open Port Vulnerability.
- Forging popular social software and emails login web pages.
- Information collection form templates which imitate public Wi-Fi networks.
- Web-based imitation of Windows/Mac network manager in order to defraud password of other Wi-Fi. (Idea from wifiphisher project)

As the IoT market grow larger, various Iot devices has been created. IoT devices made IoT network to communicate with each other more easily. Most of the other tranditional research focus on IoT devices.

However, one of the important point in IoT network environment is the communication between IoT devices. Thus, we choose a topic 'IoT network', not a single IoT device.

And because of the IoT boom, many hackers found the vulnerabilities of the IoT devices. In other words, recently the security level of IoT devices became much higher than before.

We purchased a dozens of IoT hub and devices which has a managed service, and began analysis and hacking them. We acquired almost every firmwares, using firmware provisioning, MITM, desoldering and others. Also we anlaysed the network packet and tried attacking, grasping and reassembling the form used in IoT network. In addition, we found the vulnerable code in U-Boot source code which is usually used in IoT devices, and proved that they can be the cause of side channel attack.

Finally we will show the 'Live Demo' which can got shell or manipulate functions, using some of vulnerabilities we found. Through this talk we will show hacking method with improved security. Conclusionally, we will let you know the importance of the 'IoT Network' security.

I'm sure that this will be one of the most interesting things in this conference.

ps) attachment file is only about IoT hub.

In newer version of Windows (Windows 2016 and 10), various security functions are implemented, so it seems to be difficult to attack.
But if attackers once got Domain Administrator privilege, they can create malicious Kerberos tickets called "Golden Ticket" and "Silver Ticket". By using these tickets, attackers can attack against all version of Windows and disguise themselves as arbitrary administrative accounts for a long period.
Golden Ticket is famous for one of the most threatening attacks, but actually Silver Ticket is more troublesome since no trace is left on the Domain Controller.

We will introduce a real-time detection method for attacks using Golden Ticket and Silver Ticket. We also introduce how to detect attacks using "Eternal Romance": an attack tool leveraging the Remote Code Execution vulnerability fixed in MS17-010. Since it is widely used to get administrator privileges, and the attack is quite easy even if the target is a newer version of Windows.

Our detection method can be available for Windows 2008 R2, 2012, 2016. Furthermore it can be implemented easily at low cost because it utilizes only Domain Controller’s Event Logs and minimum Kerberos packets.

Finally, ATT&CK, a knowledge base of adversary tactics and techniques, is getting common recently.
We also introduce the method to identify the possible tactics for each detected attack activity automatically.

This talk deconstructs the workings of a state-backed influence operation originating from Iran. It weaves the lessons learnt from it into the larger, emerging playbook of cyber-enabled information operations.

Between Aug 2018 and Jan 2019, Twitter and Facebook took down thousands of pages and accounts propagating "inauthentic news."

While rifling through this dataset, the speaker got a peek into the novel and perplexing trade-craft of the actors. From a Russian Business Network-like front in Pakistan to the very actuation of Ayatollah Khomeieni's idea of a 'soft war' in cyberspace -- many nuances skipped the attention of the research community.

Such hybridised templates which combine cyber and information operations open a new facet of warfare where brain becomes the most potent attack surface. By leveraging disciplines like data-driven psychometry and exploiting cognitive vulnerabilities like dissonance and tribalism, it is disrupting the existing notions of cyber offence.

The Western playbook of cyber operations as "deny, disrupt, and degrade" stands upended by this new template.

By incorporating latest research on information weaponisation curated by research groups like SOFWERX, The Credibility Coalition and Misinfosec, the speaker would showcase how we have merely started exploring the brain's attack surfaces. The talk also borrows from the speaker's upcoming book on gluing cyber operations with geo-strategy.

Cognitive vulnerabilities are shockingly predictable and replicable, so data-driven behaviour modelling becomes the future of information weaponisation. The entry barriers to such frameworks are marginally lower compared to contemporary cyber offence while the cost-benefits remain massive. It may encourage its increasing adoption by state and non-state actors.

We may need to write a new set of TTPs (Tools, Tactics & Procedures) from scratch. Information operations may soon fall under the umbrella of conventional cyber defence and threat intelligence – the defenders need to up their game.

Enterprise environments have never been more closely monitored, forcing adversaries – real and simulated alike - to focus on novel approaches to evade detection. Blue team capabilities are ever- improving and increasingly focused on expunging adversaries from their networks before they realise their objective, moving attention up the kill-chain.

At MWR, we don’t just simulate adversary techniques, we complete missions, forcing us to adapt and research new techniques where necessary. This talk will explore one of the persistence mechanisms we have developed while breaking into enterprise networks in Singapore and Hong Kong.

Internet Explorer, ubiquitous with its presence in enterprise environments, poses interesting opportunities for adversaries in the form of reliable, quiet, and adaptive persistence mechanism. In this talk, you’ll learn how we use native Internet Explorer functionality within Browser Helper Object, to maintain access to an environment. To realise this, various inbuilt-protection mechanisms were studied and evaded, resulting in our development of new techniques to fully-weaponise this approach.

By the end of the talk, red teamers will learn to leverage the easily-available browser in the corporate environment as a persistence technique. Blue teams benefit too, as they are able to defend against it through understanding the technique’s process and artefacts left behind.

Bio:
Samuel is a Security Consultant at MWR InfoSecurity, with a background in development. Samuel’s ability to understand and decompose technical hurdles, and then rapidly prototype initial implementations of solutions, has made him invaluable to the fast-paced of world of adversarial simulations.

Whether it involves taking over a car’s steering controls or proving that children’s toys are spying on them, hackers love to share their latest IOT hacks. But the media has amplified these stories even more, creating dangerous myths around these technologies. While Mirai-based attacks have been successful, cybercriminals have yet to heavily monetize IOT vulnerabilities outside the business model of extortion and DDOS attacks.
This presentation shares insights about what IoT attacks will look like 2-3 years from now. Through research into online cybercriminal forums, we have determined what level of interest and possible criminal opportunities there may be for IoT-specific attacks. Our research covers current IoT trends in cybercriminal undergrounds forums for Arabic, Japanese, English, Russian, Portuguese, and Spanish languages. Each language forum will have 1 slide to discuss a summary of findings and 1 slide of sample advertisements. A case study of a successful IOT cybercriminal will also be discussed.
Find out which devices cybercriminals are most interested in hacking. Discover what they are thinking in terms of attacking existing IoT infrastructure. Our research has found hacking methods for routers, webcams and printers, but we have also seen tutorials on the inner workings of commercial gas pumps and PLCs (Programmable Logic Controllers) found in factories and other places with industrial machinery to manage these complex devices remotely.
Finally, before IoT attacks become the norm, we will explain the challenges LEA and forensic professionals should be aware of in order to better protect their organizations. Attendees will walk away with suggestions on how to secure their IoT environments. The bad news is that criminals are refining their business plans to include these online devices and, they are finding certain measure of success.

Over the last decade, governments came to the stark realisation that the contemporary enterprise security architecture actually impedes situational awareness. The commercial product siloes thrive on vendor lock-in, eventually proving detrimental from a national security perspective.

We saw wily APTs crisscrossing enterprise boundaries as if they did not exist. We saw them compromising similar attack surfaces across organisations as governments remained collectively blind.

Mudge pointed out this anomaly way back in 2011, when he declared that we are divergent from the threat [1]. In 2015, he confirmed our suspicions by releasing a DoD study which says that average one-third of vulnerabilities in government systems is in the security software [2].

The enterprise security architecture inherits the human cognitive bias towards spatiality. We created artificial spatial constructs like perimeters, endpoints, DMZs and what not – belying the ‘emergent property’ of networks [3].

Gruqg went at lengths to explain that “the perimeter is not the boundary of your network, but the boundary of your telemetry. [4]” The millions of layers of abstractions are interconnected in ways that we cannot even fathom: what he calls the Shadow Internet [5].

Almost every defensive innovation in the last decade is trying to solve just one problem: security interoperability. The transition from AVs to EDR is fixing it at the instrumentation layer and from SIEMs to SOARs at the decision layer.

Yet, the proverbial defensive blind spots can only be bridged with shared taxonomies and ontologies. It is for this reason that we saw the emergence of machine-to-machine standards like YARA, OpenIoC, MISP, STIX-TAXII, OpenC2, ATT&CK, and CAR. And the standardisation process – much to the chagrin of vendors – is irreversible.

At the very top of CTI’s pyramid of pain lies the geopolitical ontology of the threat actor [6]. JA Guerro-Saade, too, recently hinted at Chronicle/Google’s efforts to derive similar capabilities [7].

This presentation would study the evolution and future of such shared ontologies. We would deconstruct it from the ambit of cross-organisational security response, by briefly understanding how the national ‘cyber shields’ of the US, the UK, Germany, France, Israel, Japan, and South Korea actually operate.

https://youtu.be/uK5MUg9gEmA?t=621
https://twitter.com/dotmudge/status/642758829697056768?lang=en
http://geer.tinho.net/geer.rsa.28ii14.txt
https://www.blackhat.com/docs/webcast/12142017-the-triple-a-threat.pdf
https://medium.com/@thegrugq/internet-of-wilderness-of-mirrors-9eaa24bd99d8
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
https://twitter.com/RungRage/status/1115484761001222144

With the advent of all new technologies, there will always be malicious actors creating a new attack surface. According to Kromtech Docker has been consistently failing to be able to keep up with security. The talk will cover three major breaches and vulnerabilities in docker.

One is the crypto-jacking that happened on cloud container docker123321 which lead to almost 5 million pulls which means 5 million+ affected end users. The focus of this attack is not only the vulnerabilities of docker registries but also the importance of source verification.

The second is a more plain-in-sight attack and is based on a research article performed on the Play with Docker site. This allows a user to get access to the host from within the container. A PoC can be performed as well if time permits.

The final section will talk about the doomsday docker container vulnerability which triggered a patch in almost 2 days from docker. This will talk about how similar to the play with docker scenario where we modified kernel files , the runc binary can be modified and forced to run arbitrary code on the host. (CVE-2019-5736)

The student will take away some key concepts in docker security and using the existing use cases they will understand possible problems in docker and how we can solve them out with secure hardening principles.The talk will also cover some important hardening principles including but not limited to hardening of daemons, container privilege, network isolation, image trust etc which we will see exploited as part of the two use cases we will talk about.

In the past years, the most impressive logical trick to bypass UAC (User Account Control) protection is "Elevated COM Object" method leaked from CIA. It abused the privilege of explorer with arbitrarily writing files, and caused *.dll side-loading. However, Microsoft strips off the privilege after Windows 10. It seems that DLL side-loading cannot be used to bypass UAC protection anymore. Is that true? No, there is another way!

In this session, we are going to talk about UAC design concepts and Windows implementation logic flaws. The UAC concepts are (1) Windows redistributes privileges in Windows Process, (2) Directory permission is the last Maginot Line against DLL side-loading. Besides, two logic flaws in Windows are also mentioned, i.e., (3) the path resolution asymmetry problem between handling symbolic link in Kernel layer and Win32 API design in User layer, and (4) the implementation problem inside Windows application loader verifing third-party modules only instead of all system modules.

Through the above flaws, we can use (3) to bypass the protection of directory permissions, and create a tricky attack vector in (4) to accomplish DLL side-loading on most present applications. This Duplicate Paths Attack allows us to make injection on Windows system service, and get UAC elevation.

At the end of this session, a PoC of automated analysis tool will be displayed. This tool can help red-team to can use Duplicate Paths Attack to scan all identities can be forged in Windows, neither destroying any service signature nor changing the program path. Then, hackers can arbitrarily forge their identities into any application, and even achieve universal injections in system services.

GSM-devices become more popular. Users can setup them fast, use without landline internet and Wi-Fi, control them remotely. But now they are an interesting target for hackers. Usually, GSM-devices have a menu for calls (IVR menu with DTMF commands). This talk will cover the question of mass attacks on those devices. There are some main questions:

1) Which devices are in danger?
2) How hackers can attack them?
3) What about mass attacks and botnets?
4) What hacker can do after successful hack?
5) How you can protect yourself?

1) There are several popular types of GSM-devices:

* GSM-alarms
* Smart homes control systems
* Industrial GSM-control systems
* Access control systems and locks
* Some communication systems
* Smartwatches for kids

Exists different models for every type of devices. I will tell about several models, which are more secure, which are insecure.

2) I will make a short introduction in attacks on GSM-devices:

The main idea of attacks is easy: make a call to a device, bypass an authorization, perform actions.
Main questions of this chapter:
* When it is necessary to spoof Caller ID? When an attacker can make a call with a random number?
* How to bypass authorization? Security of Caller ID check.
* Brute-force attacks: typical rules for passwords (several popular GSM-alarms allow to use 4-digit password only). An attacker can silently find it less than 24 hours.

Those methods (spoofing Caller ID and brute-force) allows to hack most of GSM-alarms and some other GSM-devices fast.

3) The hacking of one device is easy. So, is it possible to perform a mass attack and create a botnet? This question will be covered in this chapter.

There are two main steps for mass attack:
* Find devices.
* Hack found devices.

I will tell, how attackers can find devices: from scanning all phone numbers to a more effective combination of OSINT methods, data leakages and small vulnerabilities at mobile operators systems.

For example, an attacker can scan all live mobile numbers in Russia (my country) and spend less than 10 000 USD.

After successful scanning attacker can hack most devices with methods from the previous chapter.

I will show estimated time for attacks, estimated costs and an estimated amount of victims. Those results show, that it is faster and less expensive than it can be expected. So, this problem of security of GSM-devices should be considered.

Also, I will show a more fast method of mass hacking of GSM-devices. It based on data leakages of contact lists from people. The main idea is to check data leakages (for example, applications like GetContact) and try to find contacts with titles, related with devices (like "home", "door", "car", "village", "alarm", "pump"). This method allows to find devices fast, but the results are not so full.

4) After a successful mass hack, an attacker will control thousands of GSM-devices. I will tell in this chapter, what he can do.

There are some different effective and dangerous methods of exploitation:
* Firstly, an attacker can control thousands GSM-alarms. He can do anything: switch on and switch off an alarm, listen to rooms, switch on ad switch off connected devices. This can be used to collect confidential data (such as conversations in an apartment or office). Also, an attacker can use it for effective burglary (he can listen to rooms to find a moment, when everybody leaves home, disable the alarm and do anything). Also, he can sell this information to other burglars.
* He can hack some smart home system and perform all available actions.
* An attacker can attack some industrial GSM-controllers, It allows to destroy business process in some cases or can cause an emergency.
* An attacker can use it to scare people. What about an alert of alarm every night?
* Some devices are locks. An attacker can remotely open or close doors.
* An attacker can use a botnet of GSM-devices to perform DDOS attacks with SMS or calls.
* Finally, some devices allow to perform USSD or SMS commands. An attacker can use it to gain access to an account at mobile operator site, steal money.

5) In the last chapter, I will tell, how you can protect yourself or your company when you use GSM-systems. Also, I will tell, what you should consider, if you want to create your own device.

Short brief: those attacks methods allows to gain full access to thousands GSM-devices, use it to get private data, hack user's accounts, use as botnet, and perform dangerous actions in a real world.

Abstract:

For years, we at Countercept have seen adversaries across the threat pyramid make use of PowerShell tool-kits for lateral movement, data exfiltration and persistence over different environments. As defenders, we have done a pretty good job – PowerShell is a fading threat in time. Mimikatz execution through PowerShell? AMSI and PowerShell logging can handle that relatively well.

However, adversaries being adversaries don’t just give up. They have migrated tool-kits to areas where visibility is still limited – such as .NET. Favoured by adversaries due to its wide range of functionalities, ease of development, and default presence on modern Windows platforms, we have seen a significant increase in exploitation toolkits leveraging .NET to perform usual activities - but in an area where they are relatively hidden.

First, we’ll take a look at these tools - what they do, and how they work. Techniques such as DCOM object abuse run-time code compilation and in-memory assembly loading (performed by the DotNetToJscript project) would be examine in detail. These techniques are used by exploitation tool-kits such as GhostPack, SharpShooter, and SilentTrinity, and thus are very relevant to defenders. We’ll then focus on detection. We’ll examine the indicators such toolkits and techniques leave behind, and how we can detect them utilising various sources of telemetry, collected via open-source tooling, such as process logging, DLLs imports and ETW tracing of JIT compilation or Interop events.

At the end of the day, attendees will walk away with an understanding of the inner workings of various .NET techniques as well as how they can be used to compromise a windows machine stealthily. Additionally, attendees will learn how a defender can leverage on open source tooling to detect and hunt for .NET attacks.

Speaker’s Bio
Aden performs hand to hand detection and response combat, with real world adversaries as part of his life as a Threat Hunter at Countercept. Armed with a rainbow colored keyboard, ensuring no activity is left undetected is Aden’s focus, regardless of toolkit, geographical origin, or sophistication.

In the modern world exist different types of IoT devices. Some are used in local networks, some are available on the public Internet, but there is a special type of devices - GSM devices. I will mostly tell about GSM-only devices, which are not available via the Internet (eg GSM-alarms, smart home GSM-controllers, industrial GSM-controllers, access control systems, smartwatches for kids, etc).

In this talk I will cover different questions:

1) Which GSM-devices exist now? How many devices exist? Which type of devices we can expect in the future?

2) How OSINT techniques can help for hackers (and for researchers too) fo find thousands of hidden devices?

3) What hackers can do after finding devices? And how and why it can become a nightmare?

GSM methods of communications (I mean SMS-commands, calls and mobile internet) allows to connect, send commands and get information from different devices, which are not connected to the landline internet. For example, anybody can buy GMS-alarm system, install it in his home in the village (or in a car) and get SMS or calls about an emergency.

There are a lot of different types of GSM-devices:

* GSM-alarm systems
* Smart homes GSM-controllers
* Industrial GSM-controllers
* Access control GSM-systems
* Locks (some electronic locks can be controlled with SMS or calls)
* Some communication systems
* Smartwatches for kids (yes, it is GSM-device too, because it is a small device, which can be controlled with SMS or calls)

Hackers or other criminals are interested in attacks on these devices (there are different reasons, I will show them below). There are two main steps of a successful attack:

1) Find the target device (and some additional information about the owner)
2) Hack it and use for something

Now the second step is easy (because most GSM-devices are insecure and can be easily hacked), but the first step is hard:

* Devices use GSM for communication, so an attacker should know the phone number of the device to do something.
* Exist billions of phone numbers (mostly they are not related with GSM-devices), I think, that not more the 1% of phone numbers are used for GSM-devices.
* It is hard to "scan" all phone numbers for some reasons: it is slow, it is expensive, it is not effective.

During this talk I will share some ideas, how hackers can use OSINT techniques to find GSM-devices:

* How to create a big set of numbers for research.

* Some mobile operators allow to select "pretty" mobile number at the site (for example, a user can select new number with a favorite combination of digits). It allows to select numbers which will be bought and track it.

* Sometimes it is possible to check at mobile operator site if this number used now, if it is business or individuals number (it based on authorization problems).

* How to use search engines, different catalogs of companies, social networks to find numbers, that are in use of companies or individual persons. That numbers will not be used in GSM-devices.

* Searching at sites with a rating of phone numbers: spam numbers, numbers for companies will not be used in GSM-devices.

* Searching in applications like TrueCaller, GetContact to find numbers of individuals or companies and remove this numbers from the set.

* Special trick: searching name and number of a contact in leaked contact lists. If the name is "Alarm", "Home", "Car", "Controller" etc, it can be GSM-device. This method allows you to find some devices very fast. Also, applications like GetContact can be used too.

* Different methods of searching in social networks or messengers. If exist some accounts with this number, it can means, that this is an active personal number, not a number of the GSM-device. You can delete it from the set.

Set with phone numbers becomes very short after all previous steps. Now it contains "unknown" phone numbers (numbers which are not related with any publicly available information from the internet or from any data leakage). Now hacker can check every number and try to understand, does this phone number used in GSM-device? Or is the owner of this number an uncommunicative person?

There are two main methods:

* Call to this number. If you will get an answer with a human voice, it is not a GSM-device. If the subscriber is not available, it is not a GSM-device.

* Make a spoofed call to the support with this phone number in Caller ID and try to get information. I will tell about some methods.

Then it is necessary to create a list of patterns (based on reaction to call) of different GSM devices. It allows to select a type of device, model. Then criminals can hack devices, I will tell some information about it.

How criminals can hack devices: in this short chapter, I will tell about effective attacks on GSM-devices (mostly, they based on attacks with calls with spoofed Caller ID).

What criminals can do after successful finding devices:

* Hacking devices to use in "botnet": SMS and DDOS-attacks with calls, making calls to paid numbers, sending SMS.

* Collecting information (eg listen to rooms, get the location of kids, get other types of information)

* Target attacks: eg find GSM-alarm, switch off it, steal something. Or just make a call and open a lock.

* Attacks on industrial systems: it can destroy everything.

* Hack smart homes.

* Massive attacks: perform random actions to make panic.

* Disable control of the device for an owner, it can be terrible, if the device is far from the user.

In final I will tell, what users (individual users or companies) can do to prevent these attacks.

Short results:

Combination of OSINT and simple attacks allows for criminals to find thousands of hidden GSM-devices. Then they can easily hack them. This allows to bypass the main problem of attacks on GSM-devices: it is hard to find phone numbers of a device.

This talk is about car passionate tuning their jewel over years since adoption of electronic in cars. It will present some car tuner popular tools and methodology to get more
horsepower only with ECU reprogramation. This subject will briefly present OBD programmation hardware and software tools using standard CAN/Kline buses.

The choosen car is an Honda civic from 1987, a year where OBD port was not widly used. Goal is to bring this toy, which has not OBD or programmation port, into modern world.
As we want more horsepower, the car will be tuned to run E85(ethanol) which provide more higher octane rating.

The ECU used on this car is one of the first to provide electronic injection coming from honda F1 development team and still used today in cars and bikes : the PGM-FI.
But in this car version, it is Read-Only and not programmable, no luck to run E85 with this guy.

The solution is to Swap ECU, using a programmable version. We will present here, ECU chipping, engine mapping, and basic ethanol engine theory to wrap things together.

Talk walkthrough :

- Introduction to car tuning.
- Presentation of ECUTek, Open Flash Tablet, OBD port, race-datalogging
- Presentation of softwares (ROMRaider, ECUtek, CANclip, ...)
- Getting power E85

Getting into Honda World :

- Presentation of PGM-FI
- ECU chipping (Raw ROM hex-editing and ROM editors)
- ECU swap (soldering/desoldering the right one and add logging if applicable)
- Running E85 !

More modern world :

- ECUtek closed world
- Introduction to Roborace and Tesla
- More power with OTA update !

The majority of threat actors build their custom malware to keep themselves under the radar for a considerable period of time, allowing them to operate unrestricted in the victim's environment. To achieve stealthy communication, multiple stage attack will also be developed and included. The tactics, techniques and procedures (TTPs) which they used became more and more complicate.

In this session we are going to discuss what attackers will do before setup final backdoor in victim’s host, along with various case studies and incidents we have investigated. As an example, we will analyze the details of anti-research and anti-security products techniques such as anti-reversing, anti-sandbox, white-listing for target IPs on C2 server, steganography techniques, encrypted C2 configuration. Moreover, we will talk about recent attack trends. For instance, process hollowing and application whitelist bypasses, shellcode, encrypted payloads, macro use of PowerShell, macro use of VB script, in memory execution.

Following this, we will break apart each TTPs and category them with their purpose. We will explain some of the purpose found in their attack scenario, and why attacker tries to compose them. On the other hand, this talk will more focus on reconnaissance behavior instead of what attacker’s backdoor can achieve. In addition, demonstration of several attacker groups’ (ex: BLACKGEAR, REDBALDNIGHT(TICK), TROPIC TROOPER(KEYBOY), DARKHOTEL, etc.) new tools, builders and controllers that are not yet public.

We will share our experience of the cutting-edge target attack, and improve the skills and tools that the threat actors adopt. In the end, attendees will leave with a suitable defense strategy.

The following topics will be covered:
 Overview of recently well-known threat attack how they deploy backdoor
 Anatomy of each attack chain and separate into different stages
 Analysis different download mechanism and how they bypass network AV product
 Macro use of windows command, PowerShell and VB script
 Load other encrypted file/data which store malicious content
 Creative ways of anti-research and anti-security products
 Demonstrate the attack to the audience by video
 Present some defense proposals

Public warning system (PWS) based on mobile communication system is used to alert the public to emergency events such as earthquakes, tsunamis, hurricanes, etc. We carefully study the PWS in LTE network and uncover the vulnerability of PWS in LTE air interface, i.e., the warning messages of the PWS are not encrypted or signed when they are transmitted over the air. Thus, it is possible that malicious PWS warning messages can be transmitted.

We simply use a low cost soft define radio (SDR) device and modify not much code of the LTE open source project srsLTE in order to forge the warning messages. Both Apple and Android test mobile phones are affected by our forged warning messages.

Fake PWS warning messages will cause serious panics among the population, they also could be used to send advertising or spam messages. The public warning system may become paralyzed and useless under the threat of the abuse of fake warning messages.

The full demo video can be viewed from https://youtu.be/B1RVA01g3Bg

Timing attacks are a known technique of gaining access to the part of private information. The main idea is easy: an attacker creates a page with a script, that should measure the time for downloading 2 (or more) pages. Usually, the first page is a control page (usually with predicted content), second - is a target. Then hacker can compare downloading time: if the downloading time for target page is more then time for control page (usually used multiple measures), there are some content at target page, that is available for a user.

For example, if the attacker knows, that company uses an internal system for documents, he can try to find the structure of the system without direct access. He should create a page with special code, then he can check, that https://company.internal/VerySecretFile.doc exist and https://company.internal/test.pdf does not exist. An attacker will not able to gain access to file, but he can check, if they exist or not (sometimes it can be useful).

Also, you can find some good examples of timing attack here: https://tom.vg/2016/08/browser-based-timing-attacks/

Exist some other types of timing attacks, they will be considered too.

At this talk, I offer to discuss using timing attacks as a fingerprinting method, effective clusterization method and veapon against security. Users and developers should consider this because hackers and other criminals can use it.

Main points for presentations and why it is important:

* An attacker can easily detect good victims for other attacks. For example, user, who visits Gmail, bank services, internal company services, and social networks, is a more interesting victim, than a person, who just reads news sites.

* An criminal can use different methods to find an identity of an actual person. I will tell about different methods:
* * Intersection sets: an attacker can select some users, use different sets (does this user use the special site or no), intersect all set and find one person, who is in all sets.
* * Files in direct messages: an attacker can send different files (eg images) to thousands of users (it looks like it is necessary to use different accounts for is), then he can explicitly find an actual user by checking all URL of files. It can be used to find an account in the social network of the visitor of the website, also it allows to combine profile from the social network and other visited sites.
* * Social actions, like "share" or "like". An attacker can motivate a victim to like a post in a social network (for example, to get discount), it allows to find an identity and to combine with other data.
* * Some others methods

* An attacker can find other contacts and interests of the employee. For example, criminal can find internal services of the company, then he can find popular sites, the employee visits that. Then he can use it for a more effective attack.

* An attacker can use those methods to find peoples from hidden and unprotected communities. For example, if an attacker can find somebody from religion community or LGBT community in special countries (the methods, that can be used to find an identity of this person will be discussed below), he can use it make threats and blackmail.

* In some cases, an attacker can check, if this user with the account at site 1 have the account at site 2. It allows for criminals to break the privacy of users. I will offer some practical examples.

* In some cases an attacker can find the account in a social network for every visitor of the site. It can be used for dark marketing, crimes, and blackmail

I will discuss threats, ideas for protection and basic methods of self-protection.

Bypass cloud host security detection - how to safely reverse shell
1. Introduction&History
Current cloud host security product research and classification
More and more users or businesses will place their servers in the cloud service provider's host. Common cloud service providers include Google, AWS, Vultr, Digital Ocean, and Alibaba Cloud, which all provide security products that can be used for assets, vulnerability management, and other security features.

2. How do cloud hosts implement security detection?
Cloud hosts usually have intrusion detection capabilities, so how do they implement them? I discovered that several products were mainly implemented in several ways.
A. bash syslog history
B. proc file system detection
C. bash open event
D. Netlink Socket notification
E. Kernel code modification, hook command execution function.
I will explain how these technologies are implemented one by one.

3. How to bypass the security detection?
I will show you how to perform security detection bypassing with the demo. Bypassing the process extends, binary execution, php infrastructure execution ways, etc.I will show you how to perform security detection bypassing with the demo.
A. Bypassing the process extends,
B. Binary execution,
C. php infrastructure execution ways, etc.
Typically, most host security detection software will detect the progress of a process or connection in a user control. At the same time, some detection software in the kernel space to modify some of the execution flow functions in the kernel, and then notify the user space to achieve the monitoring effect. Let me give you an example of how most of the current situations can be bypassed. It is to use a binary program to bypass, the binary program is connected to the remote hacker machine after uploading and executing, bash is inherited under the binary program, although it can be viewed through the connection, but according to the results of my test, There is no security software to report this alarm. Of course, I have written such a binary program that can be provided to my audience. Other bypass methods can be shared with everyone at the conference.

4. Conclusion
A. What methods should we use to bypass during the actual penetration test?
B. Recommended tool for pentest.
C. Suggestions for continuing research.

"Ring ring, who is there? I am controlling your VoIP phone!" - Have you ever thought about the security of the phone on your desk, or how hard it would be for an attacker to hijack it? Spoiler: It's trivial. A quick internet scan reveald hundreds of vulnerable devices which can easily be compromised and might as well be vulnerable forever due to user unawareness and bad update mechanisms. Desktop phones are a very promising target for attackers. Besides being able to eavesdrop on all of your phone calls, malicious actors can also use the phones as stepping stones into your home or enterprise network.

In this talk, we will present our results of pentesting dozens of VoIP phones from 21 different manufacturers.
Our analysis focuses on the configuration and management interfaces of those devices, which are usually implemented as web applications running on the phones. The vulnerabilities we discovered can be separated into two categories: firstly, vulnerabilities in the web applications itself, and secondly, vulnerabilities in the web server hosting the web applications.
We found a lot of classical web based vulnerabilities like XSS, CRSF and also session hijacking. Further, missing input sanitization issues that allowed us to compromise half of the devices. As we show, without proper input validation, attackers can inject and execute system commands. They can finally gain a root shell, giving the attacker full control over the device. She can eavesdrop on the whole communication (SIP, RDP) even if it is encrypted. Further, she can use the compromised phone as a pivot point for further attacks into the enterprise network.

With an extracted firmware, device emulation, live debugging and fuzzing, we discovered that some web server implementations are vulnerable to memory corruptions which can be abused for Denial of Service attacks and remote code execution in order to establish a root shell as well.
We will share our strategies of how to find these kind of vulnerabilities and present methods for avoiding been vulnerable in the first place.

As everyone knows Adobe will stop updating and distributing the Flash Player at the end of 2020.But in recent years, more hacker attack(APT) for Adobe Flash Player have taken in the wild.This may be the last feast of hackers about Adobe Flash Player.

In the past few years, Adobe Flash manufacturers have higher security requirements,Various of mitigation were added. But as long as there are suitable vulnerabilities, hackers can still bypass these mitigations.So proper vulnerabilities and bypassing techniques are important.

In this talk I will carefully explain a few of the representative vulnerabilities that I have discovered first.And analyzes the root cause of this vulnerabilities, and how the patches are patched.

And then I will talk about the major mitigations that Flash have added in recent years, including memory protect, isolators of heaps, CFG and more.
So in order to bypass these mitigation the exploitation becomes more and more complicated, And I will share a method of memory layout that is still feasible to bypass the isolators of heaps.Because this will be a crucial step in the entire exploitation chain.

While auditing a system administration tool, I spotted what appeared to be a clear vulnerability when skimming some code. What I believed was a command injection flaw failed to execute when tested against a lab system, but it did exhibit behaviour that was somewhat consistent with injection flaws.

This talk describes the pursuit of this bug, from initial discovery, incorrect analysis and how chasing this deeper lead to a number of generic attacks against the common graphing tool (RRDTool), which is in wide use. I then used these attacks to achieve remote code execution where the command injection had failed. The next step was naturally to leverage these attacks against other solutions and collect a number of CVEs.

Outline:
- Introduction
- Background
- "The flaw"
* Source code
* Misdiagnosis
* Testing
* Root cause analysis
* Re-diagnosis
- Searching for a new vector
- RRDTool introductions
- RRDTool operations
- Generic RRDTool attacks
* SSRF
* DoS
* Information disclosure
* File read
* File write1
* File write2
- Validating attacks
- Bringing it all together
* Chaining with other bugs
* RCE demo
- Further work
* Patch assessment
* Adoption for post patch exploitation
- Future work
- Conclusion
- Q&A

Please check the materials,updating
https://paper.dropbox.com/doc/Hackers-New-Bank-EOS--AeIuOlptk6GrH7ddtdKfT_pbAQ-FnK8oaTI4V0y9Uo4N6F3x

EOS is a blockchain network and platform for decentralized applications built on Ethereum. It performs many of the same functions, but with much greater capacity — up to millions of transactions per second. EOS stands for Ethereum Operating System – unofficially. The EOS cryptocurrency token sale raised $4 billion over a year-long ICO.
Ethereum was the first blockchain to support development of decentralized applications. It sounds great in theory, but it was plagued by scalability issues once released into the wild. EOSIO is colloquially known as the “Ethereum Operating System,” because it adds a layer on top of Ethereum to make this dream of a dApp community a reality.
From 2018 to 2019 , Several Attacks cause EOS loss 900K EOS token. Hackers aimed Smart contract and EOS vulnerabilities,become rich men in Blockchain world.

- Fake EOS Attack
- Ramble Table Attack
- CVE-2018–20163 inlineReflex loophole
- Predictable Random number
- CVE-2019-6199 Transaction Congestion Attack

Please check the materials
https://paper.dropbox.com/doc/Hackers-New-Bank-EOS--AeIuOlptk6GrH7ddtdKfT_pbAQ-FnK8oaTI4V0y9Uo4N6F3x