The 14th edition (!) of hack.lu
is ongoing in Luxembourg. I arrived yesterday to attend the MISP summit
which was a success. It’s great to see that more and more people are using this information sharing platform to fight bad guys! Today, the conference officially started with the regular talk. I spent my day in the main room to follow most of the scheduled talks. Here is my quick recap…
There was no official keynote speaker this year, the first ones to come on stage where
Ankit Gangwal and Eireann Leverett with a talk about ransomware: “”Come to the dark side! We have radical insurance groups & ransomware”. But it was a different one with an interesting approach. Yesterday Eireann already presented the results of his research based on MISP: “Logistical Budget: Can we quantitatively compare APTs with MISP”. It was on the same topic today: How to quantify the impact of ransomware attacks. Cyber insurance likes quantifiable risks. How to put some numbers (read: the amount of money) on this threat? They reviewed the ransomware life cycle as well as some popular malware families and estimated the financial impact when a company gets infected. It was an interesting approach. Also the analysis of cryptocurrency used to pay the ransom (how often, when – weekend vs week ays). Note that also developed a set of script to help to extract IOCs from ransomware sample (the code is available here).
Back to the technical side with the next talk presented by Matthieu Tarral
. He presented his solution to debug malware in a virtualized environment. What are the problems related to classic debuggers? They are noisy, they alter the environment, they can affect what the analyst sees or the system view can be incomplete. For Matthieu, a better approach is to put the debugger at level -1 to be stealthier and be able to perform a full analysis of the malware. Another benefit is that the guest is unmodified (no extra process, no serial connection, … Debuggers working at hypervisor level are not new, he mentioned HyperDBG (from 2010!), virtdgb and PulseDBG. For the second part, Matthieu presented his own project based on LibVMI
which is a VMI abstraction layer library independent of any hypervisor. At the moment, Xen is fully supported and KVM is coming. He showed a nice demo (video) about a malware analysis. Very nice project!
The next slide was again less technical but quite interesting. It was presented by Fabien Mathey and was focussing on problems related to performing risks assessment in a company (time constraints, budgets, motivated people and lack of proper tool). The second part was a presented of MONARC
, a tool developed in Luxembourg and dedicated to performing risks assessment through a nice web interface.
And the series of non-technical talks continued with the one of Elle Armageddon about threat intelligence. The first part of the talk was a comparison between medical and infosec environment. If you check them carefully, you’ll quickly spot many common ideas like:
Take preventive measures
Listen to users
Get details before recommending strategies and tools
Be good stewards of user data
Threat users with respect and dignity
The second part was too long and less interesting (IMHO) and focused on the different types of threats like stalkers, state repression, etc. What they have in common, what are the differences, etc. I really like the comparison of medical/infosec environments!
After the lunch break (we get always good food at hack.lu!), Dan Demeter
came on stage to talk about YARA and particularly the tools he developed: “Let me Yara that for you!
“. YARA is a well-known tool for security researchers. It helps to spot malicious files but it may also become quickly very difficult to manage all the rules that you collected here and there or that you developed by yourself. Klara is the tool developed by Dan which helps to automate this. It can be described as a distributed YARA scanner. It offers a web interface, users groups, email notifications and more useful options. The idea is to be able to manager rules but also to (re)apply them to a set of samples in a quick way (for retro-search purposes). About performances, Klara
is able to scan 10TB in 30 mins!
I skipped the next talk – “The (not so profitable) path towards automated heap exploitation
“. It looked to be a technical one. The next slop was assigned to Emmanual Nicaise
who presented a talk about “Neuro Hacking
” or “The science behind social engineering and an effective security culture
“. Everybody knows what is social engineering and the goal to convince the victim to perform actions or to disclose sensitive information. But to achieve an efficient social engineering, it is mandatory to understand how the human brain is working and Emmanuel has a deep knowledge about this topic. Our brain is very complex and it can be compared to a computer with inputs/outputs, a bus, a firewall etc. Compared to computers, humans do not perform multi-tasking but time-sharing. He explained what are neurotransmitters and how they can be excitatory (ex: glutamate) or inhibitory (GABA). Hormones were also covered. Our brains have two main functions:
- To make sense
- To make pattern analysis
Emmanual demonstrated with several examples of how our brain put a picture in a category or another one just based on the context. Some people might look good or bad depending on the way the brain see the pictures. The way we process information is also important (fast vs slow mode). For the social engineer, it’s best to keep the brain in fast mode to make it easier to manipulate or predict. As a conclusion, to perform efficient social engineering:
- Define a frame / context
- Be consistent, respect the pattern
- Pick a motivation
- Use emotion accordingly
- Redefine the norm
The next talk was about Turla
or Snake: “The Snake keeps reinventing itself
” by Jean-Ian Boutin and Matthieu Faou. This is a group very active for a long time that targeted governments and diplomats. It has a large toolset targetting all major platforms. What is the infection vector? Mosquito
was a backdoor distributed via a fake Flash installer via the URL admdownload[.]adobe[.]com. It was pointing to an IP in the Akamai CDN used by Adobe. How did it work? Mitm? BGP hijack? Based on the location of the infected computers, it was via a compromised ISP. Once installed, Mosquito used many tools to perform lateral movement:
- Sniffing network for port 21, 22, 110, 143, 22, 80, 389)
- Cliproxy (a reverse shell)
- Quarks PwDump
- NirSoft tools
- ComRat (a keylogger and recent file scrapper)
A particular attention was discovered to cover all the tracks (deletion of all files, logs, etc). Then, the speakers presented the Outlook backdoor used to interact with the compromised computer (via the MAPI protocol). All received emails were exfiltrated to a remote address and commands received via attached PDF files in emails. They finished the presentation with a nice demo of a compromised Outlook which popped up a calc.exe via a malicious email received.
The next presentation was (for me) the best one of this first day. Not only because the content was technically great but the way it was presented by funny. The title was “What the fax?
” by Eyal Itkin
, Yaniv Balmas
. Their research started last year at the hotel bar with a joke. Is it possible to compromise a company just be sending a fax? Challenge accepted! Fax machines are old devices (1966) and the ITU standard was defined in 1980 but, still today, many companies accept faxes as a communication channel. Today, fax machines disappeared and are replaced by MFPs (“Multi-Functions Printers”). And such devices are usually connected to the corporate network. They focused their research on an HP printer due to the popularity of the brand. They explained how to grad the firmware, how to discovered the compression protocol used. Step by step, the explained how they discovered vulnerabilities (CVE-2018-5925 & CVE-2018-5925). Guess what? They made a demo: a printer received a fax and, using EternalBlue, they compromised a computer connected on the same LAN. Awesome to see how an old technology can still be (ab)used today!
I skipped the last two talks: One about the SS7 set of protocols and how it can be abused to collect information about mobile users or intercept SMS message. The last one was about DDoS attacks based on IoT devices.
There is already a Youtube channel
with all the presentations (added as soon as possible) and slides will be uploaded on the archive
website. That’s all for today folks, stay tuned for another wrap-up tomorrow!