[Edit: Sorry for the “bullet-point” style, there were a lot of details to compile in this blog post]
We were back at the Alvisse Parc Hotel after a break of four years! In 2022, only a light CTI summit was organized (see my wrap-up), but this year, hack.lu was back with a new format: two days dedicated to CTI and two days of regular security talks. Each speaker got a 30-minute slot, which means more presentations but also a strong flow of information to collect. Here is a quick wrap-up of the four days.
The very first speaker was Ange Albertini with “SBud: Infovis in infosec”. As infosec professionals, we have to prepare slides and reports, and we often have to display highly technical information in a way that readers can understand. Ange presented his tool “SBud”, which helps display technical information (like hex dumps) in a clean layout with arrows, colors, etc. The tool is available online, but you can also clone it and run a local instance.
Then, Emmanuel Seemann presented “Detecting VPNs/proxies by analyzing their attack patterns over time”. CrowdStrike is known for providing a block list of malicious IP addresses (approximately 60K entries). They noticed that more and more IP addresses are only used for the anonymization of attackers (via Tor exit nodes or proxies). Emmanuel explained how they improved the detection of such usage with a machine-learning model.
Philippe Ombredanne asked: “SBoMs: are they a threat or a menace?”. SBOM means “Software Bill of Materials”. All software relies on pieces of existing code (why reinvent the wheel?), and FOSS is no exception. Philippe explained how SBOMs can be used for good but also for bad purposes.
After the lunch break, we had a first batch of interesting lightning talks. Personally, I liked the presentation of MMDB-Server. It's an open-source, fast API server to look up IP addresses and get their geographic details, AS name, etc. Another one was about PyOTI, a Python framework to query multiple APIs for information about IOCs. Think of it as a Python version of Cortex.
David Rufenacht gave a presentation about “CTI is dead, long live CTI!”. The idea of the presentation was to extend classic CTI operations (reading reports, digesting IOCs & TTPs) by collecting and analyzing more of the data already present in the organization.
JJ Josing continued with “FOSStering an ISAC: Enabling a Community with Open-Source Tools” and explained how FOSS can be beneficial to build powerful CTI platforms. He explained how they use MISP as a central sharing point for Retail & Hospitality ISAC members.
Quentin Jérôme presented his new project, Kunai. The idea is to write a Sysmon-like tool for Linux to increase the visibility of operations performed by processes. Sysmon for Linux has existed for a while but seems to be a dead project on GitHub. Quentin explained why he doesn't like Sysmon (I agree with him on some points, like the fact that Linux and Windows are two different OSes, so mapping Linux activity onto the same event IDs is questionable). He explained how it started and what he had to learn to develop the kernel and user-land code. The tool is still under development but looks promising.
Then, Ondra Rojcik presented “Why does the CTI industry struggle with communicating uncertainties?”. In the context of CTI, WEP does not mean “Wired Equivalent Privacy” but “Words of Estimative Probability”. They are tied to confidence levels and help convey uncertainty. Indeed, it's sometimes difficult to understand what's behind “could”, “would” or “can”, or to differentiate terms such as “likely” and “highly likely”.
Victor Barrault presented “Ensuring IoC quality at CERT-FR”. The idea of the talk was to explain how to handle the daily flood of IOCs we receive and have to digest: how to spot the most interesting ones, reduce the noise, false positives, etc. They use a set of tools to perform this task, built on an internal library that is itself based on PyMISP. It provides a set of functions, superseding PyMISP's, to create, update and delete attributes and tags in MISP.
Cocomelonc presented “Malware AV Evasion – Cryptography & Malware” to wrap up the first day. Crypto is used everywhere in today's malware landscape and for multiple reasons: function call obfuscation, Windows API function call hashing, string obfuscation and encryption, payload encryption, syscalls, … Several crypto algorithms were reviewed with practical examples of how the VirusTotal score of a sample can be reduced thanks to them.
The second day dedicated to CTI started with a presentation of Cratos – “Use your bloody indicators” by Dennis Rand. The tool has been designed to solve problems that some of you might have in a complex infrastructure with multiple MISP instances (for example). Cratos acts as a proxy between MISP instances and third-party tools. It adds a security control layer so people don't need access to the full instance. It uses the FastAPI framework to expose a REST API and has Memcached in the backend to speed up operations.
The next presentation focused on IPFS: “IPFS Unveiled – Exploring Data Collection, Analysis and security”. IPFS means “InterPlanetary File System”; it is a peer-to-peer network storing files across multiple locations. It is used for good purposes but, today, many attackers use it to host phishing components or payloads (malware). The speakers explained in detail how IPFS works and how they started to monitor it to get access to interesting content.
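Since API hashing came up several times in that talk, here is a small added example (mine, not the speaker's code) of the classic ROR13 variant: the loader only embeds a 32-bit constant and walks the export names at runtime, hashing each one until it matches, so the API name never appears as a string. The same table, precomputed by the defender, maps constants found in a sample back to names. SAMPLE_EXPORTS is a constructed export list, not a real DLL export table.

```python
"""ROR13 API hashing: how a loader resolves Windows APIs without plain-text
import names, and how a defender maps the constants back. Added example,
not the speaker's code. SAMPLE_EXPORTS is a constructed export list, not a
real DLL export table."""

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` positions."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name: str) -> int:
    """Classic ROR13 hash: rotate the accumulator right by 13, add the next byte."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


# Constructed sample of export names (kernel32-style); stands in for the
# export name table a loader would walk in memory.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "ExitProcess", "WriteProcessMemory",
]


def resolve_by_hash(wanted: int, exports):
    """Loader side: walk the export names, hash each one, stop on a match.
    Only the 32-bit constant has to live in the binary, never the API name."""
    for name in exports:
        if ror13_hash(name) == wanted:
            return name
    return None


def recover_api_names(constants, candidate_names) -> dict:
    """Defender side: precompute hashes of known API names and map the
    constants pulled out of a sample (e.g. from a disassembly) back to names."""
    table = {ror13_hash(n): n for n in candidate_names}
    return {c: table[c] for c in constants if c in table}


if __name__ == "__main__":
    h = ror13_hash("VirtualAlloc")
    print(f"VirtualAlloc -> 0x{h:08X} -> {resolve_by_hash(h, SAMPLE_EXPORTS)}")
    print(recover_api_names([ror13_hash("CreateThread"), 0], SAMPLE_EXPORTS))
```

For hunting, the interesting part is recover_api_names: feed it every 32-bit immediate found in a suspicious function and a list of common API names; hits on VirtualAlloc/WriteProcessMemory/CreateThread next to each other are a strong injection signal even when no import table is present.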
After the coffee break, we had another run of talks. We had a review of the Lazarus group: “A Tale of Lazarus and His Family” by JeongGak Lyu. Andras Iklody presented Cerebrate, a new OSS community management and orchestration tool. The next one was “Unraveling cyber battle between UKR-RUS” presented by Ondrej Nekovar. Finally, before the lunch break, Melanie Niethammer presented “How to operationalize CTI – A real-world example”.
The lunch break was followed by a new session of lightning talks. Paweł Pawliński and Alexandre Dulaunoy presented “JTAN – Data Sharing Network”. JTAN means “Joint Threat Analysis Network” and its goal is to help share information between organizations in the EU. MISP is, of course, the core component, but other tools are also used, like AIL, MWDB, Graphoscope or Taranis NG.
Then, Arwa Alomari presented “Turbocharging IOCs Validation – Become a more efficient CTI Analyst”. The goal is to reduce the volume of IOCs and process them faster. The model presented was “Low Regret Scoring”.
The next presentation was “Modern IOC matching with Suricata” by Eric Leblond and Peter Manev. Suricata is a great tool and much more than an IDS/IPS. Eric and Peter explained how Suricata can be linked to a MISP instance and fed with IOCs to increase its detection capabilities.
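To make the MISP-to-Suricata link concrete, here is an added example (mine, not the speakers' code) that turns a list of MISP attributes into a Suricata string dataset and the two rules that use it. SAMPLE_ATTRIBUTES is a constructed slice of what a PyMISP attribute search returns; the one check that matters is the to_ids flag, since attributes without it are context and must not reach the sensor. Suricata string datasets are stored base64-encoded, one entry per line.

```python
"""Turn MISP attributes into a Suricata dataset plus the rules that use it.
Added example, not the speakers' code. SAMPLE_ATTRIBUTES is constructed."""
import base64

# Constructed MISP attributes. Only to_ids=True attributes are meant for
# detection; the others are context and must not be pushed to the sensor.
SAMPLE_ATTRIBUTES = [
    {"type": "domain", "value": "update-check.example", "to_ids": True},
    {"type": "hostname", "value": "cdn.static-files.example", "to_ids": True},
    {"type": "domain", "value": "legit-cdn.example", "to_ids": False},
    {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
    {"type": "comment", "value": "seen in phishing wave", "to_ids": False},
]

DOMAIN_TYPES = {"domain", "hostname"}
DATASET_NAME = "misp-domains"
DATASET_FILE = f"{DATASET_NAME}.lst"


def build_domain_dataset(attributes) -> str:
    """One base64 line per unique to_ids domain/hostname, lower-cased."""
    values = sorted({a["value"].lower() for a in attributes
                     if a.get("to_ids") and a["type"] in DOMAIN_TYPES})
    return "".join(base64.b64encode(v.encode()).decode() + "\n" for v in values)


def build_rules(sid_base: int = 9000001) -> list:
    """Rules matching DNS queries and TLS SNI against the dataset."""
    isset = f"dataset:isset,{DATASET_NAME},type string,load {DATASET_FILE};"
    return [
        f'alert dns any any -> any any (msg:"MISP domain IOC in DNS query"; '
        f'dns.query; {isset} classtype:bad-unknown; sid:{sid_base}; rev:1;)',
        f'alert tls any any -> any any (msg:"MISP domain IOC in TLS SNI"; '
        f'tls.sni; {isset} classtype:bad-unknown; sid:{sid_base + 1}; rev:1;)',
    ]


def decode_dataset(content: str) -> list:
    """Inverse of build_domain_dataset, handy to verify what the sensor loaded."""
    return [base64.b64decode(line).decode() for line in content.splitlines() if line]


if __name__ == "__main__":
    dataset = build_domain_dataset(SAMPLE_ATTRIBUTES)
    with open(DATASET_FILE, "w") as fh:
        fh.write(dataset)
    print("\n".join(build_rules()))
```

Only domain and hostname attributes are handled here; ip-dst attributes are deliberately left out of this example. Drop the .lst file next to the rules file (or give an absolute path in the load option), add the two rules, and the list can be refreshed from MISP without touching the rules again.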
The three next talks are not covered because two of them were flagged as TLP:Amber and the third one (about Pyrrha) was presented at Pass-The-Salt in July (see my wrap-up).
The next slot was assigned to CrowdStrike. They explained how they maintain their IP address block list. From a CTI point of view, it must be reliable (no false positives), updated regularly, comprehensive and automated. Their current list has 60K IP addresses with a 7-day expiration, and about 4% of the entries are renewed daily.
The day ended with two presentations about interesting tools: “MISP42” by Rémi Seguy, a Splunk application that connects to MISP instances to pull IOCs directly into Splunk, and “Yeti”, presented by Thomas Chopitea.
On Wednesday, the first day of the main conference started with “How Digital Technologies are Redefining Warfare and Why It Matters” by Mauro Vignati. The “cyber” component has been added to the regular warfare domains for a while; it used to remain related to military activities, but today we can see a slight shift towards civilians, who have all the tools and devices needed to attack military targets. Conversely, military operations against infrastructure can have a significant impact on civilians.
The next talk was presented by Paul Rascagnères: “Ongoing EvilEye Campaigns Targeting CCP Adversaries”. The threat actor is “EvilBamboo” (also known as “EvilEye”). It started in 2019 with a Google blog post about an iOS 0-day. A timeline was presented with the many discoveries and articles about this actor, and the bad trilogy: BadBazaar, BadSignal and BadSolar. Their TTPs were reviewed. BadSignal has the capability to silently interact with the Signal app. Whoscall is a legitimate app that was backdoored by EvilBamboo. Some notes:
- Take a famous app, add a backdoor and rename it “MyApp+”.
- Fake websites with a malicious JS payload (victim profiling).
- App links posted in forums.
- iOS implant?
- Flygram is a fake Telegram app.
- Apple removed the TibetOne app a few days after it was published. The existence of the app was also revealed by the API help (same calls with “Ios” in the name).
The next presentation was “Defeating VPN Always-On” by Maxime Clementz. It was first presented at DEF CON, but the slides had been updated after a discussion with Palo Alto. The idea of an always-on VPN: no access to the LAN, only a connection to the corporate environment via a tunnel. When the tunnel is down, restricted network access is applied, and the user can't disable the feature.
Two key concepts:
- Trusted network detection (TND)
- Captive portal detection (CPD)
It is interesting to understand how captive portals are detected by different solutions. For example, Google performs an HTTP GET on http://clients3.google.com/generate_204 and expects a “204 No Content” response.
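As an added example (mine, not from the talk), here is what such a probe looks like in code, extended beyond the Google case to the equivalent Apple and Microsoft probes, whose URLs and expected answers are the vendors' public defaults. The point worth keeping in mind for the always-on discussion is visible in the code: all three probes are plain HTTP with no authentication, so the verdict trusts whatever the local network answers. The responses fed to classify() in the demo are constructed.

```python
"""Captive-portal detection probes, as done by OS and VPN clients.
Added example, not from the talk. The probe URLs and expected answers are
the vendors' public defaults; the responses in __main__ are constructed."""
import urllib.error
import urllib.request

# vendor -> (probe URL, expected status, byte string expected in the body)
PROBES = {
    "google": ("http://clients3.google.com/generate_204", 204, b""),
    "apple": ("http://captive.apple.com/hotspot-detect.html", 200, b"Success"),
    "microsoft": ("http://www.msftconnecttest.com/connecttest.txt", 200,
                  b"Microsoft Connect Test"),
}


def classify(vendor, status, headers, body):
    """Turn a raw probe answer into a verdict.

    'internet'            : exact expected answer, nothing in the way
    'captive-portal'      : HTTP redirect, typically to a login page
    'tampered-or-portal'  : something answered, but not what we expected
    """
    _, want_status, want_body = PROBES[vendor]
    lowered = {k.lower(): v for k, v in headers.items()}
    if status == want_status and want_body in body:
        # generate_204 must be really empty; a 204 carrying a body is suspicious.
        if want_status != 204 or len(body) == 0:
            return "internet"
    if status in (301, 302, 303, 307, 308) and "location" in lowered:
        return "captive-portal"
    return "tampered-or-portal"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the redirect itself is the signal."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(vendor, timeout=5.0):
    """Run one live probe and classify the answer ('no-network' on failure)."""
    url = PROBES[vendor][0]
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(vendor, resp.status, dict(resp.headers.items()), resp.read())
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx answers land here
        return classify(vendor, err.code, dict(err.headers.items()), err.read())
    except (urllib.error.URLError, OSError):
        return "no-network"


if __name__ == "__main__":
    # Constructed answers, no network needed for the demo.
    print(classify("google", 204, {}, b""))
    print(classify("google", 302, {"Location": "http://10.0.0.1/login"}, b""))
    print(classify("apple", 200, {"Content-Type": "text/html"}, b"<html>Please log in</html>"))
```

Call probe("google") on a real network to see the live verdict. Anything that can answer on the path (a hotspot, a rogue DHCP/DNS setup, a proxy) can return the expected bytes or a redirect at will, which is exactly why a VPN client should not base its trust decisions on these answers alone.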
“The Renaissance of Cyber-Physical Offensive Capabilities” by Daniel Kapellmann Zafra covered the evolution of threats related to OT: Stuxnet (2010), BlackEnergy (2014), CosmicEnergy (2023).
CosmicEnergy is malware developed to disrupt electric power; it interacts with IEC-104 devices and is likely a red-teaming tool.
“Introduction to cyberwarfare: theory and practice” by Lukasz Olejnik.
After lunch, we had another round of interesting lightning talks. I'd like to mention the integration of Velociraptor and Tenzir to speed up investigations, and TIDeMEC (“Threat-Informed Detection Modeling and Engineering as Code”), a project from the European Commission to automate the deployment of detection rules.
The first talk of the afternoon was “Embedded Threats: A Deep Dive into the eSIM World” by Markus Vervier. The questions were: how do eSIMs work, and how can an eSIM be used as a C2 channel? The main idea of eSIMs is to switch operators without changing the physical SIM card. Security concerns are similar to the old system (privacy, cloning, spoofing, …). The attacks explained here were performed on an eSIM driven from a desktop computer application. Nice demo of C2 communication via SMS: slow, but it worked!
The next talk was “Building an Evil Phone Charging Station” by Stef van Dop & Tomas Philippart. Some notes:
- USB(-C) is not only useful for charging a phone: USB Ethernet, HID devices, …
- Lightning is Apple's proprietary connector.
- Basic PoC: victim's phone -> charger slot -> power/HDMI -> HDMI capture -> mirror.
- Extracting sensitive info: PIN codes and passwords.
- Extracting passwords automatically? When typed, the last character is displayed.
- Awareness: don't plug your phone into an unknown port.
Ange Albertini came back with “Do’s and don’ts in file formats”. Ange covered the MP3 file format. The original format was developed in 1994 and contained just data, no metadata (author, song name, …)
Christophe Brocas presented “ACME: benefits of deploying an Internet Security protocol inside your corporate network”. The ACME protocol is pretty well known these days, thanks to Let's Encrypt. But how do you generate certificates for internal hosts? You can always use some kind of reverse proxy and request a Let's Encrypt certificate, but your (internal) host names will then be published in the Certificate Transparency logs! Many people use ACME but don't know its internals (I'm raising my hand here, I admit). Today, HTTPS is mandatory in many organizations, even for internal apps, and the default process is a pain: CSR -> approval -> generation -> download cert -> install.
After a coffee break, “Your unknown Twins: Identity in the era of Deepfakes, AI and mass Biometrics exposure” was presented by Vladimir Kropotov. The ransomware double extortion business model:
- exposes lots of data as a side effect (PII, …);
- boosts the underground scans for this information.
What do we leak in the wild? Sound recordings (voice), photos and videos, 3D models, …
Even fingerprints can be detected on Instagram pictures!
The last talk of the day was “PHP filter chains: How to use it” by Rémi Matasse. It had already been presented at Pass-The-Salt.
The last day started with Patrice Auffret, who presented “Internet exposure of satellite modems, and their vulnerabilities”. It started with the Russian intrusion into the ViaSat network: in February 2022, thousands of modems were knocked offline. The attack life cycle: IP address reconnaissance, attacking the found IPs, exploiting the VPN vulnerability. The satellite ecosystem (and the market) is growing because satellites are pretty small these days (Starlink is a perfect example). Each found device was classified with a state: secure, vulnerable, or “no security at all”. Patrice made a live demo of looking for compromised or sensitive devices.
Then Frédérique D. presented “Almost 2 years after log4j .. if your PSIRT has survived, Are the Lessons learned or not learned on security incident & vulnerability management?”. Do you remember the famous Log4j vulnerability? Frédérique did a wrap-up of the vulnerability, then explained how to detect it based on a scoring and a methodology (which must be defined upfront). To handle such incidents in the future, you must be prepared and, in the case of a popular software component, an SBOM could be the solution.
The next talk was “Avoiding the basilisk's fangs: State-of-the-art in AI LLM detection” by Jacob Torrey. As more and more people (ab)use LLM tools, it becomes critical to be able to detect text produced by such tools. LLMs are language models that don't understand the text; they just process data, which is why we can try to detect their usage.
Some tools:
- OpenAI had an LLM text classifier
- GLTR
- GPTZero, CrossPlag
Jacob presented ZipPy, a compression-based estimator able to detect LLM-generated text in text files.
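To show what “compression-based” means here, this is an added example of the idea (my own implementation, not ZipPy's code): a zlib stream primed with known LLM output will encode a new LLM-style sample cheaply, because its phrasing is already in the compressor's window, while text that shares none of that phrasing costs close to its full size. REFERENCE_LLM_TEXT and the two samples are constructed, and the 0.5 threshold is an assumption for this toy corpus.

```python
"""Compression-based LLM-text estimator, in the spirit of the presented
approach. Added example, not ZipPy's code. REFERENCE_LLM_TEXT and the
samples used in __main__ are constructed; the threshold is an assumption."""
import random
import string
import zlib

# Constructed stand-in for a corpus of known LLM output. A real preset would
# be thousands of sentences; the mechanism is the same.
REFERENCE_LLM_TEXT = (
    "As an AI language model, I do not have personal opinions. "
    "However, I can provide some general information on this topic. "
    "It is important to note that there are several factors to consider. "
    "In conclusion, it is essential to weigh the pros and cons carefully. "
    "I hope this helps! Let me know if you have any other questions. "
    "Certainly! Here is a summary of the key points to keep in mind. "
) * 4


def compressed_size(data: bytes, level: int = 9) -> int:
    """Size of the zlib-compressed data; stands in for Kolmogorov complexity."""
    return len(zlib.compress(data, level))


def primed_ratio(sample: str, reference: str = REFERENCE_LLM_TEXT) -> float:
    """Extra compressed bytes needed for `sample` once the compressor has seen
    `reference`, per input byte. Lower means the sample is better predicted
    by the reference corpus."""
    ref = reference.encode("utf-8")
    smp = sample.encode("utf-8")
    if not smp:
        raise ValueError("empty sample")
    extra = compressed_size(ref + smp) - compressed_size(ref)
    return max(extra, 0) / len(smp)


def is_llm_like(sample: str, threshold: float = 0.5) -> bool:
    """Verdict: below the threshold the text looks like the reference corpus.
    The threshold is an assumption for this toy corpus; tune it on real data."""
    return primed_ratio(sample) < threshold


def random_text(n: int, seed: int = 7) -> str:
    """Constructed high-entropy control sample (not human prose either)."""
    rng = random.Random(seed)
    return "".join(rng.choices(string.ascii_letters + string.digits, k=n))


if __name__ == "__main__":
    llm_sample = ("It is important to note that there are several factors to "
                  "consider. I hope this helps! Let me know if you have any "
                  "other questions.")
    for label, text in (("llm-style", llm_sample), ("random", random_text(240))):
        print(f"{label:10s} ratio={primed_ratio(text):.3f} llm_like={is_llm_like(text)}")
```

Two caveats a practitioner should keep in mind: the estimator only measures similarity to the preset, so a human writing in the same register scores “LLM-like” too, and short samples give noisy ratios. The talk's point stands: no semantics are involved, only redundancy.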
Dimitrios Valsamaras presented “Permissionless Universal Overlays”. He started with the basic concepts of the Android user interface: applications draw on “Surfaces” composited by SurfaceFlinger, and windows are displayed depending on their type (ex: TYPE_SYSTEM_ALERT). There are other flags like FLAG_NOT_TOUCHABLE, and you can also have floating windows. As you can expect, these “features” are used by malware: any app can mimic the look of another app and claim to be the original one.
Stefan Hager presented “Raiders of the Lost Arts”. In the early days, trust was the default, crime was not an issue, and Internet speed as well as availability were low. Protocols were unencrypted and unauthenticated: DNS, SNMP, NTP, TFTP, Syslog, … hence UDP amplification attacks. No real flow of details… lost?
After the lunch break, we had a last round of lightning talks:
- Fraudulent smart contracts
- Suricata language server
- Wintermute (an LLM based pen-tester buddy)
- SLP (Service Location Provider) protocol amplification (DDoS)
- DER editing with asn1template
- Supply chain issues
Then, Xeno Kovah presented “Open Wounds: The last 5 years have left Bluetooth to bleed”. Question: which Bluetooth chips do we have in our devices, and are they vulnerable? Bluetooth is everywhere. He reviewed tools and techniques used by many researchers to assess Bluetooth implementations. See darkmentors.com/bt.html.
“The rise of malicious MSIX files” was presented by Shogo Hayashi & Rintaro Koike. MSIX files are the successors of MSI files (Windows package files). They have been supported since Windows 10 and allow people to install apps. Instead of being based on the OLE format, the new files are, like Microsoft Office documents, ZIP archives with XML files. They explained the internal structure of these files and how it can be abused by attackers. In the next part of the presentation, they demonstrated a real case of malware deployed via an MSIX file.
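Because the container is a ZIP with an XML manifest, a first triage needs nothing more than the standard library. The added example below (mine, not the speakers' code) reads AppxManifest.xml, reports the package identity and the declared executables, and flags the things worth a second look: no AppxSignature.p7x, an executable declared but absent from the archive, bundled scripts. build_sample_msix() constructs a minimal unsigned package for the demo; a real package carries more files (AppxBlockMap.xml, [Content_Types].xml, assets). The config.json-plus-scripts check is a heuristic I added, not something the talk asserted.

```python
"""Static triage of an MSIX package: identity, entry points and signature
presence out of the ZIP container. Added example, not the speakers' code.
build_sample_msix() is a constructed, unsigned demo package."""
import io
import xml.etree.ElementTree as ET
import zipfile

MANIFEST_NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}
SCRIPT_SUFFIXES = (".ps1", ".vbs", ".js", ".bat", ".cmd")


def triage_msix(package: bytes) -> dict:
    """Return identity, declared executables and a list of findings."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = zf.namelist()
        manifest = zf.read("AppxManifest.xml")
    root = ET.fromstring(manifest)
    identity = root.find("m:Identity", MANIFEST_NS)
    apps = root.findall("m:Applications/m:Application", MANIFEST_NS)

    report = {
        "name": identity.get("Name"),
        "publisher": identity.get("Publisher"),
        "version": identity.get("Version"),
        "executables": [a.get("Executable") for a in apps if a.get("Executable")],
        "findings": [],
    }
    if "AppxSignature.p7x" not in names:
        report["findings"].append("package is unsigned (no AppxSignature.p7x)")
    for exe in report["executables"]:
        if exe not in names:
            report["findings"].append(f"declared executable not in archive: {exe}")
    scripts = [n for n in names if n.lower().endswith(SCRIPT_SUFFIXES)]
    if scripts:
        report["findings"].append("scripts bundled: " + ", ".join(scripts))
    # Heuristic (assumption): config.json next to scripts is the Package
    # Support Framework layout; worth a manual look in an installer.
    if "config.json" in names and scripts:
        report["findings"].append("PSF-style config.json with scripts")
    return report


def build_sample_msix() -> bytes:
    """Constructed, unsigned sample package (demo only)."""
    manifest = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Contoso.Updater" Publisher="CN=Contoso" Version="1.0.0.0"/>
  <Applications>
    <Application Id="App" Executable="updater.exe" EntryPoint="Windows.FullTrustApplication"/>
  </Applications>
</Package>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AppxManifest.xml", manifest)
        zf.writestr("config.json", '{"applications": []}')
        zf.writestr("StartingScript.ps1", "Write-Host placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_msix(build_sample_msix()).items():
        print(f"{key}: {value}")
```

Replace build_sample_msix() with open("suspect.msix", "rb").read() to triage a real file. The Publisher string is only what the manifest claims; whether it matches the certificate in AppxSignature.p7x still has to be checked with a signature tool.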
“Reviving our oldest Tool – Using Bayesian inference to detect cyber attacks” by Emanuel Seemann.
“Using Apple Sysdiagnose for mobile forensics and integrity checks” was presented by David Durvaux & Aaron Kaplan. The idea is to avoid (jail)breaking the device to access interesting data. Sysdiagnose is a tool provided by Apple for support reasons. The information collected by the tool is enormous, with plenty of file types, etc., and it's a mess to analyze, so they developed a framework to parse the data. The main issue is that Apple manages its tool and can change the format or add/remove data without notice.
After the coffee break, Jacq presented “A deep dive into Maritime Cybersecurity”.
The maritime sector is pretty complex, with many components. This sector is part of NIS2 (critical infrastructure), but ships are not in scope. They are also an essential element of the supply chain: these days, 80% of worldwide goods are carried by sea. Like any domain, we are facing maritime digitalization. Jacq explained the issues and challenges related to this specific topic. It was a great talk. Note the ADMIRAL dataset, which reports all incidents.
“Operation Duck Hunt – A peek behind the curtain of DuckTail” by Pol Thill. This was a review of the malware campaign based on .NET. The malware uses Telegram for C2 communications, and a funny live demo with Telegram was performed. Pol explained how the malware works but also who was behind it: the author made some OPSEC mistakes, and it was easy to reveal his operations. More and more malware samples use Telegram as a C2. If you can, block access to api.telegram.org (the Bot API endpoint) from your network.
That's all for this edition! A lot of speakers, a lot of slides, a lot of information to compile. Hopefully, all talks (if accepted by the speaker) have been recorded and are already available on Cooper's YouTube page. Great job!
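If blocking is not an option, hunting for that traffic in proxy logs is the next best thing. Here is an added example (mine, not from the talk) that walks Squid-style access log lines, keeps every request to the Bot API host and, when TLS inspection exposes the full URL, pulls the bot id and the API method out of the /bot<token>/<method> path. The log lines are constructed; the token shape (numeric bot id, colon, 35-character secret) is used as a heuristic and only the bot id is written out, never the secret.

```python
"""Spot Telegram Bot API traffic in web-proxy logs, as a hunt for C2 like
the one described. Added example, not from the talk. SAMPLE_LOG is a
constructed Squid-style access log; the token regex is a heuristic."""
import re

TELEGRAM_API_HOST = "api.telegram.org"
# Bot API path: /bot<token>/<method>. Only the bot id is kept in the finding;
# the secret part of the token is never written out.
BOT_TOKEN_RE = re.compile(r"/bot(\d{6,12}):([A-Za-z0-9_-]{35})/(\w+)")

# Constructed Squid-style access log: timestamp duration client action/code
# bytes method URL user hierarchy type. The third line assumes TLS inspection.
SAMPLE_LOG = """\
1699000001.120   41 10.1.2.3 TCP_TUNNEL/200 5120 CONNECT api.telegram.org:443 - HIER_DIRECT/149.154.167.220 -
1699000002.004   12 10.1.2.4 TCP_MISS/200 842 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1699000003.377   88 10.1.2.3 TCP_MISS/200 310 POST https://api.telegram.org/bot123456789:AAFabcdefghijklmnopqrstuvwxyz012345/sendDocument - HIER_DIRECT/149.154.167.220 application/json
1699000004.500   20 10.1.2.5 TCP_MISS/200 640 GET https://telegram.org/ - HIER_DIRECT/149.154.167.99 text/html
"""


def parse_line(line: str):
    """Minimal field split for the Squid native log layout."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"ts": fields[0], "client": fields[2], "method": fields[5], "url": fields[6]}


def host_of(url: str) -> str:
    """Host part of a URL or of a CONNECT host:port target."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()


def hunt_telegram_c2(log_text: str) -> list:
    """Return one finding per log line that talks to the Bot API host."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or host_of(rec["url"]) != TELEGRAM_API_HOST:
            continue
        finding = {"ts": rec["ts"], "client": rec["client"], "method": rec["method"],
                   "bot_id": None, "api_method": None}
        match = BOT_TOKEN_RE.search(rec["url"])
        if match:
            finding["bot_id"] = match.group(1)
            finding["api_method"] = match.group(3)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt_telegram_c2(SAMPLE_LOG):
        print(f)
```

Without TLS inspection you only get the CONNECT lines, which is still enough to list the internal hosts talking to the Bot API; with the full URL, the bot id is a pivot you can share as an IOC, and methods like sendDocument next to outbound byte counts are a good exfiltration indicator. Expect legitimate bots (monitoring, chat ops) to show up too, so allow-list known clients before alerting.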