When Governments Attack
Formal Metadata
Title | When Governments Attack
Title of Series | REcon 2016
Part Number | 17
Number of Parts | 20
License | CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/32750 (DOI)
Transcript: English (auto-generated)
00:29
So we're going to have our next talk before lunch. I'll ask that folks stick around for a second after Cooper here gives his talk, because Hugo wants to say something.
00:41
So those who attended REcon 2014 will remember that Eva Galperin of the Electronic Frontier Foundation gave a really interesting talk to open the conference, and Cooper is here somewhat as an extension of that, I think, to talk about targeted malware campaigns.
01:00
Great, thank you very much. Hi, so I'm Cooper, and this talk is called When Governments Attack, and I'm going to talk about some of the targeted malware campaigns that EFF and our clients have received. This is a picture of me. I'm a technologist and a security researcher at the Electronic Frontier Foundation.
01:21
I work on our Privacy Badger project as well as our efforts to stop third-party tracking online. I've given security trainings to activists and journalists, and I've done security research on street-level surveillance devices for EFF. I've also recently begun learning the art and science of reverse engineering, and I'm loving it so far. And I'm honored to be here at REcon; these last few days have been some of the most amazing talks I've seen at a hacker conference.
01:45
This is my colleague Eva Galperin. You probably remember her from two years ago. Unfortunately, she couldn't be here today, but she gave a talk at REcon two years ago. She's an international policy analyst at EFF, and she does research on malware and targeted attacks and trains vulnerable
02:01
populations like journalists, activists and lawyers in surveillance self-defense. She also covers policy that affects security researchers, such as export controls like the Wassenaar Arrangement. So what is the EFF? Who here hasn't heard of EFF?
02:20
I'm going to pretend that I see a hand, because otherwise I have to skip like 20 slides. So I think the best way to answer who EFF is is through this: earlier this year my colleague Jeremy Gillula did some tests that proved that T-Mobile was throttling bandwidth for all video files which were sent over the T-Mobile network if the user had the Binge On service enabled.
02:42
We asked the T-Mobile CEO John Legere about it, and he had this lovely response for us: "I want to take a minute to address John's questions, because I think they're actually important. So, first question: who the fuck are you anyway, EFF?"
03:02
Well, I guess he didn't bother to look at our Twitter profile or our website, or use Google. Oh well, I suppose I'll have to explain it for him. We're a nonprofit that's been around for 25 years, and our mission is to make sure that when you get online, your rights come with you. We're probably most notorious for our legal work, such as the many lawsuits against the NSA for unconstitutional spying
03:25
which we're involved in. This is something we've been doing since 2006, and we're kind of hipsters: we were doing it before it was cool. We also defend hackers in court when they get into trouble for doing security research. Ideally, we advise them when they have questions about their research so that they don't get into trouble in the first place. I
03:48
know that I am certainly not your lawyer, so nothing in this talk, or in the questions and answers, constitutes legal advice. If you have any legal questions, find me after the talk and I'll put you in touch with the people who do that sort
04:01
of thing. So, the second question: why are you stirring up so much trouble? Well, it's our job. That's why we're stirring up so much trouble. It's literally what we get paid to do. We have an amazing activism team that spends all day thinking of new ways to stir up trouble. Last year, along with Greenpeace,
04:20
we flew a blimp over the NSA Utah data center to let everybody know the purpose of the giant mysterious building in the desert. We also work to reform the draconian Computer Fraud and Abuse Act, which punishes security researchers with extreme sentences for their research. We helped defeat the SOPA and PIPA bills in the U.S.,
04:41
which would have censored the internet in the name of protecting copyright. Generally, if there's legislation out there that's bad for the internet, we are there to provide analysis and organized opposition. And we actively opposed the 2013 changes to the Wassenaar Arrangement, which would punish security researchers and classify security tools as weapons, as well as the U.S.
05:04
proposal for its implementation, which was even broader and more dangerous. This actually came out of discussions that Eva had two years ago with security researchers and academics while she was here at REcon. So thank you for that; good job, REcon. And the final question: who pays us?
05:23
Well, we're lucky enough to be paid by our 25,000 members, amazing members who make donations that make up the largest part of our yearly budget. Our members launched a Twitter campaign letting John Legere know that fact, and let him know that they would pick EFF over T-Mobile any day.
05:41
Thanks to the show of support, John quickly backpedaled and admitted that he does know who EFF is and in fact has no problem with us. So, good. EFF also works on some technology projects. This is the logo for Privacy Badger, which is our browser add-on that blocks third-party trackers from spying on your browsing habits.
06:02
Privacy Badger currently has over half a million users. We also have, you've probably heard of it, HTTPS Everywhere. This is our browser extension which encrypts your connection to websites using HTTPS whenever possible. It currently has more than 2 million active users, and also millions more via the Tor Project.
06:20
We also really recently started a free certificate authority called Let's Encrypt and wrote a client to automatically create SSL certificates, which is called Certbot. So far we've issued 4 million free certificates. It's less well known that EFF also does security research, mainly focused on vulnerable populations.
06:43
We've published research on the ways in which the Vietnamese government is targeting opposition activists and their supporters, as well as research into malware campaigns by pro-Assad hackers in Syria. My colleague Dave Maass and I researched vulnerabilities in automatic license plate readers
07:02
after we received a tip that Shodan could be used to find them on the internet. We discovered hundreds of ALPR devices all over the US that were open to the internet with no authentication at all. You could use the web interface to view vehicles as they drove by and the scanned license plates.
07:21
You could even download the information if you wanted to. You could telnet into the devices without a password; if the web interface did have a password, you could view it in plain text over telnet and reset it or do whatever you wanted.
07:41
Many of the passwords were reused across devices or left as their defaults. So we wrote a report on our findings, and the report helped to convince the governor of Louisiana to veto a bill which would have spent millions on more ALPR devices for the state. And Jeremy Gillula and Dave Maass also worked together to analyze the ComputerCOP software.
08:01
This was software which was being distributed by law enforcement agencies to parents as the first step to protecting their children online. It turned out ComputerCOP was nothing more than spyware which sent data, including keylogger data, unencrypted to a third-party server owned by the company that makes ComputerCOP.
08:22
We published our findings and also instructions on how to remove ComputerCOP. So we, along with some of our clients, have also been targeted by persistent malware campaigns. So, in Vietnam, the communist government has very tight control over traditional media,
08:44
so the people who oppose the government often rely on social media and blogs to get their message out. In response, the Vietnamese government started to crack down on bloggers, imprisoning them under inhumane conditions for everything ranging from tax evasion to disseminating anti-state materials.
09:05
EFF campaigned for the release of several Vietnamese bloggers over the years, including the prominent dissidents Dieu Cay and Le Quoc Quan, shown up here. Most of this campaigning was done by my colleague Eva,
09:20
which led to a comical situation in which the Vietnamese government sent malware directly to the person at EFF who writes malware reports. This is a really good way to get samples. The Vietnamese government also targeted an EFF activist who had worked at the organization for only a few months and was the author of a single
09:41
blog post related to our campaigns to release Vietnamese bloggers. This led us to the disturbing conclusion that it only takes a single blog post to get on the Vietnamese government's radar. So the campaign targeting EFF employees looked like this: we have an invitation to the Oxfam conference from "Andrew Oxfam".
10:03
The same malware was also sent to an Associated Press reporter, masquerading as a Human Rights Watch paper sent by "HRW agent". Human Rights Watch is another NGO. So the targeting shows a really strong understanding of what motivates activists in the internet freedom scene.
10:22
We really like being invited to conferences in exotic places like Montreal, and brand-new research papers. If the attackers really wanted us to open the document, they would have also offered free flights and hotels. Pro tip for any of you who are going to try to phish me later. As you can see from the email, the two attachments,
10:43
invitation.hta and location.hta, are exactly the same. The detection rate for this malware was very low on VirusTotal; we only saw one AV vendor out of 47 detecting this when we wrote the report in 2014. In the attack, clicking the link in the email takes the user to the malicious HTML Application file. This
11:06
is a super old attack, and it only works on older Windows systems, but it works because so much of the population of Vietnam has older Windows systems, so these attacks don't need to be very sophisticated.
11:22
The file metadata is in the image here. The HTML Application contains an encoded executable and also contains a Microsoft Word document called "bobby et doc". When the recipient runs the attachment, it drops the "bobby et" .doc. It opens the .doc file and a randomly named executable.
11:44
When the .doc is displayed and the executable is run, it installs the following files. Several registry changes are made to enable the malicious implant to persist after reboot, and the file api-ms-win-core-xstate is written into the process space of explorer.exe,
12:04
which then instantiates an outbound connection on port 443 to yelp.webhop.org. When we wrote the report, these were the other domains that were hosted on the C&C server. We found that it was used as a command-and-control server for other Vietnamese-affiliated malware.
12:24
And examining the malware revealed a relationship to earlier campaigns which targeted Vietnamese activists. In February of 2013 a Vietnamese blogger and mathematics professor received this email. Like the malware that targeted EFF and the Associated Press, the attachment was an HTML Application; in this case
12:46
the attachment was compressed with 7-Zip, and you can see the metadata here. As with the EFF and AP attacks, the HTML Application contains an encoded executable and a document, "doc Lloyd" .doc.
13:02
Running the HTML file displays the document and once again drops a bunch of files. Values are inserted into the Windows registry for persistence, and the implant contacts a remote command-and-control domain, again on port 443. A prominent Vietnamese pro-democracy blogger living in California was successfully targeted by this attack,
13:24
which led to the compromise of her blog and the invasion of her private life. So the group behind these attacks appears to have been operating since 2009. They've been very active in targeting Vietnamese dissidents, people writing on Vietnam, and the Vietnamese diaspora.
13:44
The attack appears to be the work of a group commonly known as, I'm going to mispronounce this, Sinh Tử Lệnh. Well, it's been anecdotally claimed to be the work of Chinese actors; we think that it seems much more likely to be the work of somebody associated with the Vietnamese government who's targeting Vietnamese people. In another incident,
14:06
my colleague Jillian York was woken early in the morning by a phone call from a number in the UK. The man calling her said he was a journalist with Reuters, and he began with small talk which indicated that he was familiar with her work.
14:20
The connection wasn't good, and the caller hung up and immediately called back. He said there was something he wanted to discuss, and verified that he had the correct email address for her. Immediately after the phone calls, Jillian received an email masquerading as sent from the Reuters news agency's tech department and asking for an interview. The spoofed email contained some errors, including the misspelling
14:45
"Reutuers". Clicking on the link in the email would take you to this phishing URL, which is disguised with a Google redirect. Luckily, Jillian is smart, and she recognizes a phishing attack when she sees one. Since she didn't click the link, the attacker got impatient and called her back, insisting that she open the document.
15:08
At this point, aware of what was going on, Jillian decided to have a little fun with the attacker and requested that he include the text of the message in the body of his email, knowing of course that he wouldn't.
15:21
The attacker sent the same email again, this time from a different email address. He then called Jillian, continuing to insist that she open the document, saying that it was from his personal email address, so it must be okay. Jillian of course refused. The attacker then called her 30 more times that day,
15:45
which didn't do anything to increase his credibility: the angry ex-boyfriend approach. The attack wasn't successful. Sorry. So Citizen Lab researchers John Scott-Railton and Katie Kleemola researched and wrote a report on these attacks,
16:12
which, in addition to Jillian, had targeted Iranian activists. Due to the nature of the targets and other indicators, the researchers concluded that the attacks were likely of Iranian origin.
16:23
We think that Jillian was targeted because of her work with Iranian activists. Meanwhile, in Ethiopia we saw a political situation unfolding that was very similar to Vietnam: an increasingly repressive government exercising control over all local media, independent media relying heavily on social media and blogs to get their message out, and a crackdown on bloggers.
16:47
Probably the best-known Ethiopian dissidents are the Zone 9 bloggers, who've recently been released and acquitted after years of physical threats, intimidation and legal battles. The Zone 9 blog gets its name from Kality prison outside of Addis Ababa,
17:03
which is divided into zones, with journalists and political prisoners being held in zone 8. The bloggers have been vocal in their critique of government policy and practice, especially the growing role of government surveillance and ever-worsening crackdowns on independent media and on free expression.
17:23
For years, they fought a protracted legal battle in which the government charged them with "working with foreign organizations that claim to be human rights activists and agreeing in idea and receiving finance to incite public violence through social media." That was the charge, that one. That's a mouthful.
17:43
The Ethiopian government has the power to intimidate and imprison bloggers, dissidents and journalists within its own borders, but it's harder for them to reach influential dissidents who are part of Ethiopia's diaspora community outside of the country. For this capability, the Ethiopian government turned to RATs.
18:03
Significantly, the Ethiopian government is one of the few governments that can boast having purchased both FinFisher and Hacking Team implants. This is sort of a belt-and-suspenders approach to government spying, and I suppose neither one of them worked out very well in the end. This report by Citizen Lab includes an analysis of the FinSpy campaign in
18:24
Ethiopia that used pictures of the opposition group Ginbot 7 as bait to infect users in the spear-phishing campaign. One of the victims of this campaign was an activist who was living in Washington, DC and who goes by the pseudonym Kidane.
18:41
So EFF represented Kidane in a lawsuit against the Ethiopian government. With the help of researcher Bill Marczak, we were able to demonstrate that the Ethiopian government had used FinSpy to spy on Mr. Kidane's Skype calls and Google searches. Since they did so without a warrant,
19:01
we argued that the Ethiopian government illegally wiretapped and invaded the privacy of our client, a US citizen, on US soil. If you're going to spy on Americans on American soil, we think that you should have to follow US law. The federal court recently dismissed the case, unfortunately, and we're currently drafting our appeal. And then there was Pawn Storm,
19:26
also known as Fancy Bear. So we used to own electronicfrontierfoundation.org, but we'd apparently let it expire a few years ago, and it fell into the hands of domain squatters.
19:41
In August 2015, we got a call from some friends on the Google security team letting us know that they had observed electronicfrontierfoundation.org being used as part of a targeted malware campaign. We began looking into it, and we noticed a large number of similarities to the Pawn Storm attack campaign, which was going on around that same time.
20:02
Trend Micro had done a report on the Pawn Storm campaign a month before, and in it they described how a spear-phishing campaign was directing users to a Java exploit which then downloaded and executed a dropper for the Sednit malware. Trend Micro rolled the attribution dice and
20:21
linked the Pawn Storm campaign to Fancy Bear, APT28, citing the fact that they were using the same custom malware and have similar targets. In a 2014 paper, FireEye linked APT28 with the Russian government based on technical evidence, technical sophistication and the targets chosen.
20:40
You already heard all about Fancy Bear, or APT28, from the excellent talk on Friday by Joan, Jessy and Thomas from ESET, so I'm not going to get into detail about them here. Those guys did way more research than I have, and it was a fantastic talk. So is the fake domain really APT28? Well, let's go through the evidence.
21:03
We have electronicfrontierfoundation.org, which is an excellent domain for spear-phishing, so I think we can check that off. We have a Java exploit, which is the same as the one reportedly used by Pawn Storm, so I think we can check that off. We have a dropper which is named cormac.mcr. This is the same name that was observed to be used in the Pawn Storm campaign.
21:24
Unfortunately, we weren't able to recover a copy of the dropped Sednit file, though we did find a sample later. But despite that, drawing from these conclusions, it seems likely that the organization behind the fake EFF phishing attack is likely the same one as Pawn Storm, and also therefore has ties to the Russian government.
21:44
Past attacks have targeted Russian dissidents and journalists, US defense contractors, NATO forces and White House staff. We don't know who the targets were for this particular attack, but it doesn't appear that it was anyone on the EFF staff.
22:00
So let's talk about the exploits, because this is REcon. There were two Java exploits at work here, both of which were zero-days when the Pawn Storm attacks began. The first zero-day disabled the click-to-play protections that Java has in place, allowing an unsigned Java applet to run automatically in the browser as soon as you click the link.
22:21
The second was an object deserialization vulnerability which allowed the attacker to modify an attribute on an unrelated object. In this case, the attacker used it to turn off the Java security manager, which then allowed them to download and execute the binary file. So Trend Micro already did quite a bit of research on the Java exploits,
22:42
so I'm only going to briefly explain them here. The click-to-play exploit takes advantage of the Java Network Launch Protocol, or JNLP. JNLP lets applications launched on the client desktop use resources hosted on a remote web server. It can be used to inline a base64-encoded Java applet in a web page to speed up launch time,
23:05
which you can see up here. Normally, this would get some metadata from the init JNLP file and then launch the applet encoded in the JNLP embedded parameter, with click-to-play protection. But that's not what happens in this case.
23:21
So Java provides a directory service that allows Java software clients to discover and look up objects via a name. It's called the Java Naming and Directory Interface, or JNDI. For this exploit, the attacker crafts a standard init JNLP file with one important change. The file contains metadata about the applet and can also contain a progress-class attribute,
23:46
which should contain an implementation of the DownloadServiceListener interface. This is a Java interface to display, essentially, a loading bar for the applet. Instead, in this case, it contains the class javax.naming.InitialContext,
24:01
which starts a JNDI request for an object of the attacker's choosing. The Java runtime should have ensured that progress-class was an instance of DownloadServiceListener, but it didn't, and that's what allows for this exploit. javax.naming.InitialContext gets a JNDI file from the malicious server,
24:22
which then uses JNDI to request and run an arbitrary class of the attacker's choosing, without any click-to-play protections. In this case, the attacker loads the Go class from the malicious server. Go.class is then used to launch App.class, which is seen above. This brings us to the second Java exploit, which is the vulnerability in object deserialization.
24:46
The vulnerability allows an attacker to craft a serialized object which, when unserialized, contains as one of its attributes the private attribute of another object outside of the serialized object type. And this is the crafted serialized object; don't bother trying to read it.
25:04
After the object is deserialized, this is what it looks like in memory. We have an AtomicReferenceArray object, which contains an array of Help objects, which is another class that was defined by the attacker. Here's the code that implements the exploit. In step one, we deserialize the crafted object, which sets up the AtomicReferenceArray that you saw earlier.
25:25
Deserializing the object sets up a chain of events in steps two and three which let us trick the Java interpreter into typecasting a ClassLoader object into a Help object, allowing the attacker to call the protected method ClassLoader.defineClass. Calling defineClass lets us redefine the System security manager object,
25:44
thus disabling it and allowing the code to download and execute the stage-two dropper. It's worth noting here that the Java code contained facilities to download code for Windows and for Unix-like systems. We were unfortunately not able to find any samples of the Unix payload, although maybe the ESET guys have some.
26:05
There may be some out there. It's also worth noting that the decompiled App.class contained a lot of debugging strings. This suggests that the attackers were in a hurry to deploy this code, or they're sloppy. You can see there there's some System.out.println lines,
26:22
and they didn't have time to remove the debugging strings. So the stage-two dropper is called cormac.mcr, and it's given a randomly chosen name once it's on the system, and it's a dropper for the Sednit malware. The dropper checks if a debugger is present, and then decrypts the data using RC4, writes registry keys, and
26:44
does a local privilege escalation exploit, or attempts a local privilege escalation exploit, and then drops and starts Sednit. Sednit in this case is internally called api-ms-win-downlevel-profile. It registers five exports, and
27:02
of those only two contain any interesting code. I'm not going to get into detail on Sednit, because it's been used in other Pawn Storm campaigns and there's already plenty of research, including the excellent talk on Friday. But cormac.mcr is new for the Pawn Storm group, so we decided it would be worth taking a closer look at that. So, doing the analysis,
27:27
we started to find some interesting strings. You can see some, maybe like command-line UI, "Exploit font forge foo a", a link to something called elevator.dll, and a user agent for Mozilla.
27:44
Also the hex string 0xdeadbeef, kind of suspicious. And we also found this. What the hell is this? This is one single string in the binary. It looks like maybe a concatenation of a bunch of HTML character entities. I don't know what's going on here. Anyway,
28:05
these are some interesting strings, and we figured that if we could learn more about where they had come from, this would probably give us some good insights into the dropper and what all it was doing, maybe even some links back to other campaigns. So I fired up the most powerful reverse engineering tool of all:
28:26
Google. And I searched for the strings, and it turns out I got some pretty interesting results. So,
28:40
about a year ago the notorious mercenary hacking group Hacking Team had their servers completely owned. The hacker Phineas Fisher dropped about 400 gigabytes of documents, email, source code, exploits and binaries. One of the binaries contained many of the same interesting strings from the dropper. The binary is calc elevator exe, which appears to be a proof of concept for a local privilege escalation exploit for Windows.
29:08
Here you can see a hex dump of the data section of calc elevator exe and of cormac.mcr. Note that they both contain the hex string 0xdeadbeef, followed by the URL for elevator.dll and then a series of null bytes until they get to what appears to be a
29:25
bunch of DLL import strings. The two sections of the binaries are identical. Here's the source file, which was also in the Hacking Team dump, called loader.c. And as you can see, it contains the string pointing to elevator as well as many of the same other strings
29:43
that we saw in our binary. And it also contains some assembly code which loads the privilege escalation exploit that I mentioned earlier. So there's an interesting timeline here. The Hacking Team leaks happened on June 6th around 1:30 a.m. UTC+1.
30:07
The earliest sample of cormac.mcr that I was able to find online has a compilation timestamp of June 7th at 13:42 UTC+1. This is just 36 hours later.
30:20
No other samples on the internet contain any of these libraries until one that's compiled on June 29th. So what does this mean? Why are these guys so fast? How did they recompile, how did they get this in 36 hours? Right? It seems pretty significant. I have two theories about this.
30:46
Theory one: Fancy Bear sees the Hacking Team leaks on Monday morning when they get into work. They download the torrent, they look through the source code, they find the privilege escalation exploit loader.c. They decide it's interesting, they get it compiling,
31:02
they integrate it into their new dropper, they test it, and they pull the trigger on the operation 36 hours later. There are some holes in this theory. One: that's a shitload of work. Why would a team that is professional, right, and presumably testing their exploits, include brand new untested code that was leaked onto the internet in their operation
31:26
which is about to go live? I'm not sure it makes a whole lot of sense given what we know about them. Another theory is that perhaps Fancy Bear already had access to the particular Hacking Team source code and were in the process of integrating it into their dropper.
31:42
Theoretically, they saw the Hacking Team leaks, realized that signatures would soon end up in antivirus, and decided to execute the operation within 36 hours. It makes about as much sense as the last theory, but we have to ask ourselves how they got the source code in the first place. They could have bought it from Hacking Team, but it doesn't seem like that's Hacking Team's business model, and it's also not a very good one.
32:07
They could have also owned Hacking Team prior to the leaks and already had access to the source code that way. None of these theories are great, and I have no proof for either one of them.
32:24
So in my opinion it's worth researching further to discover if the Pawn Storm / Fancy Bear campaign has any other links to Hacking Team from before the leaks, or how they've been using it since the attack. I think it's also interesting and worthwhile to
32:42
research how the Hacking Team RAT has spread and been used since the Hacking Team leaks happened. And I want to mention here what a boon the Hacking Team leaks were for researchers who are investigating Hacking Team malware. There were a ton of reports and attributions that were made possible by the leaking of this information.
33:05
There was a lot of hard attribution which just wouldn't have been possible otherwise. In my opinion this illustrates just how useful leaks can be for reverse engineers and malware researchers, not just for investigative journalists.
33:22
So thanks to the leaks, in addition to the research that Trend Micro had done and the fact that it targeted us, we were able to draw some interesting connections and attributions that we wouldn't otherwise have been able to. So what lessons can we take away from the attacks that I demonstrated here today?
33:42
One lesson is that the attacks don't need to be sophisticated to work. Most of these attacks were pretty bog-standard spear phishing attacks, trying to convince people to click malicious links or open malicious documents. Governments are rarely using zero-days in this situation, and it seems like governments mostly save their zero-days for other governments.
34:04
Sometimes they're not even using particularly sophisticated RATs; that stuff costs money. Having said that, attacks don't need to be sophisticated to work, and the targeting that we see often is very sophisticated. Attackers know what interests their targets:
34:21
human rights reports, news relevant to their work, and free trips to conferences. So two years ago my colleague Eva Galperin embarked on a campaign to get security professionals more involved in this particular kind of security research, which we felt was typically overlooked because it's often not technically sophisticated.
34:44
We discovered that there were a lot of reversers who were interested in helping, but integrating them into our workflow proved to be quite difficult. Our work in the area has a lot of aspects, and some of the things we do are community relations and trust building. Eva travels all over the world, and
35:04
others of my colleagues and I work directly with vulnerable populations on the ground. This helps us to build the kind of trust relationship that you need in order to convince an activist who's being spied on by her government to give you full access to their devices full of potentially sensitive information.
35:23
We also do incident response and malware analysis, and write reports about the malware that we find. We work to educate vulnerable populations about the specific threats that they face, doing in-person trainings as well as through our internet privacy and security guide, the Surveillance Self-Defense guide.
35:44
Sometimes the work that we do has implications for policy or for law enforcement, in which case we write policy papers or we do activism around these issues, such as our work opposing the changes to the Wassenaar Arrangement. We also work to convince companies to change their practices or policies in ways that help protect users,
36:05
especially vulnerable populations like activists and journalists. And last of all, we do follow-up. Sometimes that means alerting a company that one of their machines has been compromised and used to host a C&C server. Sometimes that means
36:22
sitting down with a victim and getting their laptop back into a state where they can use it for their everyday work, you know, holding their hand and telling them that everything is going to be okay. As it turns out, the security research community is mostly interested in doing the actual malware analysis, because that's the fun part and that's what we're good at.
36:43
They're prepared to give their time, but they want to be presented with a finite task that they can complete in a couple of hours, because, you know, you have other work to do. Only a small portion of the work that we do fits this description, which made collaboration tricky. We made a lot of great contacts,
37:00
but few of them ended up being able to contribute to our research because it mostly wasn't the type or scope of work that they were prepared to commit to. So what do we do now? Eva's Russian, that's the fixation on Stalin. The AV industry is in a unique position to see many types of attacks.
37:24
We would like them to issue the kinds of warnings to people they think are being targeted by nation-states that Google and Twitter do. It would also be good for these warnings to actually be useful. When Twitter started sending out warnings to its users telling them that they thought they might be targeted by a nation-state attack,
37:45
they advised users to use Tor and included a link to EFF's guide to the safety of social networks, neither one of which would actually protect you from a state-sponsored attack. Google advises victims to change their passwords and turn on two-factor authentication,
38:02
which might actually help mitigate attacks. So what can you do? Pick an organization that you care about and offer them your services. There are a bunch of great organizations in the world: Amnesty International, Human Rights Watch,
38:20
Freedom of the Press Foundation, Fight for the Future, etc., etc. Most of them have a small to no technical budget and zero security budget. When you go to these organizations, realize that you're not going to be hailed as a magical rock star unicorn,
38:42
which a lot of us are used to being treated like. In fact they might not even understand what the hell it is that you do. What is this reverse engineering nonsense? But if it's a cause that you care about, it's more likely that you want to engage in the hand-holding and the trust building that it takes to get vulnerable
39:03
populations to a point where you can start helping them with their security problems. All of you at REcon are some of the most talented reversers, malware analysts and hackers in the world. He's shaking his head.
39:21
At EFF, we're still new to this game, and our time and monetary budgets are relatively small. With your skills and with your resources, imagine all of the amazing work you could do to protect vulnerable populations such as journalists, activists and human rights lawyers all around the world. So I urge you to go forth and do that.
39:46
In conclusion, some thanks to my fellow researchers Morgan Marquis-Boire, postmodern, Claudio, Bill, Trend Micro, and all of my colleagues at EFF, who are the most amazing people I've ever gotten to work with. Also huge thanks to Hex-Rays, VirusTotal, PassiveTotal, Joe Sandbox and Cuckoo Sandbox
40:05
for donating their software to us, which we couldn't afford otherwise. Thanks to the REcon staff, and a final huge thanks to Eva, who I couldn't have done this talk without and who was sad she couldn't be here today. And that's it. Thank you very much.
40:29
Yeah, I think we have time. Excellent question. So Hugo asked: if you don't have time to help us directly, what can you do to help?
40:45
And I think some good ways to help are: if you have samples of malware that's targeting people like activists or human rights lawyers, please send them our way. Another important thing that you can do to help is of course donate, because we are a
41:04
nonprofit and our donations make up most of our budget. We don't ever want to be beholden to government or corporate money, because we want to keep fighting all of those guys. How can you donate today? I feel like you're leading somewhere, so come on up, come on up.
41:34
Hello. Sorry, I don't have any voice anymore after all the partying.
41:40
So one of the questions many people have asked me during the weekend is like: I want more swag, I have friends that want it, they couldn't make it, okay, can I buy swag? The thing is, we don't sell swag, we don't sell t-shirts, we don't sell Die Datenkrake. This one is going to go
42:01
in a special way: we're going to do a silent auction for this wonderful board. It's version 1.0. Is Dmitry in the room, or Thorsten? Where are they? How do we pronounce Die Datenkrake?
42:23
Datenkrake. Can you give a bit of a description of what this can do?
42:44
It's probably best described as a Bus Pirate on steroids. We have an ARM core and an FPGA to do hardware hacking and reverse engineering. So this is one of the last ones that we produced for REcon 2013, so it's going to go for a silent auction.
43:04
If you want other swag, and we have swag from past years like you see, there's a donation box. You need to give a donation. Don't be cheap, but you ask for what you want, if they have it in your size. Or we have like towels and stuff, and like
43:23
we have a bunch of swag, or like the hoodies. So you put money in the donation box and you get this. Like this is again, like they're going to be, I have a sheet of paper and
43:41
you put your name, the amount. You don't need to put your name, anything that we can authenticate on during the closing ceremony. Oh, your private key if you want. And which currency do you guys accept? All of them.
44:11
Can I put my credit card in there? Yeah, definitely, credit card numbers. Do I need to put the PIN number as well? Yeah, no, it's super important to have the PIN number. Oh, yeah.
44:20
Also, if you're gonna donate via Bitcoin, be sure to submit your pro ed. Can I put like a physical Bitcoin if I can find any? Yeah, no physical bitcoins. Definitely. You're cool, right? Yeah, they're awesome. Oh, and by the way, if you don't, oh, we've got Dogecoin yet? I'm sure you can find some at the Bitcoin Embassy not far from here. And if you don't have money
44:47
in your pocket and you have plastic but you don't want to put the whole thing in, there's a bank over there, you know. Oh, we don't accept Dogecoin. What's wrong with Dogecoin? I
45:02
love memes, but I have no way to turn Dogecoin in. These are those great guys here. Cat coin? Okay. What about, yeah, I don't know what to say after that. Jokes dying. We've got to work on our standup routine. Any other question? Any other questions?
45:30
Looks like no. Okay. Thank you very much.