DC9723 April 2018 Meeting

DC9723 April 2018 Meeting
When: Monday 23 of April, 2018 from 18:45 to 22:00 (NOTE IS IN MONDAY!)
Where: Checkpoint Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)

Agenda:

Brief Introduction
Deep hooks: monitoring native execution in WoW64 processes – Yarden Shaffir, Assaf Carlsbad
When Virtual Hell Freezes Over – Reversing C++ Code – Gal Zaban

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Title
Deep hooks: monitoring native execution in WoW64 processes – Yarden Shaffir, Assaf Carlsbad

Abstract

WoW64 processes have a complete 32-bit subsystem inside of them, in charge of supplying the 32-bit application with everything it needs to execute. But eventually, the communication with the 64-bit environment itself is done by the 64-bit portion of the process, often ignored by security products and malware alike. Mostly, only monitoring the 32-bit subsystem is enough, but attacks such as the notorious “Heaven’s Gate” technique prove that this approach is far from perfect.
In this talk, we wish to present the possibility of hooking 64-bit API calls inside of WoW64 processes. These can serve various purposes – either intercepting the normal flow of the process execution or gaining better visibility into the process actions – while taking advantage of a “blind spot” and being virtually invisible to the normal security product and confusing to many security researchers.
The task of hooking 64-bit APIs in WoW64 processes introduces some unique challenges, which we will discuss in detail. We will present several injection methods, including a couple of novel modifications for existing ones, that enable injecting a 64-bit DLL into a WoW64 process. We will then demonstrate the adjustments we made to an out-of-the-box hooking engine to make it able to hook 64-bit APIs in the process. Some changes in new Windows versions, such as the introducing of CFG and the changes to some API functions, made this task more challenging, and we will show how we researched these and solved these issues, making this hooking technique useful on all currently available Windows versions.

Title
When Virtual Hell Freezes Over – Reversing C++ Code – Gal Zaban

Abstract
The capabilities that C++ programming provides with the use of polymorphism are also obstacles when reverse engineering these programs.
Dynamic reverse engineering of C++ code is potentially extremely time-consuming and resource-intensive. So, what if we could automate parts of this process and even customize it to the behavior of each individual program?
C++ is known to be a knotty language, templates, lambdas, and smart and unique pointers. All of these features create a jungle of objects intended to make life easier for the programmer. But once the program is compiled, the target program is no longer what it once seemed.
Reversing C++ programs is tedious and demanding, and requires rebuilding inheritance, identifying templates and tainting program flow in order to combat the ties of function overloading and class utilization.
In my presentation I will show how we can use smart and automated tracing to shorten the process in reverse engineering C++ programs.
Rebuilding automatic vtables and virtual function calls are strong capabilities that could be easily achieved with IDAPython, as I’ll explain in my talk, in which I will also show examples for a framework created especially for this purpose.
In my presentation I present “Virtuailor”: a tailor-made framework that helps rebuild the relationships of C++ classes in the program and sew together all of the loose ends.

DC9723 March Meeting – Notice Location Change!

DC9723 March 2018 Meeting
When: 13 of March, 2018 from 18:45 to 22:00
Where: Checkpoint Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)

Agenda:

Brief Introduction
Stories and Tips from the Dark Side of Managing a Security Research Department in a Start-Up – Irena Damsky & Omri Moyal
Unblockable Chains – Is Blockchain the ultimate malicious infrastructure? – Omer Zohar

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Title
Unblockable Chains – Is Blockchain the ultimate malicious infrastructure? – Omer Zohar

Abstract
In this principal research, we investigate the possibilities blockchain technologies pose as an infrastructure for malicious operations. We will demonstrate a POC of a fully functional C&C infrastructure on top of the Ethereum network – the second largest public blockchain which also acts as a distributed computing platform featuring a smart contract functionality.

As Blockchain technologies gain more traction in recent years, it brings promise of creating a decentralized, distributed and transparent economy which aim to disrupt our current centric organizational structures and reduce middlemen.
Notoriously, crypto coins have been the currency of choice on the dark web for conducting illegal transactions. But what about the underlying technology, the Blockchain? Could a distributed, public, popular, global ledger be [ab]used as the infrastructure for the ultimate command and control mechanism?

Managing a botnet is a problem in distributed computing. Once infected, a host must be able to discover, reach and maintain communication with its operator over long periods. Over the years much effort has been made to perfect these capabilities to avoiding detection, maintain anonymity and resist take downs. From plain old HTTP requests, through DIY TCP protocols and encryption, up to fancy P2P networks, DGAs, Fast Flux and cloud service use. While all these techniques have varying degree of resilience and covertness, all are vulnerable to take down once network topology has been determined. Can blockchain turn this around?

In this talk, which will include many code examples and a live demo, we will discuss:

How can the blockchain solves the ‘first contact’ problem?
How to cope with the fact that all data, code and transactions are publicly visible on the blockchain?
What is the footprint of running a blockchain node on the client and how to minimize resources?
Cost analysis: Is it feasible financially to run a botnet at scale on top of a blockchain?
Is it takedown resilient? Can an adversary interrupt or take over the network? Or cause its resources (ether) to deplete? What are the design pitfalls to mitigate such concerns?
What information will be revealed to someone tracking the bot? how do you deal with it?
Does it scale?

Finally, we will try to offer possible mitigations and detection methods.

Title
Stories and Tips from the Dark Side of Managing a Security Research Department in a Start-Up – Irena Damsky & Omri Moyal

Abstract
TBD

DC9723 February 2018 Meeting

DC9723 February 2018 Meeting
When: 27 of February, 2018 from 18:45 to 22:00
Where: SafeBreach Offices in Tel-Aviv (Yosef Karo 18, 4th floor, Tel Aviv.)

Agenda:

Brief Introduction
No Win32_Process Needed: Expanding the WMI Lateral Movement Arsenal – Phillip Tsukerman
Get Rich or Die Trying – Mark Lechtik, Or Eshed

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Title:
No Win32_Process Needed: Expanding the WMI Lateral Movement Arsenal – Phillip Tsukerman

Abstract:

For quite some time now, WMI has resided in the main roster of techniques used by threat actors to perform lateral movement between endpoints. Despite the vast scope of classes and methods available through WMI, attackers moving laterally seem to rely almost exclusively on the “Create” method of the “Win32_Process” class , diving further into the depths of the WMI model only to perform reconnaissance and establish persistence.

This talk will exhibit various never-before-seen techniques for authenticated (file-based and fileless) remote execution, using only pure-WMI methods, along with stealthier enhancements of known techniques, all of which subvert many host and network-based methods of detection without using the notorious Win32_Process class.

The talk will also describe the strengths and weaknesses and provide detection methods for every technique described.

Title:
Get Rich or Die Trying – Mark Lechtik, Or Eshed

Abstract:

In a World where oil is scarce and people click mail attachments they really shouldn’t, One Man sets out on an epic journey for glory, conquest, and other people’s money. So begins the amazing tale of the “Oil bot” campaign: a tale of a single man who ran a sting operation on a good share of the industrial sector, armed with nothing but his supply of off-the-shelf RATs, his very subpar OPSEC standards, and his Nigerian hutzpah. The talk will follow the entire course of Check Point’s investigation into this affair – from the few emails that didn’t add up, through the campaign’s not-so-intricate C&C infrastructure, to the point where we were inside the campaign, looking at all the incredulous details. How do you scam people into scamming other people? What leads a fraudster to leave a trail of incriminating footprints?

And what does a Nigerian scammer want with an energy company, anyway? One thing’s for sure: In this brave new world, the Nigerian prince is no longer happily calling to inform you that you should transfer your money to them; it is you who is angrily calling your bulk provider, asking where all your money went.

DC9723 January 2018 Meeting, in collaboration with OWASP IL

DC9723/OWASPIL January 2018 Meeting
When: 28 of January, 2018 from 18:30 to 22:00
Where: SafeBreach Offices in Tel-Aviv (Yosef Karo 18, 4th floor, Tel Aviv.)

This month we are doing a joint meeting with OWASP IL.

Agenda:

Brief Introduction
OWASP IL updates
Jumping into Heaven’s Gate – Yarden Shafir
Breaking obfuscations – Tomer Zait

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Title:
Jumping into Heaven’s Gate – Yarden Shafir

Abstract:

The old days of 32bit applications are long bygone, nowadays most Operating Systems are running in a 64bit environment, requiring 64bit applications.
So how can a 64bit Operating System run a 32bit legacy Application?
The native 64bit environment cannot directly support the execution of a 32bit Application.
32bit Applications expect several surrounding pillars which help it perform necessary actions,
and those no longer exist in a 64bit environment.
However, in practice Windows contains many secrets, and one of those secrets is the WoW64
subsystem.
The Wow64 Subsystem supplies a natural environment for the legacy 32bit Application and enables anyone to run them on newer 64bit Operating Systems without any trouble.
How the subsystem actually does this remains a question to many.
Any Application, whatever its type, begins its execution in 64bit mode.
The Operating System then relentlessly moves forward to the 32bit world by loading the WoW64 Subsystem, in order to let the 32bit Application execute freely.
In this talk we will dive into the WoW64 Subsystem and explain how a 32bit Application performs 64bit (native) system calls.

We will also see how it is possible to exploit this mechanism in order to create smarter malware that evade Next-Generation and Previous-Generation AV products.

Title:
Breaking obfuscations – Tomer Zait

Abstract:
During my journey in deobfuscating malicious scripts, such as JavaScript and PowerShell, I have realized that there is a lack of good one-stop-shop solution. Researchers still perform this tedious task manually while encountering exploit kits, web injects, PowerShell and python post exploitation agents as well as different legitimate JavaScript products.
During this Session I will demonstrate working with deobfuscation tools I created, of-the-shelf tools and how to create similar tools on your own . In addition, I will touch Android deobfuscation in practice and the obfuscation attack surface each language provides.

DC9723 December Meeting

DC9723 December Meeting
When: 19 of December, 2017 from 19:00 to 22:00
Where: SafeBreach Offices in Tel-Aviv (Yosef Karo 18, 4th floor, Tel Aviv.)
Agenda:

Mystique & Automating Infection Marker Extraction – Dana Yosifovich

From 0 to Infinity – Guy

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Title:
Mystique & Automating Infection Marker Extraction – Dana Yosifovich

Abstract:

It is quite common for malware to mark their territory on the endpoint; leaving a sign to avoid infecting the system more than once. If the malicious program notices this infection marker, it will usually terminate. In this talk, I will explain how this behavior can be used to prevent the malware from attacking the machine. I will also show a demo of a tool that automatically generates a list of mutexes that could be used as “vaccines” against the sample (if there are any).

Extended Abstract:

Many organizations already have a process for obtaining IOCs when performing incident response or malware forensics. This talk focuses on techniques for employing indicators for not only detecting infections, but preventing the compromise in the first place. This approach, which entails vaccinating systems against malware on endpoints, can help incident response and threat hunting teams to contain infections.

While malware can implement the marker using many methods, including generating specific files or registry keys, a common approach to marking the machine involves abusing mutex objects. While legitimate processes use mutexes to synchronize access to shared resources on the endpoint, malware can use them to determine whether it is already present on the endpoint.

It’s possible to vaccinate endpoints against infections that involve infection markers by fooling malware into believing that it’s already on the system. However, how could organizations determine whether the specimen relies on infection markers and, what these markers are? This is where Mystique comes in. This open source tool automatically determines the likely mutex-based markers that might be used to immunize endpoints against the malware specimen. Mystique begins by initially executing the user-supplied sample in an analysis sandbox, retrieves the created mutex objects. Then it runs the malware again, this time generating the extracted mutexes, and checks whether generated mutex objects were effective at changing the sample’s execution flow. Mystique’s output is the list of mutexes that can be used to vaccinate endpoints against the malware. Developers can import Mystique and use in other scripts. For example, the user can create a script that downloads malware from a malware repository and automatically feeds those files to mystique.
Mystique is written in Python and integrates with the Cuckoo Sandbox to “detonate” the user-supplied specimen in a controlled environment to observe active mutex objects and their effects on the malicious program.

 

Title:

From 0 to Infinity – Guy

Abstract:

The Baseband Processor in modern Cellhpones remains one of the least understood elements, yet is incredibly trusted in order to interact with the Cellular Network as well as with the Application Processor.

This talk aims to shed some light on these dark corner, and provide advice for other reverse engineers trying to explore this area.

This talk focuses on Apple’s iPhone Platform, since their recent move back to the Infineon chipset makes research a lot easier, compared to the previous dominating Hexagon chipset.

I will start by describing the preliminary firmware analysis, during which I created rudimentary map of its different parts and their respective role.
I will proceed revealing the secrets hidden inside the Baseband.
I will conclude by presenting a research environment that I have developed that great simplifies the process of diffing, interacting and fuzzing the Infineon SoC.

Side note: Not dropping any 0days, this is a methodology and process talk.

DC9723 November 2017 Meeting

DC9723 November Meeting
When: 14 of November, 2017 from 19:00 to 22:00
Where: SafeBreach Offices in Tel-Aviv (Yosef Karo 18, 4th floor, Tel Aviv.) NOTICE DIFFERENT LOCATION!
Agenda:
From “One Country – One Floppy” to “Startup Nation” – Inbar Raz & Eden Shochat
As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org
*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org
Title:
New Techniques to Exploit NTLM Flaws for Privilege Escalation – Yaron Zinar
Abstract:
Millions of networks are relying on Windows authentication protocols to secure their logins, and consequently the network’s integrity. As these protocols are a popular target for attacks, such as NTLM-Relay, Microsoft went through great efforts to mitigate and secure them. However, they didn’t go far enough. In this talk we will show how NTLM continues to be the weakest link in Windows authentication and poses a serious security threat to enterprise security. We’ll shed new perspectives and discoveries on the NTLM-Relay attack, explore its anatomy, the wide variety of protocols that are vulnerable and how they are exploited in the wild. We will provide an overview of the security enhancements and configuration options implemented by Microsoft in order to thwart attacks. We will present and demonstrate CVE-2017-8563 and explain why it can be used bypass all existing security mitigations and why you are all still exposed to this vulnerability. Finally, we will suggest different detection and protection methods that can be used to overcome NTLM flaws in order to monitor and prevent potential credential theft.
Title:
From “One Country – One Floppy” to “Startup Nation” – the story of the early days of the Israeli hacking community, and the journey towards today’s vibrant startup scene – Inbar Raz & Eden Shochat
Abstract:
The late 80’s and early 90’s played a pivotal role in the forming of the Israeli tech scene as we know it today, producing companies like Checkpoint, Waze, Wix, Mobileye, Viber and billions of dollars in fundraising and exits. The people who would later build that industry were in anywhere from elementary school to high school, and their paths included some of the best hacking stories of the time (certainly in the eyes of the locals). The combination of extremely expensive Internet and international dial system, non-existent legal enforcement and a lagging national phone company could not prevent dozens of hungry-for-knowledge kids from teaching themselves the dark arts of reversing, hacking, cracking, phreaking and even carding. The world looked completely different back then and we have some great stories for you. We will cover the evolution of the many-years-later-to-be-named-Cyber community, including personal stories from nearly all categories. Come listen how the Israeli Cyber “empire” was born, 25 years ago, from the perspectives of 2:401/100 and 2:401/100.1.

DC9723 October 2017 Meeting

NOTICE DIFFERENT LOCATION (SafeBreach)!
DC9723 October 2017 Meeting

When: 24 of October, 2017 from 19:00 to 22:00
Where: SafeBreach Offices in Tel-Aviv (Yosef Karo 18, 4th floor, Tel Aviv.) NOTICE DIFFERENT LOCATION!
Agenda:

“Review of the Ukraine cyber attack 2015” – Guy Barnhart-Magen SLIDES
 “Tales from the Dark Side” – Dor Tumarkin SLIDES
"NATO war games, updating crypto vulns in IDs, and other stuff" - Hillar Aarelaid

As always, the talks are free and there is no need to register. Come and bring your friends.

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Abstracts:
Review of the Ukraine cyber attack 2015 – Guy Barnhart-Magen
The cyber-attack on the Ukraine power grid was unique in that it was public, and not that it happened.
In this talk, I will discuss some unique characteristics of the attack, its structure, and the possible ramifications.
As this attack was attributed as a “cyber” act of war, the interest in the techniques and the methodology used is considerable.

Tales from the Dark Side – Dor Tumarkin
Information Security is a battle fought on many varied fronts.
Join Dor, a researcher and former consultant, as he shares stories of his team’s astounding victories against the feeble forces of good in “Tales from the Dark Side”.

NATO war games, updating crypto vulns in IDs, and other stuff – Hillar Aarelaid

Hillar is visiting from abroad. He has a lot to share with us. This is last minute so we don’t have a full abstract, but he will speak about planning security around online elections, patching physical IDs for SHA256, and running war games for NATO

DC9723 September 2017 Meeting

DC9723 September 2017 Meeting

When: 25 of September, 2017 from 19:00 to 22:00
Where: Checkpoint Offices in Tel-Aviv (HaSolelim 5 St, Tel Aviv.)
Agenda:

“Writing Malware without Writing Code”Gal Bitensky
“The evolution of credential hijacking”Tomer Zait

As always, the talks are free and there is no need to register. Come and bring your friends.

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Abstracts:
Writing Malware without Writing Code – Gal Bitensky
What are the motivations and mechanics of code re-use by malware coders?
To understand that the talk will start with few in-the-wild examples of bad guys re-using existing source code.
Afterwards, an experimental “malware” written from scratch almost purely by copy pasting code snippets will be displayed.
A unique glimpse to its development process and how it performed against leading AVs will be discussed in detail.

The evolution of credential hijacking – Tomer Zait
The login interfaces haven’t changed much over the years, at least not on the client side. Many companies have been breached including some well-known ones like myspace, dropbox and linkedin.
Brute-force attacks have improved, both through statistics and by manipulating & bypassing the defense systems implemented. This talk will present the various attacks, the logic behind them, the possible results of these attacks and conclude with some tools and ideas to mitigate them.

 

August Meeting 2017

DC9723 Next Meeting (we are back!):
When: 22 of August, 2017 from 19:00 to 22:00
Where: Checkpoint Offices in Tel-Aviv (HaSolelim 5 St, Tel Aviv.)
Agenda:

“Passive fingerprinting of HTTP/2 clients” – Elad Shuster
“Hacked in Translation” – Omri Herscovici and Omer Gull

As always, the talks are free and there is no need to register. Come and bring your friends.

*Update – The presentations will be linked here soon.

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org