Behind LockerGoga – A walk through a ransomware attack worth 40m$
by: Magda Lilia Chelly, CISSP, PhD

This talk describes the attack vectors of LockerGoga and how the ransomware could have penetrated the network of the Norwegian aluminium manufacturer Norsk Hydro. With 31 variants and continuous improvements, LockerGoga has powerful characteristics that let it evade traditional security tools. Unlike NotPetya and WannaCry, LockerGoga does not follow the same propagation method; instead it is copied manually. Researchers are publicly discussing stolen RDP credentials or brute-force attacks as the initial access that got the ransomware onto the network. The talk will describe the LockerGoga technical variants and focus on the latest attack, including the possible scenarios, in terms of the tools used in red teaming and standard penetration testing operations. The talk will also practically demonstrate how ransomware variants can evade traditional anti-malware solutions and attack systems, showcasing techniques such as process Doppelgänging and process hollowing, with a focus on code injection and the heavy binary obfuscation methods that take advantage of the NTFS transactions used in Windows to run malicious executable code hidden under a legitimate process. The goals of the talk are understanding ransomware variations and evasion methodologies.

Dissecting APT Malware against Taiwan in 2019
by: Bletchley Chen & Inndy Lin

Due to the special political situation in Taiwan, Taiwan receives many APT attacks every year, across sectors from government and IT to finance. In the first half of 2019 we have already discovered and investigated several APT attacks, such as ShadowHammer and the ASUS WebStorage case. In this presentation we will share the tactics as well as detailed malware techniques. At the tactic level, these APT attacks first compromise a lower-security but trusted third party as the vector to reach the targets, or use normal system administration tools and cloud services to achieve their intent and avoid investigation. At the malware technique level, more sophisticated droppers and downloaders are used. These malware samples are widely equipped with anti-analysis techniques as well as fileless memory modules. The investigation and reversing tools and techniques will also be covered in this talk.

    APT against Taiwan in 2019
        ASUS ShadowHammer
        ASUS WebStorage
    APT Tactics
        Supply chain attacks
        Synthesizing normal programs for malicious intent
    Malware Techniques
        Stealth methods
        Multi-stage dropper
        Fileless memory module
    Investigating Procedure
        Threat Hunting System
        Threat Intelligence System
        Defeating common obfuscation techniques with IDAPython

Farewell, WAF - Exploiting SQL Injection from Mutation to Polymorphism
by: Boik Su @qazbnm456

At first, I'll give the audience a brief walkthrough of the history of input validation against SQL Injection. Then, some classic and practical evasions will be shown in the slides, and I'll explain why these evasions work and how validation functions handle them afterwards. Of course, the de facto well-known WAFs, like ModSecurity, and some common filters, like libinjection, will also be discussed at the end of the walkthrough.

After finishing the introduction to input validation above, I'll introduce a novel way of utilizing the concept of polymorphism in order to bypass these limitations. The outline looks roughly like the following: a brief introduction to the mutation technique, the differences from other evasion techniques, the scheme, the algorithm, and the potential risks it may raise in the future. Some new bypasses against ModSecurity and libinjection will be shown and evaluated at the end. In conclusion, I'll talk about future work and possible improvements to the idea. I'll also discuss why developer UX/ergonomics problems exist that stop developers from using true solutions such as parameterized queries, strict HTML templating, strong typing and/or taint-tracking systems, and how that, in turn, leads to the problem of lexical and syntactic equivalences in many input languages.

Hacking ICS devices/PLC's for Fun - ICS and IOT Hacking
by: Arun Mane

New-generation malware and attacks have been targeting ICS systems, causing huge monetary and human-life losses. ICS systems are still vulnerable in nature because they are poorly understood. As ICS industries are old and have been functioning for a long time, security has not been a consideration since they started. Apart from PLC, RTU, DCS and SCADA systems, there are third-party vendor devices available on the market which can talk or convert one protocol to another; sometimes they are called serial servers or couplers. These devices are still in a vulnerable state from the point of view of their HMI, protocols and hardware. In this talk, we will demonstrate vulnerabilities in these devices as well as some well-known PLC vulnerabilities.

Hunting Threats with Wireshark Plugins
by: Nishant Sharma, Jeswin Mathai, & Shivam Bathla

Network traffic dumps can be very valuable when processed with the proper tools. There are various open-source and paid tools to analyse traffic, but most of them have either predefined functionality, scalability issues, or one of a dozen other problems. But what if we could convert our favourite traffic analysis tool, Wireshark, into an extensible, free, platform-independent threat/signature/attack hunting tool? In this presentation, we will talk about developing Wireshark plugins to do security analysis of live and stored packets. We will use examples of older and newer protocols (including non-standard ones) to explain the plugin workflow and development.

Identity crisis: war stories from authentication failures
by: Vishal Chauhan

Your online identity has become one of your most valuable assets. Identity vulnerabilities can let attackers completely masquerade as you online: access your personal information, your social media, online banking, and more.

In this talk, we will explore some of the vulnerabilities that Microsoft has observed related to online identity compromise and the approaches we’ve taken to address these issues. These examples will demonstrate how you might approach searching for other vulnerabilities in the identity space and the bug bounty programs that exist to support these efforts.

Making Anomaly Detection system(ADS) for Vehicles (Automotive Hacking)
by: Arun Mane & Nikhil Bogam

Today all vehicles are connected through V2X technologies. All manufacturers are coming out with new technologies that can be added to the vehicle industry, such as fleet management systems and diagnostic toolsets. These systems come from third-party vendors and are still in a vulnerable state, so addressing their weaknesses requires a specific skill set in cybersecurity as well as in attack mitigation for the vehicle industry. The mitigation part (making an ADS) requires deep and niche expertise in the vehicle industry. No one has shown at any conference how to mitigate these vehicle attacks through ADS systems. In this talk we will show you how to make an ADS (anomaly detection system) to mitigate vehicle cybersecurity attacks.

CAN bus attacks

- Introduction and protocol overview

- Firehose attack

- Replay attacks

- Right-After and Right-Before attacks

- Denial of Service

Making an ADS (Anomaly Detection System)

- To mitigate the Firehose attack (CAN message frequency checking): the expected CAN message reception frequency is checked against the actual one. If it is not in range, the message is discarded and is not processed. If an expected CAN message is not received at the expected frequency, the system transitions to a safe/secure state.

- To mitigate Replay attacks: the transmitter ECU sends an encrypted message that includes a monotonic counter and the data. At the receiver end, after decryption, the receiver checks that the received monotonic counter equals the last received counter plus the counter's increment. In case of a mismatch the receiver discards the message, which prevents the replay attack.

- To mitigate Right-After and Right-Before attacks: the receiver ECU's CAN message circular buffer shall check whether the buffer is full. If a last-in-first-out circular buffer is implemented and a Right-After attack is executed, the buffer-full check prevents the malicious CAN message from overriding the intended CAN message. Similarly, if a first-in-first-out circular buffer is implemented and a Right-Before attack is executed, the buffer-full check prevents the malicious CAN message from overriding the intended CAN message.

- To mitigate Denial of Service: all expected CAN messages are filtered in and unexpected messages are discarded. If a DoS attack is executed, the filter will not allow these unexpected messages to be processed.

Frequency checker of CAN frames
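The four receiver-side checks in the outline above, written out as an added example (this is not the speakers' code and is not taken from the talk): an allow-list filter for unexpected IDs, a reception-frequency check with a safe-state transition when an expected frame goes missing, a monotonic-counter comparison that rejects replays, and a buffer-full check that refuses to overwrite queued frames. The CAN IDs, expected period, shared key and the frame sequence are constructed for illustration, and a truncated HMAC tag stands in for the encryption the outline describes, so the counter and data are authenticated rather than hidden; that substitution is an assumption of this example.

```python
"""CAN anomaly-detection checks (added example; not the speakers' code).

Demonstrates the four mitigations from the ADS outline against constructed
CAN frames: allow-list filtering, reception-frequency checking,
monotonic-counter replay detection, and a buffer-full check. The CAN IDs,
periods, key and frames are constructed; an HMAC tag stands in for the
encryption the outline describes (assumption of this example).
"""
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass, field

# Constructed shared key; a real ECU would hold a provisioned per-vehicle key.
SHARED_KEY = b"example-ecu-key-not-for-production"


@dataclass
class Frame:
    can_id: int
    counter: int
    data: bytes
    ts: float          # receive timestamp, seconds
    tag: bytes = b""   # truncated HMAC over (can_id, counter, data)


def make_tag(can_id: int, counter: int, data: bytes) -> bytes:
    msg = can_id.to_bytes(4, "big") + counter.to_bytes(4, "big") + data
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()[:8]


def build_frame(can_id: int, counter: int, data: bytes, ts: float) -> Frame:
    """Transmitter side: attach the tag the receiver will verify."""
    return Frame(can_id, counter, data, ts, make_tag(can_id, counter, data))


@dataclass
class ReceiverADS:
    expected_period: dict          # CAN ID -> expected period in seconds
    tolerance: float = 0.25        # +/- fraction of the period that is accepted
    counter_step: int = 1          # expected monotonic counter increment
    buffer_size: int = 4           # fixed-size receive buffer (FIFO)
    last_ts: dict = field(default_factory=dict)
    last_counter: dict = field(default_factory=dict)
    buffer: deque = field(default_factory=deque)
    safe_state: bool = False

    def check(self, f: Frame) -> str:
        """Return a verdict; receiver state is updated only for accepted frames."""
        # 1. Filter: IDs not on the allow-list are discarded (DoS mitigation).
        if f.can_id not in self.expected_period:
            return "drop:unexpected_id"
        # 2. Frequency: too fast is a firehose; too slow means an expected
        #    frame went missing and the system transitions to a safe state.
        period = self.expected_period[f.can_id]
        if f.can_id in self.last_ts:
            delta = f.ts - self.last_ts[f.can_id]
            if delta < period * (1 - self.tolerance):
                return "drop:too_fast"
            if delta > period * (1 + self.tolerance):
                self.safe_state = True
                return "safe_state:missing_frame"
        # 3. Integrity tag, then monotonic counter: a replayed frame carries a
        #    valid tag but a counter that is not (last + step).
        if not hmac.compare_digest(f.tag, make_tag(f.can_id, f.counter, f.data)):
            return "drop:bad_tag"
        last = self.last_counter.get(f.can_id)
        if last is not None and f.counter != last + self.counter_step:
            return "drop:replay"
        # 4. Buffer-full check: never overwrite a queued legitimate frame.
        if len(self.buffer) >= self.buffer_size:
            return "drop:buffer_full"
        self.buffer.append(f)
        self.last_ts[f.can_id] = f.ts
        self.last_counter[f.can_id] = f.counter
        return "accept"

    def consume(self) -> Frame:
        """Application side pops the oldest queued frame (FIFO)."""
        return self.buffer.popleft()


def run_demo():
    """Feed a constructed frame sequence through the ADS; returns the verdicts."""
    ads = ReceiverADS(expected_period={0x100: 0.1}, buffer_size=4)
    tampered = build_frame(0x100, 3, b"\x03", 0.20)
    tampered.data = b"\xff"                        # payload altered after tagging
    frames = [
        build_frame(0x100, 1, b"\x01", 0.00),      # accept
        build_frame(0x100, 2, b"\x02", 0.10),      # accept
        build_frame(0x100, 3, b"\x03", 0.12),      # firehose: 20 ms after last
        build_frame(0x100, 2, b"\x02", 0.20),      # replay of counter 2
        tampered,                                  # bad tag
        build_frame(0x100, 3, b"\x03", 0.20),      # accept
        build_frame(0x7FF, 0, b"\x00", 0.25),      # ID not on the allow-list
        build_frame(0x100, 4, b"\x04", 0.30),      # accept, buffer now full
        build_frame(0x100, 5, b"\x05", 0.40),      # buffer full, not overwritten
        build_frame(0x100, 5, b"\x05", 0.60),      # 300 ms gap -> safe state
    ]
    verdicts = [ads.check(f) for f in frames]
    return verdicts, ads


if __name__ == "__main__":
    for verdict in run_demo()[0]:
        print(verdict)
```

State is only advanced on accepted frames, so a rejected replay or firehose frame cannot move the frequency window or the counter baseline; that ordering is what keeps the checks from being used against each other. The buffer-full rule drops the newest frame rather than the oldest, which is the behaviour the outline asks for, so a consumer that falls behind will eventually trigger the missing-frame safe state rather than silently losing queued data.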

Navigating the Shift from Opportunistic to Targeted Ransomware
by: Christopher Elisan

CryptoLocker, WannaCry, and the hundreds of other ransomware families that indiscriminately infected businesses and government agencies worldwide have been studied and in some cases neutralized by researchers who figured out how to decrypt data locked down by the respective malware.

Nimble threat actors, however, have lately focused on a much more targeted approach to potential profits. While still largely relying on commodity exploits for known vulnerabilities or configuration weaknesses to gain access to a network, attackers, rather than dropping malware on certain machines, have been hitting organizations hard by flooding ransomware onto endpoints and network shares and demanding drastically high ransoms in return for decrypting the data.

This is an abrupt turn from what had been the norm for more than two years. Already, state and local government operations have suffered major incursions, with one of the biggest being the attack against the city of Atlanta one year ago. Victims in other industries, notably financial services, telecommunications, and health care, have also felt the brunt of these new targeted ransomware attacks.

Pilot Study on Semi-Automated Patch Diffing by Applying Machine-Learning Techniques
by: Asuka Nakajima

When developing a 1-day exploit, patch diffing (binary diffing) is one of the major techniques for identifying the part of a binary where security fixes were applied. This technique has long been well known among reverse engineers, and to support the diffing, various tools such as BinDiff, TurboDiff, and Diaphora have been developed. However, although those fantastic tools greatly support the analysis, patch diffing is still a difficult task because it requires deep knowledge and experience. In order to address this issue, we conducted a pilot study with the goal of achieving semi-automated patch diffing by applying machine-learning techniques. Based on the hypothesis that "similar types of vulnerabilities will be fixed in a similar manner," we applied unsupervised machine learning to extract those patterns and considered how to achieve semi-automated patch diffing. In the talk, we will show the details of our pilot study and share the insights that we have gained from it. We believe that our insights will help other researchers who conduct similar research in the future.

SAML Assailant
by: Narayan Gowraj

Application developers have started transitioning to SSO (Single Sign-On) from conventional username/password systems for authentication and authorization purposes. SSO can be great for both productivity and security controls, since it provides a centralized user authentication service in which one set of login credentials can be used to access multiple applications. SSO built on top of SAML (Security Assertion Markup Language) provides rapid provisioning for cloud-first applications with increased security (multi-factor authentication). On the flip side, SAML, which carries digital signatures along with other user metadata expressed as XML, has a lot of security issues and vulnerabilities if not implemented properly. Some of them include XXE (XML External Entity), cryptographic signing issues, XML signature wrapping attacks and many more. In this presentation, we will discuss an automated way to identify these attacks at scale and provide mitigation guidelines.

The Man-In-The-Middle attack against a certain password manager
by: Soya Aoyama

How many sites do you use? Are the passwords long enough and secure? Do not tell me you reused them. Unfortunately, we do not have a memory good enough to remember so many long and secure passwords. For this reason, there are several companies providing password management applications. However, are they really secure?

I have executed a man-in-the-middle attack against a certain password management application. Surprisingly, the password was exchanged in plain text between the .exe and a .dll, and it was very easy to steal. The program I created is generic and, under certain conditions, can steal information between any .exe and .dll in Windows. In this talk, I will demonstrate the actual attack and provide the technical explanation of what enables it. Finally, I will suggest ways to protect other apps from this attack.

z3r0 to h3r0 - Targeting Crown Jewels over the Internet
by: Viral Maniar

It is very common nowadays to hear about company X being pwned by a hacker. But have you ever wondered how hackers get into these companies' networks? Are they really using precious 0-days to get inside? Even after installing and managing all the latest flashy "cyber" products which detect and block unknown threats, why are we still vulnerable?

As a penetration tester, I perform plenty of external penetration tests, which include open source intelligence (OSINT) gathering techniques such as subdomain enumeration, email address dictionary creation and password spraying. Information gathered through such techniques is crucial for a targeted attacker performing preliminary reconnaissance on a company and its employees. The presentation will also cover how malicious actors use the exposed information and correlate it in a short span of time to obtain access to an internal host. Once an attacker gains the initial foothold, it is a matter of time before they perform privilege escalation and gain complete control over the domain. In short, this talk will demonstrate a number of techniques hackers use to profile a company and gain access to the crown jewels, aka going from z3r0 to H3r0. Attendees will leave with detailed information on how they can better protect their infrastructure.
