
Good morning. Okay, good morning.

Good morning and welcome to the second and final day of BSides Pristina 2023. I hope you enjoyed yesterday's sessions and learned new things. For those who were here yesterday, we had some incredible speakers who touched on different compelling topics. Today as well we have a wide range of speakers, there are workshops, and the capture-the-flag competition is taking place outside in the hall. I would like to take a moment to thank the organizers of BSides Pristina. This is the second edition, and each year it is getting better and better. I would also like to thank the University of Pristina, our host, for providing this venue to us. To our team and our speakers, thank you for being here; I know that a few of you flew in from Europe and even from the U.S. Also thank you to our sponsors, you can see some of them over here; some have been with us for the second year, thanks to those as well. And thank you for being here and for taking your time. This is our last day of this edition.

Before we dive into our program, let me go through some house rules. I would ask you please to switch your mobile phones to silent mode. Also, if you need to move around, please do so during the breaks; it is disturbing to have people going in and out while a speaker is presenting. If you need to go out, and if you're standing, make sure that your chair leg doesn't do this. As you can see we have a stream going on, we have a YouTube channel, so we want to avoid any background noise. The emergency exits are this way, across the hall; the restrooms are on your left. In the hall you have two desks: one at the far end on the left-hand side is for the workshops, for which you need to be registered, and on your right-hand side there is another desk for the CTF competition, for which you also need to be registered.

Without further ado, let me introduce the first speaker. It's Max, and he's going to be talking about building bots in Java. Max, the floor is yours.
Good morning. Thank you for coming to this talk. Today we'll be discussing Building Bots for Java Games: A Beginner's Guide. Before I start, one common pattern you'll see throughout this talk is me tying it back to security somehow, as this is a security conference at the end of the day.

Here's the agenda for today's talk. First we'll go through the disclaimers, then we'll introduce the game that we'll be writing the bot for, we'll talk about some of the techniques we'll be using, and finally we'll get into building the bot.

Quick disclaimers: as we are writing bots, the legal territory is questionable, so whatever you learn here, do it at your own risk. I don't do this for my day job; this is purely a hobby of mine, so it's not affiliated with my employer in any way, shape or form, if my employer is listening to this talk.

Let's start off with a meme to lighten the mood. Some of you may have seen this one, "how to draw an owl": step one, draw two circles; step two, draw the rest of the owl. The purpose of this meme is to convey the challenge that speakers face when talking about topics as dense as this. A lot of the topics in this talk could be broken out into their own sections that would be hours long. My goal is for this talk to be for all levels: while you may not understand why we're doing something under the hood, you will understand what is happening.
Let's introduce the game. The game we're going to be working with is RuneScape. Some of you may be familiar with it; if not, I'll give a quick TL;DR. RuneScape was released in 2001 and has been regularly updated to this day. In fact, ten years ago it was split into two: there's the more modern version, which has what you expect from modern games, such as the graphics and gameplay mechanics, and there's the old-school version.

RuneScape itself is point-and-click, meaning that to interact with the game you point at the screen and click what you want to do. For example, if you want to interact with a monster, you click on the monster; if you want to interact with a player, you click on them. This is a little different from your typical games, where you use the WASD keys to move, while in RuneScape the only time you really use the keyboard is to move the camera or to type to other people. The reason it's point-and-click is the history behind RuneScape: it started off as a browser game, and that's what gained it so much popularity, because back then you could run it on low-end machines and have a fully fledged game in the browser. Typically browser games are just mini-games, but this is an actual full MMO in the browser, and this is where it gained its reputation as the game people played at the library or at school.

The game itself is written in Java. There's an asterisk, because the old-school version is written in Java while the newer version is written in C++. The game follows the client-server architecture pattern, meaning that for every one server there are many clients. The quick caveat is that we're actually not going to be writing a bot for the real RuneScape; we're going to be writing a bot for what's known as a RuneScape private server.

So let's talk about what RuneScape private servers are. RSPS is an acronym for RuneScape private server, and really it is a version of RuneScape that is not run by the official developers but rather by individuals who reversed the game and were able to write their own version of it. It typically features custom content and a different style of gameplay, and that's what makes these games so alluring. For example, RuneScape was one of the first freemium games, I think: it's free to play, but eventually you hit a paywall, and if you want to continue you have to buy membership. The difference with RuneScape private servers is that they would typically give you all the membership content and all the features for free. The revenue model was a little different, in the sense that you could pay for custom items, because people value exclusivity, and, as proven by NFTs in the recent past, people want to have a one-of-one of everything. There were lots of different private servers; they've actually been dying recently, but in the past there have been thousands. On the left you see some of the more popular private servers back in the day, some from around 2007 all the way to now.

RuneScape itself had hundreds of thousands of players. The difference between RuneScape and RuneScape private servers is that private servers only had around a thousand players, but the games felt more populated, because RuneScape would split its players across different worlds: you would have maybe 100 worlds with a thousand players on each, while a RuneScape private server would have only one world with a thousand players, so it felt a lot more dense. Last but not least, there are different revisions, a.k.a. versions, of RuneScape private servers. A revision is a version of RuneScape; for example, maybe you like the version of RuneScape from 2007, maybe you like it from 2009. That's what's known as revisions.

Moving forward, let's discuss some of the techniques we will be using today that will allow us to write the bot. First and foremost is reflection. Reflection exists in other languages as well; a language may have its own variant of it, so Golang, Python and Ruby have reflection too. Basically it is a technique allowing runtime inspection and manipulation of objects, methods and fields. What this means is that while the program is running, you can get the value of whatever you want at the current time, and you can actually modify it. Reflection has a close cousin called introspection, and I think introspection is what Python has: it's basically where you are not able to modify the value, you're only able to see it. You'll see reflection commonly used in frameworks and libraries that deal with serialization, testing and things along those lines.

One limitation to know about reflection is that new logic cannot be introduced. What that means is that I can't inject entirely new logic into the client; I can only use what's there, and this will come in handy later. Last but not least, reflection may cause some performance overhead, depending on the number of values you're trying to access with reflection: the more you're trying to get, the more it can impact your performance. An extension of the last point is that any time you use reflection to access a value, you're only getting that state at the current time, meaning if the value changes, for example a player's health in the game constantly changes, then you'll have to use reflection to retrieve it again, so you basically have to keep constantly reusing it. Reflection will be the technique that we will actually use to write the bot today.
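The reflection technique described above, as an added example that is not part of the talk, its slides or any RuneScape client: a self-contained Java program in which Player, its fields and its methods are hypothetical stand-ins for a game object with private state. It walks the same steps the speaker later applies to client.java (get the class from the class loader, grab a constructor, instantiate, cast), then reads and writes a private field, invokes a private method by name, and shows that a value read through reflection is only a snapshot of the object at that moment.

```java
// Added example, not code from the talk or from any RuneScape client.
// Player is a hypothetical stand-in for a game object with private state.
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

// Top-level, package-private class in the same file, so its private members
// are genuinely off-limits to ReflectionBasics without reflection.
class Player {
    private int health = 99;
    private final String name;

    Player(String name) { this.name = name; }

    // Stands in for game logic that mutates state behind the bot's back.
    private void takeDamage(int amount) { health -= amount; }

    public String status() { return name + " hp=" + health; }
}

public class ReflectionBasics {
    public static void main(String[] args) throws Exception {
        // Get the class from the class loader by name, grab a constructor,
        // and instantiate it. Reflection hands back Object, so we cast.
        Class<?> cls = Class.forName("Player");
        Constructor<?> ctor = cls.getDeclaredConstructor(String.class);
        Player player = (Player) ctor.newInstance("bot1");

        // Runtime inspection: every declared field, private ones included.
        for (Field f : cls.getDeclaredFields()) {
            System.out.println("field " + f.getName() + " : " + f.getType().getSimpleName());
        }

        // Read a private field: setAccessible(true) suppresses the access check
        // that the compiler and the JVM would otherwise enforce.
        Field health = cls.getDeclaredField("health");
        health.setAccessible(true);
        int snapshot = health.getInt(player);

        // Invoke a private method by name and parameter types. This only reuses
        // logic the class already has; reflection cannot add new logic.
        Method takeDamage = cls.getDeclaredMethod("takeDamage", int.class);
        takeDamage.setAccessible(true);
        takeDamage.invoke(player, 30);

        // The value read earlier is a snapshot; re-read to see the live state.
        System.out.println("snapshot " + snapshot + ", live " + health.getInt(player));

        // Write the private field directly; the first argument is the instance.
        health.setInt(player, 99);
        System.out.println(player.status());
    }
}
```

Compile and run with `javac ReflectionBasics.java && java ReflectionBasics`. One caveat worth knowing before relying on this against a real client: since JDK 16, `setAccessible(true)` is refused for members of JDK-internal classes unless the JVM is started with `--add-opens`, but it still works between classes loaded from the class path, which all live in the unnamed module; a game client shipped as a plain jar is in that second situation.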
Here's an example of reflection. In the first case you see that we're getting the Runtime class and its exec method, and what this will allow you to do is execute a command. As shown in Rio's wonderful talk yesterday about hacking Cobalt, if you took a close look, Cobalt actually uses reflection to instantiate the arbitrary objects that he would pass using the object HTML tag.

Let's talk about where you may see reflection in the real world. If you've ever had to deal with leveraging deserialization in Java, you have most likely used the tool called ysoserial. If you're not familiar with ysoserial, it's a tool that you can use to generate deserialization payloads that, when evaluated by the target, will result in exploitation. Here's the gadget for CommonsCollections5. Commons Collections is a popular set of libraries published by the Apache Foundation that adds utility and helper methods to Java. The one thing you should note here is that on line 6 we're instantiating an instance of the BadAttributeValueExpException class, then on line 7 we're getting the declared field val, you can see it there, and then finally we're setting a value using it. You may be wondering why we are using reflection to do this; it seems a little bit of an overkill. Well, if we take a closer look at the actual class definition of BadAttributeValueExpException, you'll see on line 11 that the value has the private modifier, meaning, if you're familiar with object-oriented programming, that you're not able to access this value directly from outside the class; the value can only be accessed inside the class unless there are mutator methods like getters and setters, but that's out of scope for this talk.

A second technique we'll be using, which you will commonly come across, is called instrumentation. What instrumentation really allows you to do is add new logic to whatever you're instrumenting. Like I mentioned earlier, one of the limitations of reflection is that you're only able to reuse existing logic; here you're actually able to add any arbitrary logic you want into the application. Instrumentation is commonly used for monitoring, tracing and profiling. For example, if you want to trace the metrics of your app, like how long a specific method runs for, you would be using instrumentation for this. You'll commonly come across this called injection, because you are injecting code essentially. One of the most popular forms of instrumentation is Java agents, which is itself another topic that could have its own talk. Basically what you need to know is that you're able to attach a Java agent to an existing Java program, and it's able to inject into that program. In our case, the most common use case for instrumentation is to inject mutators, such as getter and setter methods. For example, if the class has a field that's private, we can inject a getter method that can now return that object. One last thing about instrumentation is that it's typically faster than reflection, and that's because when you inject getters and setters you now have direct access to the fields rather than using reflection to get them. Today we actually won't be using injection to write the bot, due to time constraints.

So let's examine a real-world example of instrumentation. Hopefully everyone can see this.
Here's a basic Java program; all it does is print "hello BSides Pristina" to standard output. Let's see it run. Here we are compiling it and running it, and like I said, it just prints "hello BSides Pristina". I ran it twice just to show you there's nothing happening under the hood. Now let's look at the agent that we're going to use. The only thing we're going to do with this agent is connect to the main method and insert one last line, "goodbye BSides Pristina 2023", and we prepend an agent tag to it, just for visibility, so you can see that it is the agent that's actually doing it. It then manipulates the bytecode and all that stuff. Let me show the original code again: this is the main method that we're going to be instrumenting, and we're just going to insert that System.out.println("goodbye BSides Pristina"). So let's do this. Here's how we run the Java agent: we pass it an argument called -javaagent and point it to our agent, and as soon as it executes you now see it insert "goodbye BSides Pristina 2023". That's an example use case of a Java agent.

So let's get into building the bot. What is the client itself? You see a picture of it on the left. It's essentially the graphical user interface that the player interacts with in order to play the game. If you think about it, the client constrains what the player is able to do and what they're not able to do. What I mean by this is that, for example, if the player doesn't have an item in their inventory, they are not able to equip that item; or take the view distance of what they're able to see: if something's happening far off, they're not able to see it, because they're only able to play the game the way that the client wants them to play it. Because of this, the client can be thought of as an intermediary, basically a middleman, between the player and the game. Let's talk about... oops, I didn't realize it was not full screen.
Let me provide an analogy that some people may understand. Essentially your web browser is a client, and the website that you're interacting with can be considered the server. In the same sense, the browser comes with an engine which is able to render JavaScript, and because of that you're now able to have client-side code, and there are cases where the client side is able to control how the user interacts with the website. In this example, this is a simple HTML form with one input field, and before the user submits the form, it will check whether the input field contains a single quote. This is the ultimate SQL injection protection, right? Who needs sanitization or prepared statements when you can do something like this? Because if we're talking in the sense where the client has full control, that means the player, like in RuneScape, is not able to directly interface with the server; they have to go through the client. Here's an example where I type in "test" with a single quote, and it tells me single quotes are not allowed. So would this protect against SQL injection? No, and that's because, as many of you may know, what you're able to do is use something lower-level like curl, for example, which doesn't support JavaScript, and send data directly to the server; or if you really wanted to, you could just send raw HTTP requests. You can get really, really low in how you get around this, and we're actually going to be using this to interface with the server. And just like with any other client-server communication that exchanges user input: always trust but verify the data.

So let's talk about how the actual RuneScape private server client works under the hood. The game itself is a Java applet which is bound to a JFrame, and the JFrame itself is a container which contains all the interface components of the game, so your health for example; it draws the sprites in it. Last but not least, the JFrame is also able to receive events, such as mouse clicks or keyboard input. Here's an example of how it may work under the hood, at a very simplified level. Within the client I want to equip an item, in this case the Santa hat. What happens is that a listener is invoked when I click it, which then processes the action: it checks what action you want to process (each action has an integer code associated with it), and in this case it's going to be "equip item". Then it's going to run a series of checks: if you want to equip an item, we'll remove the item from the inventory, and then we'll update the player's appearance to show the equipped item. What's actually happening is that before these checks are run, the client sends a packet to the server, and this is how the packet structure looks. The first value here is the opcode; opcode 41 means equip item. The second value is the item ID, i.e. what item you want to equip; in this case you can see the item ID here, it says 1050. The last two values are not important; it's basically the interface ID, you can ignore them. The server receives that packet and says, okay, the player wants to equip the item, cool. Then it's going to perform some checks: does the player have the item in the inventory, can the player wear the item (maybe there are some stats or requirements associated with the item that the player needs), and if so, cool, let's send the packet back to the client telling it everything is okay, and now we'll update every other player to show that you've equipped the item.
Let's talk about the layers that we'll be writing a bot for; we'll be writing a bot for each of these layers today. If you're familiar with game hacking, you may have heard the terms external and internal in the context of C++ game hacking. It's not the same here, as in using WriteProcessMemory and ReadProcessMemory for external or injecting a DLL for internal; we'll explore each of these avenues, but just understand that we'll be working on three layers. Let's actually start with the last layer, which is the packet, a.k.a. the network, layer. This bot will be known as a headless bot, so let's talk about what that means. A headless bot doesn't have a graphical user interface, and because of that it's able to run on machines that lack desktop environments; typically these machines are Ubuntu servers, Windows servers and so on. Having no desktop environment and no graphical user interface will actually conserve resources. Even if it's a one percent performance improvement, you have to remember that the majority of people who write bots are typically using them to make money, and they're known as gold farmers, which means they're running maybe thousands if not tens of thousands of bots. If you extrapolate a one percent performance increase across several thousand bots, it can actually make a big impact. The one thing about writing headless or network bots is that you need to have extensive knowledge of how the client operates under the hood. For example, if the server sends you a packet of 41, do you know what that means? You really need to understand what's going on. One of the beauties, though, is that you can write this in other languages, so it's interoperable: since you're working at such a low level, literally with bytes at this point, you can write it in any language you want.

To prove this, but actually before that, here's how you would originally log in using the client, the graphical user interface. Notice that first you click there, then you type in your username and your password, and then you click login. This can be considered very manual and tedious if you're trying to run thousands and thousands of bots. The reason for this is, first and foremost, that copy and paste is disabled, so you're not able to just paste the username and password, and you have to click twice, as you've seen. One of the other things we'll talk about is that the client, as I said, has constraints: you're not able to use special characters; anything apart from alphanumeric is forbidden. This will become important on the next slide.
So let's see what's happening. We just saw the login happen; this is what's actually happening under the hood. In red are the packets that the client sends, and in blue are what the server sends. You see that the client sends, I think, 14 (0x0e), basically a magic byte telling the client to start the handshake. Then the server sends back a sequence of bytes, and this is the server key. Then the client sends back a large buffer, and finally the server sends back a response. One thing you should notice about this large buffer (you may not see it, but the big buffer is right here) is that you don't see my plaintext username or my plaintext password. My username was "maximum" and my password was "Maxim"; you don't see that here, and that means that some form of encoding is happening under the hood. That can be compression, it can be encryption, it could be both, it could be something else entirely. In a lot of cases, for games like this, the login handshake is already documented by people who've already reversed it, and if not, just take a look yourself at what's happening in the code. We'll see the code here on the left; don't worry if you can't read it, it's not supposed to be read. What's happening is that TCP is used as the transport mechanism to send data between the client and server, and ISAAC is actually the cipher used for encryption. And if you don't know what ISAAC is... sorry.
As I was saying, ISAAC is used as the encryption cipher, and the way it works is that the cipher is seeded with a combination of random values generated by the client concatenated with the server key that was sent back by the server in the original handshake. Then the seed and the credentials, so my username and password, are exchanged between the client and server using RSA. But as I mentioned, ISAAC is used as the encryption cipher, so where does RSA come in? Stream ciphers such as ISAAC are typically way quicker than something like RSA, which is compute-heavy, especially if you have high data throughput. If this handshake looks familiar, it should, because this is actually how TLS works under the hood. The way TLS works is essentially that the client will use RSA to encrypt a random value with the server's public key and send that value to the server; the server will then decrypt that value, and then they will switch to another encryption algorithm, a stream cipher, most likely AES, and they'll be able to encrypt and send data back and forth to each other.

Like I mentioned, we're now able to write this login handshake in any language, and something that can come out of this is a login brute-forcer, for example; that's one of the security impacts. Here I'll play the video. What I did is re-implement the logic in Golang, and you can see here I'm just quickly scrolling through the code; again, you're not really meant to read and understand the code. What it shows is that it sends a login request. One of the most important things I'll highlight here is that I'm using the server seed. One of the things I noticed that this server in particular did was that it never verified that the server seed you sent it is the one that it sent you. It's not really a security impact, it was just kind of interesting; it makes it way easier to write this. Essentially what's happening is that it's now going to try usernames and passwords and try to brute-force accounts. One thing: look in the bottom-left corner. The reason I say this is because if the login is successful, you'll see it say "player has logged in". So let's try. It's attempting to use the credentials "sparklegem79" with the password "maximum", and if you look in the bottom left it says a player has logged in, and therefore we know it's valid credentials. It keeps going until it eventually exhausts the word list.

Cool. Another thing you could write with this is a server flooder: you can flood the server with a bunch of arbitrary logins, fill up the queue and prevent legitimate players from logging in. As I mentioned earlier, you're now able to send the server unexpected data. For example, the client didn't allow you to use anything but alphanumeric characters in your name; this way we're able to send the server whatever we want. What if during the login process there's a bunch of SQL transactions happening under the hood? If there is no form of SQL injection protection implemented, you're now able to potentially leverage something like SQL injection. Another use case: what if you send the server unexpected data that it doesn't know how to deal with? This can result in a layer 7 denial of service, essentially crashing the server. Oh sorry, it looks like every time I go into full screen...
Cool, let's move on to internal bots. Internal bots are achieved using reflection, injection, or a combination of both, which is why I showed you a quick TL;DR of each in the earlier slides. The cool thing about internal bots is that they save you a lot of time, because you're able to reuse existing code. Like I mentioned earlier, with a packet bot, one that works at the network layer, you really need to know what's happening between the client and server; in this case you're just able to reuse existing code and see what's happening. This is typically the most popular form of bot written for Java games, because of the reasons above.
Let's talk about what client.java is. A lot of RuneScape servers follow very similar boilerplate, and the reason for that is that the majority of people who write these servers aren't really trying to change anything under the hood, because the game itself works well; what they're trying to do is add custom content. So you'll find that the majority of servers follow the same boilerplate. client.java itself can be thought of as a centralized component that works as a controller. What you'll see to the left here is a bunch of values declared that hold references to objects of interest, especially if you're writing a bot: the instance of your local player, NPCs, other player instances, as well as the current player's location, and so on. The client class itself inherits from the GameApplet class, which you can see right here on the first line, "extends GameApplet", which in turn inherits from the Applet class, so the client is able to be cast as an Applet. If you're not really familiar with what I just said, don't worry about it; it doesn't make a big difference until you actually start writing the bot.

Let me show you how we'll use reflection to write the bot. First and foremost we have to discover how the real client is scaffolded, that is, how it's built. In red you'll see here it says "original client", which means this is the code from the original client. First we need to find the main method, which is invoked whenever a Java program is started, so we can see what happens. For context, this main method actually lives in client.java, which is why I mentioned it's such a vital aspect of this whole process. The first things that happen are that we initialize the nodeID field to a value of 10 and the port offset to 0. None of this is important in this case (well, it's important if you're writing the bot); it calls a method, it goes on further, and finally it instantiates a new instance of the client and lastly invokes the createClientFrame method on the instance, passing in the frame width and frame height. The reason this is important is that we'll need to replicate this process using reflection.

Let me show you how that would look using reflection. This is our reflected client, as denoted by the green text here. First we get the client class from the class loader. We then grab the constructor from this class; the constructor is the method that's executed when you instantiate a new object in Java. What we do is instantiate the applet. Whenever you use reflection to instantiate an object or get a value, it will always return a value of type Object, which is the generic object in Java that every object inherits from, and we then cast it as an Applet, because if we never cast it, it would just be treated as an Object and we wouldn't have all the methods that the typical applet has. Lastly, like I showed you earlier, you can see the nodeID set to 10 here; well, this is how we would do it with reflection: we use reflection to get the nodeID declared field, we set it accessible to true if it's private (I don't remember if it's private in this case, but it doesn't make a difference if it is), and then finally we set the value to 10, where the first argument we pass in is actually the class itself. Then we do the same thing with the port and so on. If you look back and forth, we're basically doing everything the same up to this part. So now let's examine how this part works, lines 10 and 11.

Line 10 calls createClientFrame, and the createClientFrame method lives in the GameApplet class, and GameApplet extends Applet, like I mentioned earlier, so it inherits from Applet. You see it implements a bunch of interfaces, such as MouseMotionListener and MouseWheelListener, and this is what allows it to receive events: if you click something in the game, you're invoking the mouse listener, for example, or if you move your mouse you're invoking the mouse motion listener. Let's see how createClientFrame works. Again it does similar stuff, it initializes a bunch of values, but one important thing it does is instantiate a new GameFrame. Let's look at this GameFrame class. GameFrame inherits from Frame, so it is itself an extension of a JFrame. The first thing it does is initialize the applet; it then sets the title of the frame to whatever is defined in the configuration file, it sets whether it's resizable, it sets whether it can be full screen, and finally it calls setVisible(true), so you can actually see the frame. Now let's see how we would do this with reflection. What we need to do is use reflection to get the createClientFrame method, and then we invoke it on the applet that we instantiated earlier. One of the interesting things we can do now is access the GameFrame field from the client: you see we use reflection to grab an instance of it, and we set the title of the frame to "BSides 2023 demo reflection client", and...
Exactly, so that means that this bot will be shown as an object, or will it still be run at the console? So you can run it on a system with no GUI interface now?
So, that's a good question, and I should have mentioned this. This will actually invoke the GUI. What we do is we take over the GUI, and now we have full control over the GUI; this is you playing with the GUI. When I say internal, basically it means you can access the internal code that the client encapsulates, so if the client has a method you want to call, you're now able to do that. Before, when you clicked the GUI, it locked you out: the GUI runs and you can only, you know, play with it as a game. Now we have full control of it. Okay, thanks, thank you for the question. So like I said, we set the title, and if this is successful you now see the client load, and it has "BSides 2023 Demo Reflection Client" as the title. So with the applet now under our control, we can achieve the following things. First and foremost, one of the most important things for a bot is that we can read and modify values that will influence gameplay. What I mean by influence gameplay: for example, now we
can read our health. If our health is lower than a specific threshold we set, we can now eat food or drink a potion, whatever the case may be. If we're fighting a monster, now we can see, hey, we're fighting a monster, what's the monster's health level, and stuff like that. We're able to call existing logic defined in the code: there are several helpers spread throughout the code base, such as the sendPacket method, which basically does exactly the same as our internal bot does but at a higher level, so now instead of having to send raw bytes we can call a helper with some predefined opcodes that will achieve the same thing. This is what I meant by reusing the code in the earlier slide. Finally, we can simulate interaction in the client, such as sending mouse events to mimic clicking or key events to mimic keyboard input. This is important for a bot because at this stage you have two ways to use the bot: you can still be sending packets using the sendPacket method, or you can actually be using mouse events in Java to simulate clicks, and whichever you use is up to you. Both of them may trip some anti-cheat, but again, there's no anti-cheat on this server. So let me show you some of the things we
could do with reflection. Here's a funny quote: "Dance is the hidden language of the soul." What you'll see here is my client and my player, and you'll see that here are some non-playable characters, NPCs, and on the left here is a JShell. What that basically means is you can think of it as a REPL, like Python's IDLE or Ruby's IRB; we're basically able to execute code in the context of this. The way you get JShell to work, and this is not in scope for the talk, is that JShell is launched into its own isolated process, so you have to share the class loader. Again, if you're not really sure what that means, don't focus on it; you can always look it up later. In the bottom left here's the code that we're going to be executing. First we get the npcs field, which is defined in the client, and you see that it's private, meaning it has the private modifier, so we call setAccessible(true) on it. Cool. And finally we get the actual NPCs themselves, which returns an array of NPCs. You see a bunch of them are null, because the array is a predefined size, but you see some instances right here, because these guys are instances. Finally we'll iterate through each NPC and we'll set an animation, and now we can make them all dance. So we have full control of the client. Let me take a sip of water.
So let me show you, excuse me, something else we could do. Another quote: "The only way to do the impossible is to believe it's impossible." In my case I want to run through walls in the game, but the game doesn't allow me to run through walls, so any time I click you see it automatically paths me, like, around the wall. What we can do is very similar to what we just did in the last slide: we grab the collisionMaps field, we set it accessible, because you can see it's private, and now we actually grab the actual collision maps. You can see it's an array initialized with the collision maps, and we'll iterate through each collision map and basically set it to zero. So now I'm able to noclip through walls, and if the server didn't have any logic that validates your location, you would essentially be able to noclip anywhere. Here I show that I'm able to noclip into an area in the bank that's never accessible to players. So those are some things we could do with reflection. Essentially a bot and a cheat client, if you're familiar with the term cheat client, tread the same line: there's a very, very minimal difference between what you could do with the bot and the cheat client, as shown here. This noclip, for example, would be something you would find in a cheat client.
Okay, cool, let's move forward to external bots. External bots: you may have heard the term pixel bots or color bots. Really what they do is just read data using pixels on the screen, so what this means is basically what you see is what you get: what you see as a player is the same thing the bot would see. For example, there's this interesting blog post about someone writing about using OCR libraries and other image detection such as Tesseract, and what they were able to do is highlight the rocks. Again, this is fully external: you're not injecting into or manipulating the client in any way; this is running in a completely separate process. It's common to find libraries for this, so you'll most likely find these bots written in Python because it has support for these kinds of libraries, like I said, Tesseract, OpenCV, etc. There's other software like AutoHotkey, you may have heard of that, where you can have scripts written that will detect the pixel on the screen, and Simba, which was actually built for RuneScape. So here's what is actually happening under the hood with an external bot: we take a screenshot of a section of the screen, we pre-process the image, we use OCR to detect what's happening, and then we take an action. For example, if we're using health, the action is: our health is low, we need food; we'll probably have another script running that's able to locate the food on the screen and then send a click, and then it just loops. So let's take a look at what's happening. What I'm doing here, you may not see it, but my prayer level is right here, and in the game prayer is just a buff, you can consider it. What you see here is I'm using a color bot that's basically extracting the value of my prayer and printing it on the screen, and you'll see that it's really not that reliable: it prints "q1", or it prints something like 539, or 1. Again, my color bot is very, very brittle; it's very rudimentary. Usually you would implement pre-processing and all this stuff to make it robust. What I'm saying is that it's not as robust as internal bots, but some people make them really, really well; to me I find it a lot harder. Another thing I just missed is that if I close this interface, for example, which you'll see me do right here... I just missed it again, sorry. But basically what it does is it reads this value, so if this interface is closed it's not going to be able to read the value anymore. I think I show an example here. There we go: I close the interface, and you can see that it's not able to find the value. So that's why these bots can be considered brittle; these bots can easily be broken. For example, someone once wrote a mining bot that would find a rock of a specific color and would just click on the rock whenever it found the color. What another player found was another item in the game that was the same color, so they went around dropping that item, and what happened was the player's bot just started clicking that item, completely broke, and made it obvious they were botting.
So last but not least, I'd like to leave off with a slide. One essential fact that I didn't show you is that in the real world the client is going to be obfuscated. What that means is that the Java code, basically in layman's terms, is going to be scrambled; it's going to be hard to read, and that's done on purpose to prevent people like ourselves from writing the bot. If you're interested in this talk and want to actually see how you can write a bot for an obfuscated client, there will be a blog post on my blog, hopefully by tomorrow, that will detail the process: basically we'll leave off from where we ended here and then use some deobfuscation techniques to write the bot. And last but not least, here are some cool references you can look at if you are interested in this kind of stuff. And yeah, that's pretty much it. Thank you.
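The reflection walkthrough from the talk above, as an added, runnable Java example; this is not part of the talk or of the client it describes. A stand-in Client class carries private nodeId, port, npcs and collisionMaps fields (names mirroring the talk, but assumptions; the real GameApplet, GameFrame and packet layer are not reproduced, and the applet cast is replaced by a cast to the stand-in class). The code loads the class by name from the class loader, instantiates it through its constructor, sets the private fields, invokes createClientFrame on the instance, then rewrites the NPC animations and zeroes the collision maps, the same steps the talk describes. A small server-side check at the end shows why zeroing the client's copy does nothing against a server that validates moves on its own map; the animation id and port value are made up.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

// Stand-in for the game client. Field and method names mirror the talk but are
// assumptions; the real client (GameApplet, GameFrame, packet layer) is not reproduced.
class Npc {
    final String name;
    int animation = -1;                    // -1 = idle
    Npc(String name) { this.name = name; }
}

class Client {
    private int nodeId = 0;
    private int port = 0;
    private String frameTitle = "";
    // Fixed-size array, so unused slots stay null (as in the JShell demo).
    private final Npc[] npcs = new Npc[5];
    // 1 = blocked tile, 0 = walkable. The server keeps its own copy (see below).
    private final int[][] collisionMaps = { {1, 1, 0}, {1, 0, 1}, {0, 1, 1} };

    public Client() {
        npcs[0] = new Npc("goblin");
        npcs[3] = new Npc("guard");
    }

    public void createClientFrame(int width, int height) {
        // The real method builds a GameFrame; here we only record what it would show.
        frameTitle = "Client " + width + "x" + height;
    }

    public int getNodeId() { return nodeId; }
    public int getPort() { return port; }
    public String getFrameTitle() { return frameTitle; }
}

public class ReflectionBot {

    // Steps from the talk: class from the class loader, constructor, instantiate,
    // set private fields, invoke createClientFrame on the instance.
    public static Client buildClient() throws ReflectiveOperationException {
        ClassLoader loader = ReflectionBot.class.getClassLoader();
        Class<?> clientClass = loader.loadClass("Client");
        Constructor<?> ctor = clientClass.getDeclaredConstructor();
        Object raw = ctor.newInstance();         // reflection hands back Object...
        Client client = (Client) raw;            // ...so cast to get the real type back

        setPrivateInt(client, "nodeId", 10);
        setPrivateInt(client, "port", 43594);    // assumed port value

        Method create = clientClass.getDeclaredMethod("createClientFrame", int.class, int.class);
        create.invoke(client, 765, 503);         // first argument is the instance
        return client;
    }

    private static void setPrivateInt(Object target, String fieldName, int value)
            throws ReflectiveOperationException {
        Field f = target.getClass().getDeclaredField(fieldName);
        f.setAccessible(true);                   // needed because the field is private
        f.setInt(target, value);
    }

    // "Make them all dance": read the private npcs array and set an animation on each.
    public static int animateAllNpcs(Client client, int animationId) throws ReflectiveOperationException {
        Field f = Client.class.getDeclaredField("npcs");
        f.setAccessible(true);
        Npc[] npcs = (Npc[]) f.get(client);
        int changed = 0;
        for (Npc npc : npcs) {
            if (npc == null) continue;           // pre-sized array: skip empty slots
            npc.animation = animationId;
            changed++;
        }
        return changed;
    }

    // "Noclip": zero every tile in the client's collision maps.
    public static int clearCollisionMaps(Client client) throws ReflectiveOperationException {
        Field f = Client.class.getDeclaredField("collisionMaps");
        f.setAccessible(true);
        int[][] maps = (int[][]) f.get(client);
        int cleared = 0;
        for (int[] map : maps) {
            for (int i = 0; i < map.length; i++) {
                if (map[i] != 0) { map[i] = 0; cleared++; }
            }
        }
        return cleared;
    }

    // Server-side check: the server validates moves against its own map, so the
    // client's zeroed copy changes nothing here.
    public static boolean serverAllowsMove(int[][] serverMap, int region, int tile) {
        return region >= 0 && region < serverMap.length
            && tile >= 0 && tile < serverMap[region].length
            && serverMap[region][tile] == 0;
    }

    public static void main(String[] args) throws Exception {
        Client client = buildClient();
        System.out.println("nodeId=" + client.getNodeId() + " port=" + client.getPort()
            + " title=" + client.getFrameTitle());
        System.out.println("animated " + animateAllNpcs(client, 866) + " NPCs");   // assumed animation id
        System.out.println("cleared " + clearCollisionMaps(client) + " blocked tiles client-side");

        int[][] serverMap = { {1, 1, 0}, {1, 0, 1}, {0, 1, 1} };   // server's authoritative copy
        System.out.println("server allows move into blocked tile: "
            + serverAllowsMove(serverMap, 0, 0));                  // false
    }
}
```

Compile with `javac ReflectionBot.java` and run `java ReflectionBot`. setAccessible(true) works here because all classes live in the unnamed module; against a client packaged as a named module you would additionally need the matching `--add-opens` flag, and against an obfuscated client the field and method names above would have to be recovered first, as the talk's closing slide points out.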
Max, thanks so much, that was so great. I'm not a gamer, but now I know how cheating is done. I'm kidding. Do we have any questions for Max? There you go. He asked it in private, but, you know, just for the sake of others: so you mentioned that when you instrument the client you can walk through walls, and if I understand it correctly that all happens in the client. Did you see any... so there's obviously going to be communication between the client and the server for some stuff. Where's that limitation where you talk to the server? And I assume the server also has protections against some things. Where is that line, did you find it, and what can you do when that happens?
Thank you, thank you for the question; it's a good question. So when I showed everyone dancing here, for example, this is only shown on your client; other players are not going to see everybody dancing, so this is completely client-side. This, though, when you're walking, when you're making any movement in the game, is actually sending packets to the server telling it your location. So the way you would implement an anti-cheat on the server is you would have a list of locations where you can potentially say the player cannot be here, and if the player is going there, then you know something's happening under the hood that should not be happening. So any time I walk in the game, any time you click or you walk anywhere, it actually sends your location, your X, Y and Z coordinates and the plane, to the server. Yeah, so lastly I just want to thank my colleagues for coming out and watching my talk. Thank you, Brandon. Thank you, Max. [Applause] We're just going to make a quick break till we set up the next speaker's mic.
So there's not going to be a break; we're going to go with the next speech right after we set up the next speaker, and then there's a lunch break, so please remain seated. I'm going to introduce the next speaker in a second. Also, for those that are registered for the capture the flag or the workshops that are taking place outside: just as we did yesterday, at the end of the event we're going to do the raffle drawing, so I encourage you to pick up the tickets if you didn't; you should have picked those up earlier.
Yes, you're free to walk around as much as you want, okay, but try to stay roughly on that side of this line, because otherwise we get the screen in the background, which is very blinky behind you. It's not a big problem, but it doesn't look good, so don't cross this line, okay? But it's not a super big deal. Okay.
Okay, so we can continue with our next speaker. It's a great honor to introduce my dear friend, but also he doesn't need any introduction: he's one of the pioneers, at least here in Kosovo, when it comes to cyber security, Mr. Kastriot, and he's going to be talking to us today about some data leaks that he has found and will share with you. Thank you again.
Thank you. Maybe you've seen the flyers: my original speech had a different name and a different topic. What happened, really, is that I found a major vulnerability in one of the fintech companies, and we reported it about three months ago, and after that I sent the presentation that I meant to present here and said we are good to go. But then, suddenly, on Friday I received an email saying "we cannot show it, we cannot show it because it's going to damage our reputation as a company and may affect our clients." So we decided to switch the topic, and I hope all of you will like this one. Since we are in a university, and I have been studying in this university too, I decided to do something related to data leaks and universities. So I hope you will like this. Okay, just a short introduction: I am Kastriot, a cyber security engineer. During my career I've been
working as a cyber security engineer, software developer and quality assurance engineer. I have been working in the cyber security industry since I was 12; most of the guys who are here as presenters or attendees started working in cyber security when they were young, like twelve or in their teens, so it's been like 20 years working on it. During my career I've been participating in a lot of competitions, and here are some of them I won; probably the professors don't like them, because I used to beat their students. Okay, but we all started like most of you, as students. Here is a picture of me in 2011 with some of my colleagues; like most of you in a university, we all started out by participating in conferences. This is a conference from 2011, a Microsoft conference. After that my career moved on, developing and evolving. So, okay, what will this presentation contain? We will talk about data leaks and data breaches, we will talk about the tools that I've been using to make an analysis of data leaks at the universities, we will talk about how I managed to make samples of emails and test them, we'll talk about the analysis reports and the impact of that, and we have some conclusions and a Q&A session at the end. So for all of you that are not very
familiar with data leaks: a data leak is sending or showing confidential data to a third party without authorization. For example, if you are a company that shared data with a third party without authorization, or clients' data without their authorization, this is known as a data leak. One of the biggest data leaks known is Cambridge Analytica; maybe you know the Trump campaign, when they used Facebook data to make advertisements, and there was some other stuff that Facebook actually had killed. A data breach is an incident, a confirmed incident, where a company confirms that sensitive data have been leaked and are public, or maybe non-public but on the internet where people can buy or find them. Some data leaks over the ages: Myspace is one of the first ones; LinkedIn, Yahoo, Adobe; Facebook had a big data leak of phone numbers and other stuff in the previous year. So a lot of big companies have faced this kind of incident. For this analysis I have been using two tools. One of them is Have I Been Pwned, maybe you know it, and for you folks in the university I will show it: it's a service where you can check if your email has been leaked in any data breaches or not. The other one is a combo list: a combo list is a combination of all the usernames and passwords from many data leaks that have
been, data breaches that have been built during the years, and it has like 3.8 million combinations of usernames and passwords. For analyzing the emails I've been using this service to see if your emails have been leaked, but for analyzing password patterns and other stuff I've been using this combo list; I will show it in detail in the next slides. So, a deeper explanation: Have I Been Pwned is a website developed by Troy Hunt, an Australian researcher, and what you can do there is put in your email and see the result, whether you have been included in any data breaches. Currently it has like 12.5 billion credentials in its database. For example, if you put in my mail, you can see my email has been leaked in 17 databases. So for most of us who have been using our email for a long period of time, the email has probably been leaked; but it depends how we handle it, and this presentation is about how we should handle the leaks, because sometimes you cannot stop Facebook or other big companies from leaking your data. The combo list is huge, like 100 gigabytes of combinations of username and password, and the people who made it have even made a shell script with indexed files that helps you search fast. So for example you just put in emails and you will see your email and the password for it in this database. For example, if you put in an email, here's the email, here's the password; that is just a random picture, not real data that I found during this analysis. So the analysis was about universities. First of all, what I thought to do was governments, but governments are very sensitive institutions and I might have problems with them, so I did it with universities. The emails that I did, I did for three universities: AAB, UBT and the public university, and here
are the samples. I managed to find this kind of emails on the public internet using a technique called email harvesting, so I didn't get the list of emails from the universities and say "here are the emails, you can test them and provide us a report"; I used email harvesting, which is a technique of finding public emails using Google or other search engines. You can see there is some AAB staff, because University of Pristina and UBT use the same domain for staff and students, but AAB has different domains, so I managed to divide into two categories, staff and students. So these are the steps that I actually conducted to make this analysis: one of them is to analyze the emails, whether they are part of leaks in Have I Been Pwned; after that, check the credential patterns and other stuff in a combo list; analyze password patterns; show the results based on that; and if the results are not enough for the universities, I contact them and say "if you want to see real impact you have to give me permission to show your real impact." One of the universities actually accepted to see the real impact, and after that we did password spraying, which is a technique of brute-forcing all the emails and passwords, and after that we show the impact, which you will see in the upcoming slides. So the first step is to grab every email and try if the email is leaked or not, and the response will show you a result like this: for example, my email has been leaked in 17 breaches, and here are some of them. But doing this manually for more than three thousand emails is probably going to be a hard, repetitive job, and it's not fun. What Have I Been Pwned provides is a paid API, so you can just write a Python script or anything you want and automate it and save the results in any form you want, like a database or a file. So what I
did, I wrote a Python script, tried all the emails, saved the results in a database, and after that I analyzed them. This is a general report from 2900 emails: almost 49% of them have been leaked, so the percentage is almost 50/50. And here you can see a comparison between the universities: you can see that AAB has more than 50%, UBT has more than 60%, and the public university has like 42% of leaks; the red color is emails that have been leaked, green is not leaked. And even the staff of AAB, like more than 80% of them. I'm talking here, we have to know, I'm talking about the emails I had; the university might have like 20,000 emails and maybe some of them are leaked or not, but I had only some amount of emails for analyzing because I didn't get them officially from the university. And here are the sources where we have big leaks: when I analyzed what the sources are from which the data have been leaked, I found out that most of the universities share common sources. For example, one of them is Nitro, and Dubsmash; they are PDF readers and other stuff, and we're going to go one by one.
Most of the emails were leaked, as you can see here, 441 emails, in Nitro, which is a PDF reader that was actually breached in 2020; there were like 77 million emails and credentials leaked, and among the data that was leaked are emails, names and passwords, very important passwords. The second one is Dubsmash, which is a video messaging service; similar to the first one, it was breached in 2018 and it had leaked like 161 million records. You can see the data here; one of them is the password and email address, so very important for our analysis and for a password spraying technique. Similar to Nitro, another application is Lumin PDF; because, based on the results, we can see most of the students and professors use free PDF readers, they have probably downloaded this application, and this application probably required a user account to download, and here is the data that has been leaked: emails and passwords. The next one is a kind of older application, a Facebook application; I don't know if you are familiar with it, it's an application based on Facebook, the kind of application that decides which famous person you look like or something like that, maybe you saw that silly old application from 2016, and there are a lot of emails leaked in this application too. This is another one, PDL, another combo list that includes a lot of emails, leaked in 2019; it has emails but no passwords here. Wattpad is another application that has been leaked; there are 72 emails leaked here from all the universities. LinkedIn scrape is not a data breach but a scraping technique, where someone has scraped all the users, and this is the amount of data that has been leaked here; but even this leak doesn't include passwords, so it's not very dangerous, but of course there are some other personal data too. And Mathway is a math-oriented application that probably students have been using to solve problems, the challenges in university, and there are like 63 emails leaked in this platform too. Canva is a design tool, maybe the designers and architects use it, and it was breached recently, in 2019, and from all the samples of emails there have been 61 emails leaked in this too. And Houzz is a design site, this is more about the architecture things, and there are 49 emails leaked in this data source too. Okay, this remote is not working very well, so I have to click a couple of times. So you can see for AAB there are the
top 10 sources that have been leaked; similar to AAB, UBT has similar things, so maybe the first or second place are swapped, but pretty much the same things, and the same for the public university. And for the professors and staff at AAB it was different, because they have been using a different kind of applications than the public students, and the leaks were different; but what was fun was this MyFitnessPal: it looks like some of the staff at AAB are on diets. And these are the most common passwords that I have found in my analysis. The common passwords are probably similar to the most common passwords used in different categories of people, not just students and professors: 123, 123456, password, 1 to 9, phone number. Phone number I have put in brackets because of the different formats of phone number: including the prefix, with dashes, with lines, with spaces. Birth dates; first and last name and combinations of them, like capital first name, lower... this kind of thing. And there are two passwords that actually break the algorithm of this list, the two at the end, because there are emails that have been leaked in many sources, like 100 sources, and if a guy has the email and all the passwords are the same, and it is leaked in 100 sources, it kind of messes up your data. Because if you have like 10 students that have been leaked in two sources and have different passwords, but you have one student that has been leaked in 100 sources and always has a similar password, this kind of password shows in the top 10 because it is one person but in many leaks. After that I decided, okay, all these results I will email to the universities, to the IT department that every university has, and show the emails, show the leaks, and tell them to inform students and professors to change the password, to see if they still have this kind of credentials and all that stuff. But I got this funny response:
"Thank you for reporting that, but I don't see impact in that." Okay, I said, do you want to see impact? I asked them, do you want to see impact, and one of the universities, AAB, said yes, we want to see impact. Okay, what I did: I did password spraying, so I got all the emails from AAB and all the passwords from AAB and did the brute force of all the possibilities for all the emails, like I've shown in the diagram: for example, the password is 123, I'll try it with all the emails; the next password with all the emails. And the impact was like this, if it doesn't look fun: this is an inbox, this is a professor, and this is a module where the professors put grades for students for exams. Of course we reported them; all of them are fixed and probably for now they are safe. But we have some conclusions that we produced from this research: 49% of the emails that we analyzed for the universities have been leaked in at least one source; universities do not do cyber security trainings, or cyber security awareness, not only for students but even for staff, because when we reasoned with them by email and said "okay, these are the leaks, you have to inform them," they said there is no impact; only when we showed the impact did they say "oh, this is a real deal, now we have to do something." And the third conclusion is that universities do not do data leak monitoring, which most banks and governments should do; they don't do data leak monitoring, and probably if some of the credentials have been leaked on the dark web or the public internet they are not aware of that. So this is all. If anyone has a question, feel free to ask. Thank you.
That was great. Does anybody have any questions? Yes, of course, Professor, because it has to do with your
universities. Thank you very much for your presentation and for your talk; it is really inspiring to see all this work that you have done. I think my students know you already, because we are using, let's say, the results from your bachelor thesis. Kastriot did awesome work in his bachelor thesis, focusing on University of Pristina, and of course his bachelor thesis is closed, it's not public; we have sent all the recommendations that came out of his thesis to the information center of University of Pristina, they have taken some accounts, I think some of them are already patched, some of them are still not, but they are still there. Regarding the question: I think you concretely stopped at the impact, and this is important, because it doesn't make sense researching something without impact. Coming back to the impact, you said that you've done the impact only for AAB. What is the impact for the other universities? Because leaking so much information, and as we know many users tend to have the same email address and probably the same password on many sites, many accounts, that's a huge impact. Can you maybe share something about the other institutions, about the impact?
Yes, I'm aware of sharing some more information, not only from the universities but from the banks too. Actually I did this kind of analysis for banks too, and in one of my reports that I've done in the previous year, for Raiffeisen in Kosovo, the impact was that this kind of leaks ended up in full compromise of the internal infrastructure. So the impact doesn't have to be just an email of a student that someone can access and see his results of studies; in fact it very much depends on what systems the universities use and other stuff. But the worst thing in this is that most institutions, not only universities but even governments and some private companies, do not like to see it and just accept it as a risk. So we have a kind of very famous quote, let's say: there are two types of people, people who have been hacked and people who have been hacked but don't know that they have been hacked. So most of the time you cannot stop big companies from leaking your information, because you cannot do anything, but what you can do is monitor them and take action based on the potential impact. Okay, let me go to Shpend; he has another question for you.
Thank you for the presentation. Did I understand correctly that you used passwords from breaches to do the password spraying, is that correct?
I can't hear you very well, can you repeat please?
Did you use passwords from the breaches to do password spraying?
Yes, because, as I mentioned during the presentation, I used the passwords because we kind of had a deal with one of the universities: do you want to see a real impact? Can we, we did the SLA; hold on, can we do it? Because if you use passwords and you manage to authenticate, that's illegal activity, so you have to have that. So the first part, analyzing the emails and leaks, is about public data; there is no harm in it and you can show the results. But if you use the credentials to log in to them and brute force the account, this activity, if you don't have permission to do it, is an illegal activity, and no one should do it.
So thank you. So the actual question is, how did you get those passwords?
I got the passwords from the combo list that I showed in the first part of the presentation; it's like 3.8 million combinations of usernames and passwords that were leaked in 2021. That combo list consists of about 100 gigabytes, and for every mail I searched in it and grabbed the password, saved it in a database, and after that I made a combination between the emails and passwords and tried them, issuing a brute force attack.
So the passwords from the breaches were, I assume, hashed and salted?
No, actually, what a combo list is, is a plaintext combo list; it's not hashes. What people have done over time is, for example, if they have a database from Nitro, most of the passwords are hashed, but they have tried using rainbow tables to dehash them, and after that some organizations or companies have collected the unhashed passwords from these databases and listed them and made a huge list. It's similar to what the rockyou wordlist is for cracking things, but this is a combo list that includes emails and passwords.
Does anybody else have any questions?
Okay, I think Kastriot is stressed out. Very good, but I will put this very clearly: if you log into a system where you don't have permission, this is illegal activity in Kosovo. You can go to jail. Yes, you can go to jail, so be careful on this. Kastriot is one of the ethical hackers in Kosovo, and in every conference for more than a decade we have been raising this issue to the governments, and I think now by the new law you can get some bounty, or let's say some fee on that, but till now this is illegal activity. So if you have a username and password and you have no allowance to enter, if you're doing this you're doing illegal activity in Kosovo, so be aware of this.

What the professor is saying: testing public platforms is an illegal activity by law in Kosovo, so you are able to test only if you have the SLA before starting the testing. And as a cyber security community we find it very difficult to make this kind of agreement for testing, especially with the government, but since our community has some friends, most of the reports and agreements are more like a friendly agreement. When I reported to that university, I knew who is the head of IT at that public university, I know who's the head of IT at other universities. I cannot do this kind of testing for universities or organizations that you have no relation with; they're probably going to sue you and you'll probably end up in prison. So it's very important to know that.

Great. As you guys noticed, when Kastriot started his speech he was going to do another speech on another topic, how I became a millionaire, and I was so excited, that's why I introduced him as my dear friend. Now I found out that he's not a millionaire. I'm kidding. Actually, your presentation didn't fall short and we liked it. A couple of days ago it was World Password Day, and some of the resources that you have shared are great, like Have I Been Pwned. Instead of what Kastriot did with the emails, what you can do is, through your DNS records, you can put your domain, your company domain, and then whenever there's a leak you will get notified. These leaks on Have I Been Pwned are a little bit delayed. The Microsoft researcher Troy Hunt, as Kastriot explained, will gather this leaked data and then input it there, making it easy for you to find out whether you have been leaked or not. And as we know, monitoring the dark web for leaked credentials can be a tiring, expensive exercise, so this is one of the ways for you guys, for your own and also for your companies. Maybe for myself, one of the key takeaways is that no matter how complex you make your password, it's up to the vendor that you're using how they are storing it, what security measures they have around it, and eventually it will leak. But what we can do about it is to use unique passwords, and then whenever the vendor offers MFA, use multi-factor authentication, not SMS. By the way, LinkedIn yesterday added the Kosovo prefix 383, so that was done through the help of Ms. Hawa Maloku, who works for LinkedIn. Although now, if there's any SIM swapping or something like that, it's not a very effective way. If you have a chance, always use an authenticator of your choice, a password manager, and try to avoid SMS, at least in my opinion. All right, do we have any question? I know that we have a little bit more, like 10 minutes. Let me just lay out quickly what's ahead of us: at 12 o'clock we have a lunch break, we are serving the lunch outside, and then at 1:30 we are back here. We have two great presenters that are coming back for the second year, Maggie and Ryan. I thoroughly enjoyed their presentation last year and I'm looking forward to what they have to present this year, so please, please, please be back on time so we don't interrupt their presentation. We'll see you after the break. [Applause]
Guys, you have set a high standard last year. Honestly, I liked your presentation so much, it was so entertaining, you know, hearing those phone calls, it was funny. So I hope your presentation is at least the same as it was last year, if not better.
Welcome back everyone. I hope you had a great lunch break, you're re-energized and you're ready for the other exciting speakers that we have. As you know, our agenda is published on our website, besidespristina.org, and in there you can see all the speakers and timing. So without any delay let me introduce our next speakers, Maggie and Dylan. They are returning for the second year to BSides Pristina. As I announced before the break, they had a great presentation last year and I'm sure they will do the same thing again, so we are very excited and looking forward to learning new stuff from you guys. The floor is yours.
[Applause] Hello everyone, welcome, and thank you so much for joining us today on our talk as we dive into the dark side of wireless networks: an introduction to Wi-Fi hacking. My name is Maggie and this is Ryan, and we're very happy to be here today. All right, so a quick disclaimer before we get started: we do want to say that any attempt at hacking or manipulating a device or network that you do not have permission to or do not own is illegal, so please, if you choose to do anything that we're going to be showing you in this slide deck, it is for educational purposes, and please make sure that if you try to replicate any of it, it is done in a controlled environment that you have permission to be working on, such as a home lab.

Now, many people... I'm assuming, because this is a security conference, you are all familiar with how Wi-Fi works and what it is. However, for the general public it is oftentimes not quite understood just how important wireless networks are, outside of just that they can connect to the internet. Not only are they being used to ensure that everything in our world is operational, but when misconfigured they can be used as attack surfaces for larger, more complex and sophisticated attacks to go after both individuals and companies as a whole. So what we want to be doing in this presentation is covering some of those instances, breaking down these events when Wi-Fi networks have been hacked, explaining what happened, why it happened, and then going through and actually showing how these attacks can be replicated.

All right, so the first story that we're going to start with is the vengeful neighbor. Back in 2008 a new couple moved into a new neighborhood in Minnesota. They were well educated individuals; the husband was a lawyer. And then all of a sudden they started getting complaints from their co-workers as well as their boss saying, hey, we're getting some inappropriate work emails from you guys. The couple was not sure what was going on and were very concerned, as you see on the screenshots here. As the investigation started from the company, the couple didn't think much of it, until a more serious investigation started from the Secret Service: an email was sent to then Vice President Joe Biden with a death threat. The Secret Service knocked on the door of the couple and started saying that this email originated from your IP address. They started looking into all the network traffic and they actually verified that indeed it originated from the home network of the couple; the IP address matched. The couple kept denying it and wasn't sure what was going on, and the law firm that the couple worked at started doing a digital forensic investigation, and upon seeing the logs of the emails they saw that the IP address was still their home network address, however there was a new device that was unauthorized, that was never used before, that was logged in and authenticated. Then with more digging they were able to find out that that device belonged to the neighbor next door. So then they found out that the neighbor next door was a cyber criminal that targeted the couple. He was mad at them and wanted revenge by hacking into their Wi-Fi. He spent about three weeks looking at the different types of Wi-Fi hacking techniques and tools and found out that their router was using WEP encryption and found some ways to crack it. So after about two or three weeks he was able to get in, he cracked their password, and then started creating fake email accounts and social media accounts like Myspace and started sending emails to their work co-workers and bosses, doing real damage to their careers and their lives. With the investigation from the Secret Service, once they showed up they were really concerned about the Yahoo email death threat to Joe Biden, so that kind of sparked a big investigation, and that way they went and searched the neighbor's house, where they found a lot of evidence that every single attack, every single email that was sent, was from that device and from the neighbor's computer. The hacker downloaded Wi-Fi software, and because of the weak encryption as well as the weak password he was able to break in.

Now let's talk about some terminology that we'll be using later on too. Yes, so to fully understand how this hacker was able to gain access to the wireless network, we need to do a little history lesson on wireless encryption. So Wi-Fi
had its first standardized encryption method back in 1997, which was called WEP, and since then there have been three major version updates, all the way up to what we currently use, WPA3. Now the main improvement for each of these versions was to address previous security concerns identified in the other versions, as well as keeping up to date with new and emerging technologies. The big issue with these different encryptions is not necessarily that they have known vulnerabilities; it's that they are not all kept up to date. Current routers that exist out in the real world are not updated to the most recent ones, which means that these vulnerabilities that have existed on these older systems are known and can be actively exploited, and that's where the biggest threat lies: they're not keeping up to date. In some cases this is intentional, to save time and money; in many other cases it's just the fact that people are not aware that it needs to be updated and no one is telling them they need to.

And real quick, some other terms that we are going to be using. WPS: this is a protocol in wireless networks you may be familiar with as a little button that you can push on a router to connect a device without having to enter the password. This is a known insecure protocol; however, it is still very widely used throughout the entire world and is often misconfigured when used. Additionally, we also want you to be familiar with the term ESSID. This is just the name of the network, so when you join a wireless network, whatever it says that you're connected to on your phone or computer, that is the ESSID. It is to be noted that this is different from the BSSID, which is the hexadecimal value associated with an access point, such as a router, that connects you to an actual wireless network.

So as we mentioned, in this specific instance the hacker was breaking into the WEP encryption standard of the neighbor's Wi-Fi. At the time of this attack it was 2009, meaning that the WEP encryption standard had been used for about 10 years but was outdated by two different versions, so it should not have been being used, but it was. But let's take a look at exactly how this WEP encryption standard works and why the hacker was able to take advantage of it. So there are two main aspects going on here: we have the top portion and the bottom portion. In that top portion we can see there's the plaintext, which is just the general information that's being sent from a computer to whatever network you're trying to send it to. So if you're communicating with a website, the information that you're sending to the website will be stored there and then will be sent over. This plaintext is then put through a mathematical algorithm to get that ICV value. All this does is it allows an endpoint, such as the website, to verify that the information being sent is legitimate and has not been changed. This is very helpful; however, if this message is just sent as is, people will still be able to read the actual contents of the message, and as technology has evolved since 1997 there are current attacks that can be done to still change the message and change that end value, so even if it comes out with that value it's not necessarily that it hasn't been changed. So that's why we need to add the second part, the lower portion, the encryption standard. So what's going on is we have two different values, that IV and that shared key. These combined are supposed to be a very long number that would be hard to guess and that is constantly changing, so that every time it is used it can then be put through an algorithm that scrambles up the message, so that only the end receiver, in this case a website, could decrypt it and understand what the message is saying. But since this was made back in 1997, what was considered to be a long enough number back then is no longer the case. With emerging technologies we can do what are called brute force attacks to guess all of the potential numbers in order to identify what is the real number and be able to decrypt the actual message. But in some instances, if you just make the number longer it still becomes encrypted and it becomes very hard to break unless you have very expensive hardware. So the other big issue is that IV value. It is supposed to constantly change every single instance of communication; the problem is there is no way for the actual standard to enforce this, meaning that most people don't change that number every time. And since really all that's going on is there's just a mathematical algorithm that's being used to encrypt the original message, patterns can emerge if the same numbers are being used. So with a large enough sample size of different packets you can begin to limit the amount of numbers that you need to check before identifying the specific number. As a result, you don't have to guess every single number, you only have to guess a limited amount, and this is exactly what the hacker was targeting. Over a week or so period the hacker was able to gain a large enough sample size with this number not being changed, so that it limited how many tests he had to perform, and eventually he was able to guess the correct numbers, reversing this entire process, identifying what the messages were, and eventually gaining the password that was stored in that initial plaintext message. From there he could then join the network and do all the attacks that we've discussed.

All right, so we started talking about WEP, which is a little outdated and was cracked a long time ago. Now let's start talking about something that is more relevant, more recent. This is about WPA attacks. This actually was not done by a malicious actor; it was research conducted in Tel Aviv. However, it proves a very good point of
how insecure some routers can be. Expo City is a research project that took place in Tel Aviv in 2018 and was conducted with only $50 worth of equipment: a laptop, some free Kali tools, as well as a signal booster or adapter that was used to boost the signal so that the whole city could potentially connect to it, so that he could get the signal for the whole city. He walked around with this adapter and gathered as much information as he could, and then used that booster to run scripts to exploit previously known vulnerabilities such as PMKID, which basically allows you to collect hashed passwords and be able to crack them without needing to look at any network traffic at all. So with that said, he walked around the city, collected 5,000 hashed passwords and started cracking them. He was not successful with all of them; however, he was successful with over 3,500 passwords, which is a large amount, and there was no limitation, as he just chose to collect 5,000, but this could have been much more impactful. This was very easy for him because most people were using their full phone number as their password, so that made it easy for him to guess and brute force that way. One of the main vulnerabilities for PMKID attacks is Wi-Fi roaming, which must be enabled; not all routers have this feature, however the ones that do are vulnerable to PMKID attacks. Although this took place in a specific place like Tel Aviv, the vendors of these routers that were vulnerable to this type of attack are known worldwide, and this could be done in any other country.

Now there are different types of Wi-Fi hacking tools that can be used. Of course they specialize in different things, depending on the scope and the target; however, today we're going to talk about two of them, which are our favorites. The first one is the Aircrack-ng suite, which is a Kali Linux Wi-Fi hacking and pen testing tool suite that has a lot of different features, from monitoring to attacking to testing. Some of them are airmon-ng or aircrack-ng, and they can be used for enabling or disabling monitor mode, which is the first thing that we do for any type of wireless attack. In addition, we have Wifite, which is a very powerful automated Wi-Fi tool which takes some of the tools from the Aircrack-ng suite, takes those scripts and automatically runs them, so it does everything from finding those access points that are available and up and running, to cracking the passwords, de-authenticating them and connecting them to a rogue access point, or any other attacks that they want to do, such as PMKID that we mentioned as well.

Now we could do an entire presentation just on Wi-Fi encryption if we wanted to, and the different ways that we could try to crack it, but in lieu of that we are going to show you just the overall general process for trying to break wireless encryption. Now the very first step is just to identify which wireless networks you want to be attacking, whether you're going to follow a similar case to our first story where you're targeting an individual network, or if you're going to do something along the lines of the second where you're targeting a wide range of networks. Either way, you want to identify
which ones you want to target, and then attempt to access them without any hacking. If you can bypass this entire process just by gaining access to an open network or by asking someone for the password, then it saves a lot of time, and you'd be surprised at how easy this can be, such as going to a restaurant and, instead of trying to break it, just asking for the Wi-Fi, if people aren't familiar with why it's important not to share it. But assuming that's not the case, then the next step is you're going to want to get that ESSID, the network name; that's the way we can target something when we're actually attempting to attack it. There are instances where the ESSID is hidden and it won't be visible at all or have a name at all, in which case you can run these simple commands to identify the BSSID, which will be used in the same way to show which specific network we want to target to unleash our tools onto. So after this you'll have a target, and you know what it's called and how to use the tools against it. So you're going to ideally try an overall tool that's going to address and identify different information about the router and attempt some of the most basic attacks. In this case, as we mentioned, we prefer Wifite; it's very easy to use, so we're going to show you a quick demo of what that looks like. Once we run Wifite, it's going to start up, it's going to go into monitor mode, and it's going to search for all networks in that area. In this case we're targeting that second network, Netgear 80, and immediately once we select it, it's going to start doing those initial vulnerability checks based on what information it's able to gather. In this case we see that that WPS standard is running, so it's going to try to break those; we've configured it so that it won't be the case, so instead it's going to go through and try some other methods against the larger encryption standard, WPA. In this case what we're able to find is that, with a client connected, someone was actively trying to join the network, we're able to steal that packet, and while it's encrypted we're able to find a hashed value of the actual password for the wireless network. As a result of that we can then run a brute force attack to try to break that hash, and in this case, since we were using the default password, it was able to be found and identified. This isn't always going to be the case, especially since Wifite itself is not specifically a hash cracking tool, but with this information you can then pivot to more specific tools, such as something like hashcat or John the Ripper, that you can then use to break more of these hashes. But even if it's not able to break it or identify an immediate vulnerability that you can exploit, this information gained by Wifite will give you information about the wireless network, such as what encryption it's using and any other information that you can use, and then from there you can pivot to more detailed tools that are specific. Again, these wireless networks, the older versions, have been out for decades, so there are a whole lot of people who are very intricately familiar with these vulnerabilities and how they work and have created very specific tools targeting those vulnerabilities. So out there you're going to be able to find something, or a tool that you can pivot to, to target that specifically. So pivoting to those, and with enough time and dedication, you'll be able to break these older encryption standards and find the information that you're trying to gain access to, and then with that you'll be able to gain access to the wireless network.

So moving on from encryption, we're going to tell a different story, targeting a different way that wireless networks can be attacked. So in this case we have a traveler who is at an airport. Now they wanted to access the internet, do some work while they're on their layover, and so while they were there they open up their computer, try to join the airport
Wi-Fi. If you've ever been to an airport, I'm sure you've seen that there are a lot of different networks that are available, and oftentimes what people will do is just join the first one that seems to be legitimate. In this case it was named Sydney Free Airport Wi-Fi. She joined it, you get the little pop-up, it's asking her to verify that, hey, you are a legitimate traveler, asking her where she's going, her plane ticket, and then after entering that information she's able to get onto the network, do the work that she was trying to do, and while she was there access her bank records, just checking her bank account. A week later she goes back and checks her bank account and identifies that a purchase was made, while she was on the plane, at a restaurant in Germany. Obviously this wasn't her, being that she was actively flying, so she does a little bit of research and she's able to identify that something called a rogue access point was active in the airport terminal while she was logged in, and that she had signed into the wrong network, and as a result, by checking her bank account, that fake Wi-Fi was able to steal her information, her username and password, and then log in and mess with her bank account while she was away.

Now let's go ahead and go through the breakdown of a rogue access point: what that is and how that works. So we mentioned in the story that the user was logging into the free Sydney Wi-Fi, which is completely normal; it's the legitimate access point. However, there is unfortunately no way to open the available networks and see which one is the legitimate one and which one is the rogue access point, so there are a few other ones that are available that have similar names, and this is done so that people are confused and they don't know which one to connect to. So an access point, firstly, is just any entry point that connects you to the internet; it can be a wireless or an Ethernet access point. And then a rogue access point is when an attacker sets up an access point to monitor your traffic, but it's very similar, it's mimicking a legitimate one, with the intention to steal your personal information or interact with it in different ways. So when users connect to this we're able to get any sensitive information. There are two types of interception: there is passive and active. In passive interception we're able to just see their traffic packets; we're able to see if they're logging into their bank account, for example, and maybe their passwords as well in plaintext, however we're not interacting at all. However, in active interception we are able to intercept and do things with what we're seeing on those packets. For example, if they're doing a bank transfer we can capture that packet, we can do a replay attack, change the bank account information from that of the user to the attacker's, and then the money will go to the wrong bank account. So this can be used for bigger hacks as well, such as man in the middle, by interacting with it, so the impact of this can be much bigger.

Now let's take a look at how something like this will actually work. The tool that we like to use is Wifiphisher. It's very simple to run; all you need to do is run wifiphisher -e, with e being the name that you want to call your network. In this case we're calling it Free Wi-Fi. Then it gives us some options of what type of attack we're going to be doing, what we're going to prompt the user with to try to trick them. Once we do that, we get a little home menu that's going to show us information about the network, and then a live feed of anybody connecting to our network. Once someone connects, the choice that we gave them is to give a little pop-up that asks them to enter the password to update their Wi-Fi. This can be customized to be whatever kind of attack or pop-up that you want; in this case this is what we chose to demonstrate. So from here it's just a seemingly legitimate firmware upgrade asking them to enter their password. They're going to enter it and click start upgrade, and once they enter that password we can see on our screen, in plaintext, the super secret password that they entered, and from there we now have it, and the user is just going to be stuck with this loading page until we close the network connection. And once we close it we can still see the password there, and now we have the information that we can use. Again, this
can be customized to do a wide variety of attacks, based on whatever kind of information you're trying to leverage and gain from the actual victim.

All right, so the next story is about Russian spies and a group that started this attack by driving around to different buildings and hacking Wi-Fi by creating an evil twin, which is something that we'll explain in just a moment. So this is a national intelligence group that went around, filled up their car with a bunch of equipment, and started going in near proximity to targeted buildings. The stuff that they had in their car was a WiFi Pineapple, which is a Wi-Fi hacking tool; in this case it was used so that they could turn this into an evil twin. They used a high gain directional Wi-Fi antenna; this was used as a booster so that the signal could go further away to those buildings. So let's say they're in the parking lot or across the street; they want to make sure that wherever this signal is going, it's going to be the strongest one, so that users actually connect to it. A 4G modem, which was used to provide internet access to the WiFi Pineapple as well as to all the users in those buildings. As well as a small computer that was used for storage, so they could store all the information that they stole from their victims. Now the way that they worked is they used the signal boost to send deauth frames to those users. Say the user is connecting to a legitimate access point or wireless; they're going to send the deauth packets, they're going to get de-authenticated and automatically connected to the evil twin that they have created. This way they're able to not only extract sensitive information, but they're also able to interact with it by implanting backdoors, or just having access to their Wi-Fi if they're persistent with it.

So let's take a look at what is happening in this evil twin attack. Now, with the rogue access point it relied on us being able to trick a user into joining the wrong Wi-Fi; here we can actually force a user to join our Wi-Fi without having them do anything. So initially what's going to happen is we have the safe Wi-Fi, in this case we're calling it the company Wi-Fi, that a user will already be connected to, using it as they normally would. Then what an attacker is going to do is create an identical Wi-Fi: not only are we going to replicate the ESSID, that network name, but we're also going to take the BSSID, that numeric value, and make a new network that is an exact copy of that. With those two pieces of information the same, a computer is going to see the same exact network and is not going to be able to differentiate between the two, so as a result whichever one has the stronger signal is going to be the one that is joined. So once an attacker is able to create an identical network, what they're going to do is kick the user off of the safe Wi-Fi, sending these de-authentication frames. They send these, the user is now off, and as would normally happen if you've ever been disconnected, your computer is going to automatically try to reconnect to a known trusted Wi-Fi. But since this is
the same exact Wi-Fi, we want to try to get our Wi-Fi to be the one that they automatically reconnect to. So to do that, whichever signal is stronger is what the victim's computer is going to join, so we boost our signal, make ours the stronger one, and then the connection will be established to our own network, which is that malicious evil network.

Okay, let's go over a breakdown of how this process can be replicated in Kali Linux. We're going to use some of the Aircrack-ng suite tools that we talked about earlier; more specifically we're going to start with airmon-ng check kill. Let's go ahead and play this. So what this is doing is going to check all the processes that are currently running and make sure that it kills any that are going to stop us from creating the evil twin. We make sure that we are in monitor mode as well; the moment that we see wlan0mon, that means that we're in monitor mode. wlan0 is just the name of the interface, and that is showing there right now. Once that runs, we're able to see all the available access points. We see the target one, we see Netgear 80; that's the one that we want to create an evil twin for. We grab the BSSID and ESSID, and that's all that we need to run our command to create the evil twin. Then we use that information in the airbase-ng command: we replace the BSSID and the ESSID name, and then we put that on channel six, we make sure we include the interface that is in monitor mode, and there we go, we already have an evil twin that is currently created at interface at0. If we do a quick ifconfig we see that it's already listed, but with no wireless extensions, so we now have to create a bridge to make sure that our interface and the evil twin interface are connected. So we create a bridge, which is called ha in this case, and we connect it to both of the endpoints so that they're connected, and then it's linked between our Ethernet and the evil twin, and then we make sure that it's up and running so that the users connected to the evil twin are actually connected to the internet. Then, what we do, this is part of the process of bridging those two connections, and then we start to see the difference. We do ifconfig to make sure that the ha, the bridge, is actually up and running; we see both interfaces, eth0 and wlan0mon. So once those are up we start monitoring for what kind of new devices are actually logging into the evil twin. First we do dhclient ha &, which is basically taking that bridge and firing up a DHCP client; the ampersand at the end is just to put it as a background process. Kali will just return the process number, which means it's there, so then they will have internet access. Then we start monitoring if there are any new devices that are connecting to the evil twin. As we see, it's still working, it's sending the deauth packets, and on the other side we see the Netgear 80 ESSID client is associated and connected. So how does this look on the victim's side, though? This is how we set it up.
this is how we set up the evil twin how we make sure that's that the victim is connected and we now have access to their Network traffic but how does it look like for them so if we have the Wi-Fi networks that are available that are scanning um if you notice here we're not clicking anything we're just looking at it Netgear 80 is already connected but just uh de-authenticates or disconnects on its own what's happening is that's when the D auth packets are actually playing or going through and we're automatically connecting it to the evil twin that doesn't show here however on some routers that have some security controls implemented you will get a pop-up that
says that the Netgear 80 that you were previously joined which is exactly the same exact essid was not open so that means that the configurations of the evil twin were not exactly the same like the original access point this is a good thing however um for for somebody that wants to do this type of attack we want to avoid it so the way around that is to make sure that every single configuration from the original access point matches the evil twin and then what we do is we fire up Wireshark to sniff some packets on the bridge make sure that there is packets going on and we're able to monitor the traffic that is going in the bridge this
is where everything will happen, from our original ethernet connection to the evil twin, so then we start extracting information from here as well, and see if they have entered any sensitive information such as passwords and things like that.

Warflying. So there are other fun ways we can hack Wi-Fi, such as warflying. This is basically just using any flying object, usually it's an airplane or a drone, flying around with some network detectors to scan for Wi-Fi networks. Most of the time this is done more for reconnaissance, so getting information like how many available Wi-Fi networks are in a certain area. However, it can have a lot of advantages even for those that want to get a large number of networks in a large area and don't want to be walking around or driving around; so that's the main advantage. However, some disadvantages are it's difficult to tell where the wireless network is, so you can be flying your drone around the whole city but you won't have an exact proximity of where that Wi-Fi network is. However, there are some more advanced drones that have built-in GPS capabilities that can take care of that.

One of the coolest events that happened in the past with drones was SkyJack. This, I believe, was discovered in 2018. They basically programmed this drone with a Parrot operating system; it's a drone that hacks all the other drones. What it does is it flies around and then sees all the other flying objects, in this case drones, hopefully not airplanes. It will de-authenticate them, or disconnect them from the actual owner's wireless access point, and make them forcibly connect to this drone, and what that does is it turns into an army of drones that are controlled and monitored by the same one. So with one drone you can hack all the other drones that may be available in the area, and you can start replicating the same process so then you can get way more information around the whole city.

All right, now for our last little attack vector, I wanted to cover something that was very different from all the previous ones. Previously we were showing very technical attacks, trying to evaluate a way in which we can bypass something or break into something. This is taking a brute-force method, where it is hardware. So the Wi-Fi bubble is a hardware tool, also known as a signal jammer. It can range in size from something that can fit in the size of your hand, with a range of 5 to 10 meters, all the way up to something that's backpack sized that can go up to over a kilometer in distance and effectiveness. So what these things are going to be doing is jam any radio frequencies that you have it set to; these can include cell phones, GPS, Bluetooth and of course Wi-Fi. Now, the way this works is it is going to emit signals that are on these same frequencies loudly, as in with a lot of force in relation to radio frequency, that essentially block out any normal information from being passed, forcing everything else to not be effective.

Now, this is an extremely dangerous item to have; depending on where you are, in many places it is extremely illegal just to possess. However, there are legitimate use cases for it, for example if you have something that is in a very detailed government building... yes, exactly, yes. So areas in which you need to prevent information from going in or out of, such as an exam test center or a government building, you can use these to prevent information from going in and out. But there are also many illegal use cases, as can be seen in the upper right picture: this is actually a picture of a criminal who used this radio frequency jammer, the backpack-sized one for a kilometer, to commit a crime. The reason that they use signal jammers in crimes, normal crimes, everything from theft to murder to robberies: these kinds of crimes allow criminals more time to commit the crime before being detected. If anything in this frequency bubble is not able to use the frequency, no outward calls can be made to emergency services; if there is a police officer or someone, they cannot call for backup if they're in this area; if there is an alarm that is tripped, it cannot send any information outward to send responders. So it allows more time for these people to go and actually commit the crimes. Now again, very, very illegal, and in the areas that these have been seen they're really trying to crack down on these tools, but it's just the very opposite end of the spectrum, to show all the devices and attack methods that we've seen today.

There are many different ways that you can go about attacking Wi-Fi, from as blatant as just preventing it from being used, to being very technical and trying to break into mathematically how the actual wireless encryption can work. So there's a lot of different options and there's a lot of different methodologies, and really we've only been able to scratch the surface in what we've covered today. Awesome, and that's all we had for you guys today. Thank you so much. Any questions? Let us know if you guys have any questions. Thank you.

Hi, thank you both for the presentation. I had a less technical question: is there
any push by the European Commission to, like, remove the WPS button or to deprecate the WPA features?

I'm not sure if the European Union has... I know that they have a lot of privacy rules, and they're investing a lot of their security research on implementing things like that, but I'm not quite sure if that's something on their roadmap. But it's a good question, thank you.

You're welcome.

I have another question, a very short one. Thank you very much for your presentation. Maybe you can give us, let's say, an advice: what should we use, or what should we think about, before we connect to any unknown network? Because it always seems frightening, and all of us here are connected. So maybe an advice on what we should check before connecting to any open network.

I'll take this one, is it okay? Okay. So there's unfortunately no way that you can tell for sure if a wireless network that you're scanning, at the airport for example, is an actual legitimate access point or a rogue access point or an evil twin. However, what you can do is, you know, there are always some red flags. For example, in captive portals, if it's asking "hey, where are you going?", this is something that has nothing to do with a security check; usually we see the bots, like "make sure you're not a robot", those tend to be more the standard. However, another way that you can stay secure when you're not sure if the access point is legitimate is using a VPN, to make sure that all the traffic that's going through the internet is encrypted; that way you can stay secure as well. And never access bank accounts or anything sensitive when you're on a public Wi-Fi that you're not sure where it's coming from or how secure it is.

Hi, it was a very good presentation. My question is, how can you manage to deal with the compatibility of aircrack-ng and airmon-ng on ARM64 architecture? For example, I have a MacBook M2 and I cannot get the compatibility between aircrack-ng and airmon-ng to work. So do you recommend any devices to buy to make these tools work, or do you have any solution that you've heard of?

Yes, so obviously the tools tend to work on what they were designed on. The easy solution is to use a VM: if you just download a Kali Linux VM, oftentimes you'll be able to kind of use that, or you can use remote services as well. Additionally, there are plenty of individual small hacking tools; as mentioned, we got that Wi-Fi Pineapple and other tools that you can purchase that are explicitly meant for the purpose of Wi-Fi hacking. So buying the small tools, or you can get something as small as a Raspberry Pi, configure it to run Kali Linux, and right from there you'll be able to create your own little hacking device.

Yeah, so in that case you'll want to try to stick to external services, so getting your own devices and configuring them there to have your own home lab, or you can use remote services online that can kind of do those things for you without having to use your own personal system.

Thank you. Do we have any other question? Yep, real quick, give me a second.

So thank you very much for the presentation. I just had a question, because, I mean, you kind of answered it, but I haven't played with Wi-Fi hacking in a while. So for the evil twin attack, basically when you get the notification that, oh, let's say this access point was actually WPA2 and now you're connecting to an access point that's not password protected, and I saw it was on Mac: has Windows done something similar, or will it just automatically reconnect to the same name without asking? Before, when I last did that, it was like that, but apparently it's changed, so I'm not sure if you guys have any information about that.

We have actually only tested it on Mac, so I'm not really sure. I would assume they would do something similar, but it depends on the operating system we're talking about: is it a 1997 Windows, or is it a Windows 11 that is updated and has all the security controls? So it depends on the operating system, if it's been updated and if it has those security features implemented. I know that Windows 11 has done a lot of work in their security recently, so I would assume they do, but we haven't tested it.

Thank you. You're welcome. Do I see any hands up? No. Thank you, thank you so much Maggie and Dylan, that was awesome. We're just gonna take a quick break, not a break, but till we set up the next speaker with a headset, so please remain seated.
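The evil twin walkthrough in the talk above comes down to three things a defender can observe: a cloned BSSID/ESSID that differs from the real access point in some configuration detail (the pop-up the speakers mention when the twin was left open), a burst of deauthentication frames, and the stronger signal winning the automatic reconnect. The Python below is an added example written for this page, not code from the speakers or from any tool they used; it checks those three indicators over a small constructed capture. The trusted inventory, MAC addresses, signal levels and frame timings are constructed sample values, not values from the talk.

```python
"""Evil-twin indicators from observed 802.11 management frames (constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str      # MAC address the beacon claims to come from
    essid: str      # network name
    channel: int
    security: str   # "WPA2-PSK", "OPEN", ...
    rssi: int       # dBm; closer to 0 means a stronger signal


@dataclass(frozen=True)
class Deauth:
    ts: float       # seconds since capture start
    bssid: str      # AP address the frame claims to come from
    client: str     # station being kicked off


# Constructed inventory: what each of our ESSIDs is supposed to look like.
TRUSTED = {"Company-WiFi": {"bssid": "aa:bb:cc:dd:ee:01", "security": "WPA2-PSK"}}

# Constructed capture: the real AP, a twin cloning BSSID and ESSID but left open and
# louder, and an unrelated cafe network.
BEACONS = [
    Beacon("aa:bb:cc:dd:ee:01", "Company-WiFi", 6, "WPA2-PSK", -62),
    Beacon("aa:bb:cc:dd:ee:01", "Company-WiFi", 6, "OPEN", -38),
    Beacon("11:22:33:44:55:66", "Cafe-Guest", 1, "OPEN", -70),
]
# Two routine deauths minutes apart, then 30 spoofed ones within three seconds.
DEAUTHS = [Deauth(0.0, "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"),
           Deauth(300.0, "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:02")]
DEAUTHS += [Deauth(100.0 + 0.1 * i, "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01")
            for i in range(30)]


def beacon_indicators(beacons, trusted=TRUSTED):
    """Flag beacons that contradict the trusted inventory or each other."""
    findings = []
    configs = defaultdict(set)   # bssid -> every (essid, security, channel) seen for it
    for b in beacons:
        configs[b.bssid].add((b.essid, b.security, b.channel))
        expected = trusted.get(b.essid)
        if expected is None:
            continue                       # not one of ours; nothing to compare against
        if b.security != expected["security"]:
            findings.append({"kind": "security_mismatch", "bssid": b.bssid, "essid": b.essid,
                             "detail": f"expected {expected['security']}, saw {b.security}"})
        if b.bssid != expected["bssid"]:
            findings.append({"kind": "untrusted_bssid", "bssid": b.bssid, "essid": b.essid,
                             "detail": f"expected {expected['bssid']}"})
    # One BSSID advertising two configurations means two radios claim the same address.
    for bssid, seen in configs.items():
        if len(seen) > 1:
            findings.append({"kind": "bssid_conflict", "bssid": bssid,
                             "essid": sorted(e for e, _, _ in seen)[0],
                             "detail": f"{len(seen)} distinct configurations"})
    return findings


def strongest_beacon(beacons, essid):
    """The beacon a station reconnecting to `essid` would pick: the strongest signal."""
    candidates = [b for b in beacons if b.essid == essid]
    return max(candidates, key=lambda b: b.rssi) if candidates else None


def deauth_floods(frames, window=10.0, threshold=20):
    """BSSIDs that sent more than `threshold` deauth frames inside any `window`-second span."""
    times = defaultdict(list)
    for f in frames:
        times[f.bssid].append(f.ts)
    flagged = {}
    for bssid, ts in times.items():
        ts.sort()
        lo = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:     # slide the window's left edge forward
                lo += 1
            count = hi - lo + 1
            if count > threshold:
                flagged[bssid] = max(flagged.get(bssid, 0), count)
    return flagged


if __name__ == "__main__":
    for f in beacon_indicators(BEACONS):
        print(f"{f['kind']:18} {f['bssid']}  {f['essid']}: {f['detail']}")
    win = strongest_beacon(BEACONS, "Company-WiFi")
    print(f"station would join: {win.bssid} {win.security} at {win.rssi} dBm")
    print("deauth floods:", deauth_floods(DEAUTHS))
```

On the constructed capture the open twin is both the security mismatch and the second configuration behind the same BSSID, and it is also the beacon a reconnecting station would pick because its signal is stronger; the deauth flood shows up as 30 frames inside one ten-second window from an address that otherwise sends a deauth every few minutes. Once the twin's configuration is made to match the real AP exactly, as the speakers describe, only the BSSID conflict and the deauth rate remain as signals, which is why monitoring for both is worthwhile.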
Okay guys, we are ready to go with the next speaker. It is my honor to present Paulina Chakoli, and she's going to be talking about how to build a threat model to analyze suspicious and malicious network traffic. So with that, the floor is yours, good luck.

Thank you. Thank you everyone for being here, it's great to be here. I want to thank Dardan and the team for organizing BSides; now we know how much effort is needed, so well done, it's looking great. So today I'm going to speak about using a common attack database and intent clustering to protect websites, mobile apps and APIs.
Okay, apparently this doesn't like me. Yeah, I'll just use this, thank you. So first I want to give an introduction of who I am. My current job is lead data analyst at Netacea, a Manchester-based company, where I work closely with the threat research team and data science team to identify and protect web services and APIs from the recent threat attacks, basically. I'm also a co-founder and organizer at BSides Tirana; we have the call for papers open, it's the second edition that we are running this year. If you want, you can have a look and submit your talk; if you are looking for any instructions, either myself or Rio, we are happy to support and give our feedback.

I'm also an organizer and team member at Illyrian Brains. Illyrian Brains is a community-based organization; the focus is to bring together all Albanian professionals worldwide, do meetups, webinars and have fun together. So I'm interested in threat hunting, both cybersecurity threat analytics and threat protection. My name is Paulina Chakali, you can also find me on social media, on LinkedIn, Twitter or GitHub.

So, sorry, the agenda for today will be: what automated threats are we facing today, kill chain investigation, mapping attacks to the BLADE framework, threat attack sophistication level, what is CAD, the common attack database, the clustering method used to identify malicious traffic, analyzing bad bot behaviors, and also using machine learning to identify bots bypassing captchas. So first let's start with the automated threats. The most recent automated threats that we see in my day-to-day job are credential stuffing, account takeover, fake account creation, scalper and sneaker bots, web scraping, gift card abuse, and also there are so many other automated threats that we are facing nowadays that are causing either financial damage or reputational damage to the businesses.

So I wanted to give us an introduction about the BLADE framework. The BLADE framework is similar to the MITRE framework; I'm pretty sure that everyone here knows about the phases, tactics and techniques of the MITRE framework. It's a curated knowledge base of adversary tactics and techniques based on real-world observations of business logic attacks. There are six phases, distinct stages that a business logic attack may progress through; there are 24 tactics, the strategies employed by adversaries during specific phases; and also 80 techniques, the specific actions or methods performed to achieve tactical goals. And then we will explain and map attacks to the BLADE framework. We'll start with the credential stuffing kill chain overview.

So what is a credential stuffing bot? A credential stuffing bot is used to test previously leaked credentials, typically username and password pairs that you can buy on the dark web, to determine if they are valid on a target web service or API. These bots validate credential pairs against their target web service or APIs by automating login attempts, allowing adversaries to test and validate credentials at mass scale. So when we talk about credential stuffing bots, the endpoints will be login endpoints that adversaries basically will try to attack. In the credential stuffing bot, the BLADE framework has six phases. The first phase is resource development, where basically the attacker will produce the tools that they need to attack; and then we have the reconnaissance stage, where basically the attacker will know what is the specific target, which in this case, as I said before, is login endpoints; and then defense bypass, attack execution, actions on the objectives and post attack. So this kind of attack is the most seen attack recently.

Also the scalper bots and sneaker bots: I'm pretty sure you might have heard about the PS5 launch, when we had this, you know, crazy stuff going on with the PS5s, but also recently in the Eurovision Song Contest the tickets went at around, sorry, 11,000 pounds because of bots doing this, you know, scalping all the tickets and reselling them.

Also I wanted to give some information about the fake account creation bot. Fake account creation bots abuse the sign-up process of a web service to create user accounts in bulk using stolen or fake identities. So yeah, mostly on the fake account creation attacks they target register endpoints. These bots automate multiple sign-up requests, which can be spread out over long periods of time, using IP addresses from different geolocations to hide the fact that they are controlled by one person. I mean, the attacks coming from residential proxy networks might be a good example of this kind of attack coming from fake account creation bots. Many advanced fake account creation bots can also bypass email, phone and captcha verifications. Mapping to the BLADE framework, here we see five phases that are pretty much the same phases, so I'm not going to mention the same ones.

I'm moving to the next attack, which is scraper bots and scalping. This is the same group of... no, sorry, this is scraper bot. Web scraping is the use of bots to gather content or data from websites. They can scrape product endpoints, the prices of the products; it might be a competitor who is trying basically to scrape all your website and clone it and create the same website, or they can play with the prices: if you are selling the same products, they can manipulate the prices and make more business than you. Again, this goes over six phases: resource development, reconnaissance, defense bypass, attack execution, actions on objectives and post attack.

And the last one I wanted to talk about today is the scalper and sneaker bot group: breaking the kill chain with BLADE. So here we have, it's interesting because some of the use cases that we mentioned before are part of this attack, basically. So the first phase of the scalper bot is monitoring targeted websites, creating accounts and scraping products, so fake account creation, credential stuffing, account takeover and product scraping are part of phase one of this attack. And then, if I'm an attacker, I'll scrape your products, I'll create either fake accounts or compromise existing accounts to do some product scraping, and then what I'll do, I'll add all the stuff into the basket: add-to-cart abuse, where bots hit the basket massively. They simulate many users, and we have speedy scripted bots; from my experience we have seen that these attacks last for seconds or minutes in web services or APIs, so they are very fast, that's why they use speedy scripted bots. And the last phase is checkout abuse: bots hit checkout endpoints, and in this last phase they do credit card and gift card fraud as well. So the reason why they do this is because they want to gain discounts basically and spend less money, and then they do multiple purchases exceeding limits, out of stock, and this is mostly used for limited edition products, like Adidas Yeezy or Nike shoes or the PS5 or any other product that is limited edition, basically.

So one important step in analyzing automated threats is the sophistication level. There are four levels; this is how I see it in my day-to-day job. The first one is the easy level, where we have an attack coming from a high volume of requests, and it's like a combination of all categories: one single user, one single IP, one single user agent, one single data center and country. So if we have a high volume of requests coming from a combination of these categories, it's very easy to spot, basically; we can see a peak in the high number of requests, and mathematically we can analyze that quickly and identify that attack. And then the second phase is the moderate level: a high volume of requests coming from multiple users and clients, but we have unique user agents, data centers and countries. So in this case it's still manageable, I'll say; you can build a system with rules and you can still identify these attacks, it's easy. And then we move into the more sophisticated levels. The sophisticated level is a high volume of requests coming from multiple users, clients, user agents, data centers, but one country still. In this case I would say that it's manageable; I mean, we can easily mitigate these attacks, as we can do geo-blocking, for example. In the mitigation strategy you can block a user ID, IP, user agent, data center, country or ASN, or geographically, so these are still manageable. And then we go to the very sophisticated level of the attacks: we see a high number of requests from many different sources, we see multiple categories doing this. These are mostly residential proxy network sources, so what bots do is they compromise residential proxy networks and they behave, let's say, very similarly to a human, and that's the most challenging level of the attack that we see when we protect web services or APIs.
I'll explain later how we do it and how we ensure the protection. So one of the things that we use, which basically mitigates in the first request and doesn't need a big science behind it, is CAD. CAD is the common attack database. It involves some lists; one of the lists that we have created is called the captcha recommended threat list, and this is basically using all the experience: we serve, let's say, a part of the traffic to captcha services and then we can see if something is showing a human behavior or a bot behavior, and then what we do is we aggregate the data and we collect all users that haven't been able to pass captcha at 100 percent, and this is called the captcha recommended threat list and it's part of CAD. The next one is residential proxy IPs, so we do this geographically: we collect all the residential proxy networks, let's say if we are in Kosovo we will collect all the lists for Kosovo, if we do business with the United Kingdom we'll collect the list for the United Kingdom, so basically we collect geographically. And then we have worst offenders, and these are basically values or entities that have been collected through a system of rules. We can use a system of rules, let's say, okay, I can build a regex and I can spot spoofed user agents, for example, or I can build another rule that can see if an IP is coming through a VPN or a private service. So these are, you know, a system of rules that we build and with which we classify if something is malicious or spoofed and not representing human behavior. And also there are some other lists; these lists are coming from the models' output, basically. So why do we use CAD? As I said before, you can mitigate in the first request, you need zero seconds of preparation really. If you want protection in a web service or API, we say okay, a model needs time to tune, to validate, to do the performance measure and all this; so here is the list we have, and we can protect your website straight away.

And then I'll move to the clustering method, which is the most challenging part in the detection, I would say. There is a lot of mathematics behind the, let's say, machine learning models that are used to identify bots. So first of all, this is a classification problem: basically we need to identify if a user is a human or a bot. Being a classification problem, one of the most common methods that we use is a clustering method called DBSCAN, which is a density-based clustering method. There are some hyperparameters on the method. So first we do data set loading and aggregation: we aggregate the data so each row represents a categorical value and has a time series array for that category. And then we have the filtering: filter out categories with a smaller representation in the data and reduce the volume of data to be considered. And here, for example, when we speak about outliers, this method is really good because it removes the outliers, so they are not included in the clusters, and this makes it very efficient for the problem that we have. Noise adjustment: all time series contain a roughly fixed amount of noise which interferes with the distance metric due to scaling. For the distance metric we use, by default it's Euclidean distance, but you can explore the method itself. And the clustering algorithm is DBSCAN, a density-based clustering method, basically. And then we move to the reporting phase, where we have a list of clusters labeled, and then we set some rules, and then we do a cluster selection, and then those clusters are used basically as recommendations for web services or APIs. So if you want to explore the DBSCAN clustering method, you can go to the scikit-learn library and you can play around with the hyperparameters; you can play with the epsilon, the minimum samples of the data, and you can see what's the impact, basically.

So the next one, as I said, is the cluster overview. What the time series clustering method will do is identify entities that have the same behaviors over time. So let's say if I'm a human and I want to buy, I don't know, a dress today, I'll go home, dress, red, and then checkout, payment, and that's it. If you are a bot, you will do a different behavior. The probability of myself doing the same behavior as someone else here at the same time is, I'll say, very close to zero, as it's very rare that all the people do the same behavior, let's say, within the same time period. So what the method does is it correlates; basically it correlates together based on the traffic pattern. So if you have some automated bots, either coming from residential proxy networks, this will be identified from the behavior over time. So we have clusters labeled; in this case we have a lot of clusters, like 26, it's a lot. The minus one cluster usually is unclassified data, so usually we're expecting this to be entities of the data that haven't been able to classify or correlate together from the pattern in the trend. So this is interesting; I mean, usually it's recommended not to use this cluster, but it's interesting because sometimes you can find out that there are some unique bots within this cluster. And then for the other clusters, you build a system of rules in terms of selecting clusters, as it might be, let's say, traffic coming from semi-trusted data centers that you don't want to block, as this kind of traffic is risky, it might cause false positives. This is a good method for captcha as a mitigation strategy, but if we are hard blocking, for instance for mobile app traffic, it might be challenging, and we need to set up some extra rules to make sure that this will be valid.

And then we will see analyzing behaviors. So here are some of the clusters. What is good about this method is that you can run that intent, let's say, at a user ID level, but you can also run that at a client level, user agent, so basically all the categories you have; even at an ASN level you can still run it and find commonalities through ASNs, for instance. So here in the top left graph you will see the minus one cluster; hopefully you can see the automated behavior on the blue line, and then the orange and red one. So usually this is unclassified, but still it's good evidence for finding out some weird behavior. And then you can see the other clusters, where, you know, the values correlate really well over time. So let's say in the top right one you will see that there are how many lines, like five lines or more, but they all have the same behavior over time: when the traffic goes down, these sources are doing the same behavior over time. And then we have the bottom right graph; this is more volumetric in terms of the unique entities that are sending the attack. So here, for instance, it might be a residential proxy network attack, basically, that is using a very distributed list of users and IPs; they use the recent versions of browsers and also they use semi-trusted data centers, and this makes it challenging, but still we can find out from the behavior which are the IPs or users that are doing this and recommend them straight away.
so the last topic I wanted to talk today is bypassing captchas as this is a topic that it's very challenging nowadays so all the companies that have bot management as a strategy as a product this is one of the parts that we see we have a lot of discussions with customers and want to find a good basically solving solution so what happens so low cost human labor to solve capture images they share the same cookies to stay active you can pay them for like very cheap maybe 0.50 to solve 1000 captcha frames and then what they do they keep the cookie active and they can really use the cookie and do the activity basically and then we have ai chat board GPT
Etc that can solve captcha with some human help again but then we also have sophisticated Bots that can bypass capture by using AI to goals and let's say if we have a captcha like yesterday when dardan was sharing the awards for the raffle we saw that you know you need to fill the captcha images you can build an AI model that will be able to fill that and bypass the captcha it's very easy really what we can do is that stop badbot's user from sharing cookies for more than x hours like you can add the rule let's say and say like okay if a user is using this cookie for more than 12 hours 24 hours then stop it like
expire this cookie and they need to use a new cookie and this is like a quick solution it doesn't want a lot of exploratory data analysis and stuff uh the other feature that we investigate is analyze the time that bedbot needs to bypass cacha and compare this to time needed by humans so this is time to pass captcha estimation we visualize the distribution of time needed to bypass captcha and then we build the captcha abuse model so basically the features that I mentioned before like sharing cookies and also estimating the time to pass captcha we are able to build like a capture abuse model so what we do is uh we visualize the distribution of humans
and Bots bypassing captchas and then we can see what cluster basically so usually we'll have two clusters one will will represent Bots and one will represent humans and then it's very easy to spot with some rules which of the Clusters basically it's uh automated traffic and then what we do is we we solve the problem with hard blocking in these cases I've also visualized um so yeah this is bypassing capture so here I've listed some captcha Farms I'm pretty sure there might be others as well supported captures versions but most of them basically can be manipulated and like bypass um the other one I wanted to share some information is basically how we visualize the distribution of bots
bypassing captchas so here are three different Bots that we're bypassing uh the captcha and hopefully you can see how different and unique they are so basically basically you can see the purple line and that's a bot that is more stationary I like they need up to maybe for 50 seconds um to bypass and then we have a noise here of 90 seconds so this Bots it's you know manipulating us like if we say okay we can't set the threshold and say like okay humans need like 40 seconds and Bots need like I don't know 20 seconds before they used to need to take like 12 seconds to bypass but now it's completely the opposite they are
behaving as humans and this makes it even more challenging and then we have the red bars so we can see that this bot is um is bypassing before 20 seconds and in a much more number of requests like up to 300 requests and the third behavior of both I'll say is bypassing in around 10 seconds um sending around 67 requests so yeah as I said I mean we see different behaviors really and it's challenging it's a new industry I'd say but it's definitely interesting this was my talk for today thank you very much I hope you enjoyed it [Applause] that was great sorry about the ticker I don't know why it wasn't working oh no
worries, no worries. Do we have any questions? Yes we do, let me go out there.

Thank you very much for the presentation, it was great insight regarding data security. My only question was, since you mentioned the AIs like ChatGPT or Microsoft Sydney or Google's Bard, can we use those? Do you see companies or different solutions using AI as a protection measure, to counteract these types of bots or the engines that want to pass captchas or whatever stuff like that? Do you see these AIs helping us, or helping companies, in mitigating data security in web applications? Thank you for your question. From my experience, I don't think there is a GPT version or something else that is protecting from these kinds of trends. It might be in the future, who knows, AI is evolving very quickly. At the end of the day we're still building machine learning models to protect against this, so if we automated it at an AI level, like ChatGPT, where we say, okay, identify if this is a bot or a user, it would be really good, but until now, to my knowledge, no. Thank you. Do we have any other questions? Thank you so much, that was very insightful, thank you. [Applause] Please remain seated, we have one more speaker; we'll set him up, and then after that we're going to have a coffee break, so please stand by.
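The captcha-abuse features the first speaker describes above (expiring a cookie that has been used for more than a set number of hours, the distribution of time needed to pass a captcha, and splitting that distribution into a human and an automated cluster), written out as an added example that is not part of the talk and not code from any vendor's product. The sample challenge log, the thresholds (12-hour cookie age, a 20-second floor below which a cluster is treated as automated, a per-cookie solve count) and the one-dimensional k-means used for the clustering are all assumptions made for the illustration; the talk only gives the 12/24-hour cookie rule and the rough solve times read off the slides.

```python
"""Captcha-abuse features over a constructed captcha challenge log.

Added example, not the speaker's code or any product's logic. The thresholds
below are assumed values for the illustration, not numbers from the talk.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

MAX_COOKIE_AGE = timedelta(hours=12)   # assumed: expire cookies used longer than this
HUMAN_FLOOR_SECONDS = 20.0             # assumed: a cluster centred below this is automated
MAX_SOLVES_PER_COOKIE = 20             # assumed: nobody solves this many captchas by hand


def constructed_events():
    """Constructed sample log (not real traffic).

    One row per captcha challenge served: (cookie, source_ip, challenge_time,
    seconds_until_solution_submitted)."""
    t0 = datetime(2023, 6, 10, 8, 0, 0)
    rows = [
        # Three human sessions: a handful of challenges, 35-55 s each, one morning.
        ("h1", "198.51.100.7", t0 + timedelta(minutes=5), 42.0),
        ("h1", "198.51.100.7", t0 + timedelta(minutes=40), 38.5),
        ("h2", "198.51.100.9", t0 + timedelta(minutes=12), 55.0),
        ("h3", "198.51.100.21", t0 + timedelta(hours=2), 36.0),
        ("h3", "198.51.100.21", t0 + timedelta(hours=2, minutes=3), 47.0),
    ]
    # Bot A: one cookie, 40 challenges inside an hour, each solved in ~10 s.
    rows += [("b1", "203.0.113.5", t0 + timedelta(minutes=1.5 * i), 9.0 + (i % 3))
             for i in range(40)]
    # Bot B: human-like solve times (~48 s) but the cookie is kept alive for 30 h
    # and replayed from several residential IPs, the captcha-farm pattern.
    ips = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
    rows += [("b2", ips[i % 3], t0 + timedelta(hours=2.5 * i), 46.0 + (i % 5))
             for i in range(13)]
    return rows


def cookie_stats(events):
    """Per-cookie features: cookie age, solve count, mean solve time, distinct IPs."""
    by_cookie = defaultdict(list)
    for cookie, ip, ts, secs in events:
        by_cookie[cookie].append((ip, ts, secs))
    stats = {}
    for cookie, rows in by_cookie.items():
        times = [ts for _, ts, _ in rows]
        stats[cookie] = {
            "age": max(times) - min(times),
            "solves": len(rows),
            "mean_solve": mean(secs for _, _, secs in rows),
            "ips": {ip for ip, _, _ in rows},
        }
    return stats


def kmeans_1d(values, k=2, rounds=25):
    """Lloyd's k-means on one dimension. Seeded with the smallest and largest
    value so the result is deterministic. Returns the sorted centroids."""
    values = sorted(values)
    centroids = [values[0], values[-1]] if k == 2 else values[:k]
    for _ in range(rounds):
        buckets = [[] for _ in centroids]
        for v in values:
            idx = min(range(len(centroids)), key=lambda i: abs(v - centroids[i]))
            buckets[idx].append(v)
        new = [mean(b) if b else c for b, c in zip(buckets, centroids)]
        if new == centroids:
            break
        centroids = new
    return sorted(centroids)


def captcha_abuse_model(events):
    """Return {cookie: (verdict, reasons)} where verdict is 'block' or 'allow'.

    A cookie is blocked when it has been shared for longer than MAX_COOKIE_AGE,
    when its mean solve time falls in a cluster centred below HUMAN_FLOOR_SECONDS,
    or when it has solved more than MAX_SOLVES_PER_COOKIE challenges."""
    stats = cookie_stats(events)
    centroids = kmeans_1d([s["mean_solve"] for s in stats.values()])
    automated = {c for c in centroids if c < HUMAN_FLOOR_SECONDS}
    verdicts = {}
    for cookie, s in stats.items():
        reasons = []
        if s["age"] > MAX_COOKIE_AGE:
            reasons.append("cookie_shared_too_long")
        nearest = min(centroids, key=lambda c: abs(s["mean_solve"] - c))
        if nearest in automated:
            reasons.append("fast_solver_cluster")
        if s["solves"] > MAX_SOLVES_PER_COOKIE:
            reasons.append("solve_volume")
        verdicts[cookie] = ("block" if reasons else "allow", reasons)
    return verdicts


if __name__ == "__main__":
    for cookie, (verdict, reasons) in captcha_abuse_model(constructed_events()).items():
        print(f"{cookie}: {verdict} {reasons}")
```

The point the speaker makes about bots that now take human-like time to solve is why the solve-time cluster is only one of three signals here: the slow bot (`b2`) is caught by the cookie-age rule rather than by its timing, while the fast, high-volume bot (`b1`) trips both the timing and the volume rule.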
Are we good to go? Okay, guys, we have our next speaker, Bleon Proko. He returns for the second time to BSides Pristina; it's a pleasure to have him again. Last year he had a very nice presentation, a speech about, if I remember correctly, security, yeah, yep, and this time around he's going to be talking about something else. It's going to be about DigitalOcean pentesting and also the defensive side. So with that said, the floor is yours.

Okay, so hello everybody, welcome to my talk. It's a pleasure to be here for a second year, and it's always a pleasure to have you all fall asleep from boredom. Last year I did the presentation on cloud penetration testing; this year I'm coming with something different, which is cloud penetration testing, but this year it's something that I've been working on for the last, I would say, six or seven months, which is a whole methodology on how to test DigitalOcean-based infrastructures. About six or seven months ago I decided to start with a small, not so tasty cloud provider that people don't give too much credit to, but a lot of companies use them for many reasons, one of which, and the most important, is the price. First of all, this is me, this one here. I'm a cloud researcher at Permiso, it's this one here, and you've probably gotten some shirts too, and I've been working for them for the last five months, this is the sixth one. Prior to that I've been working in the banking sector and the telecommunications sector, as a security engineer for all of them, and my main focus is cloud penetration testing, mostly AWS and Azure. But of course, what is DigitalOcean? So far we've seen penetration testing on cloud providers like Azure, AWS and GCP, for the many services that they have, and they have a lot of services. The last time I checked, AWS had more than 200 services, so you know, you can test all of them, but the most important providers are these three, and those are some of the things that have been tested. If you don't have any knowledge of cloud penetration testing, or of the fact that, bless you, the fact that cloud can be attacked, here are some references. The last three are books, and they are some of the best books that I've read, so you can look at them. This one is AWS, this one is Azure and this one is AWS too, but it has some of the best series, so take the last one if you don't look at the other ones.

Now this is DigitalOcean. First of all, DigitalOcean offers cheap VPSes. The cheapest they have is 512 megabytes of RAM with one virtual CPU and, if I'm not wrong, 10 gigabytes of SSD storage for four dollars a month, which is a great VPS for hacking, gotta say that. But it's not so, they call it a cheap platform. I would say if you use Lightsail, which practically has almost all the features that you will find on a droplet, which is their version of a virtual machine, you will not be spending much more money than that. But yes, anything else is cheaper. They have several services, not as many as other providers. They have droplets, which are basically your virtual machines; Kubernetes, which is Kubernetes managed by them; container registry, which is again a container registry managed by them; cloud functions, which is their version of Lambda for those people that have used AWS, or Cloud Functions for those people that use Azure, so it's code that is run when you trigger them. Now the difference here is that there is no event-based trigger like you have for Lambda, but you can trigger them yourself by just accessing them. They have block storage. Now, the block storage is just the same thing that you will find on AWS and Azure, EBS for AWS, so those are just storage that is added extra to a certain machine. They have networking; they have Spaces, which is their version of buckets, their version of cloud storage; and of course managed databases. They have their own API, which is good, and VPCs, which is, I wouldn't say a subnet, but it's kind of the same as a subnet. For the people that use cloud, they know it: a VPC can have many subnets, so it's kind of a network separation of all of your resources on cloud. This is something that you will find on practically most of the cloud providers, if not all, and they also have it too. They have 10 regions; they used to have 14. Four of them are no longer accepting resources, so only 10 are active, though the other four are just there for the old resources that you might have set up prior.

Now, starting with reconnaissance, and yes, this is the watermark, don't say anything. What you can find online are Spaces, which as I said is their version of buckets; they have the domain, and droplets, which can have a domain record assigned, so that's how you will be able to find them; they have functions, which can be found, sorry; and they have the
Kubernetes node, which has a public endpoint. Spaces are literally just AWS S3 used for them; they literally use that service, they just use it with fewer features than the normal AWS S3. So anything that will be done on S3, accessing it with the API, and they have a certain API only for that, the bucket being public, the bucket name, and the bucket itself, the bucket name itself needing to be globally unique, everything is inherited here because it's literally an S3 bucket. And you can, sorry, sorry, sorry, as you can see here, even the response is practically the same as S3, and you can see here it's an Amazon S3 bucket. Now, the same way as in AWS, you have an endpoint, which is the name and the region, and there are two ways that you can do that, but the result will be the same, and you will get one of three HTTP responses: 200 if the bucket exists and it's public, so its contents are public, and you will be finding a lot of them, and there have been a lot of breaches just by this; you will have a 403 if the bucket exists but its contents are not allowed for anonymous access; and 404 if the bucket does not exist. This is a good enumeration, or reconnaissance enumeration, technique that you can do, because you can literally just fuzz for different names and try to find the buckets that are public. Also, you have to understand something: there are a lot of cases where the name will be just the domain, especially when you configure them as a website, so you will have the domain as the name here, and then everything else will be the endpoint. That has its own bucket, so this is another way on how you can find sensitive information in buckets. Sorry, Spaces, the same way as buckets, allow for ACLs. ACLs are access control lists, so how the bucket itself and how each object is allowed. So you can allow a bucket to list every file, but each file will be private, so you will not be able to download it, you will just find the name of the file, sorry, here, the name of the file, but not access the file itself. If you allow both of them to be public, then yes, you can download those files. If a bucket is configured as a website, then you should mandatorily allow those files, because as a website the users need to access the HTML files, but for everything else it's best to block them. This is their way of doing something like a bucket policy, because bucket policies do not exist here, so you know, just as I said, blocking some files from being downloaded while allowing others to be downloaded, and you just allow the bucket to list those names. Still, even by that you will be able to find a lot of information that you can later on escalate. As I said, you can allow a bucket to be a website, so it will host HTML, CSS and JavaScript files, practically everything that will be rendered by the browser, only by the browser. And when you do that you need to have a domain configured on your DigitalOcean, and you will assign an endpoint to that, and this will be practically a CNAME for this host, and also an SSL certificate: you can add your own or you can just request one from Let's Encrypt. Grayhat Warfare is something that I found quite recently, actually. It's a service that keeps all the public cloud storage on AWS, Azure and DigitalOcean, so you will find any file, you will find any endpoint that is known to be public, and you can find a lot of information in this. Like, let's say, yeah, so we check here, I don't know if you can see that, we check for "test" here, and just by "test" you will see a lot of them, and as you can see, this one here is the sign of DigitalOcean, and you can have the name here and the files. And another good thing that Grayhat Warfare does that some other services don't is that they also check for the keyword on the key itself, so you can find "test" for the bucket name or the space name, and you can also find "test" for the file name itself. So if you want to check for a certain target, you can check for both
both things and find out where you can find information on them. They also have an API which you can use, and you can automate. Google dorking is another way to find a lot of domains, and then you can find the CNAMEs for them. It's something that I use a lot for those cases, and it's something that has given me a lot of endpoints that I haven't been able to access with stuff like, I don't know, Sublist3r, because they will be giving you even hosts that, so they will be giving you all the hosts that a certificate is bought for. If you are targeting a large company which has had many companies that they have outsourced services for, you will most likely have one certificate per domain because of a lot of legal issues, so you will be able to find a lot of endpoints for that. And Kubernetes: this is something that was strange to me, because Kubernetes is not something that you necessarily need to have public. I would understand something like a container registry, but Kubernetes being able to have a public endpoint was strange. But the good news is that it's a really large ID, so it's not going to be easy to fuzz, but you can find a subdomain that points to this, and if you find that, you will be able to also find the ID of the Kubernetes cluster, which you can later on use in the enumeration and the privilege escalation steps. Functions, as I said, are the DigitalOcean version of Lambdas. They do not have an event-based trigger, sorry, but you can trigger them yourself, and they also have a public endpoint, as you can see here: it's the region, there are some random characters, they have something called the namespace, which is a container for many functions, it's the package that you will be running, and the function name is a lot of stuff. If you run this, you will be able to execute the code and you will have the return as the response from that. I don't know if I've added this, no, okay, no. You can also access this using their own API key, or publicly without a key; by default you can access that without a key, so if you find the URL, you will be able to execute the code. That's another reason why you should look for that, and again, Google dorking helps a lot with that, because since every URL will have that, and you will check for the domain, you will be able to find, for example, a CNAME record to a function which also has this URL, and you will be able to get a function which, if it's allowed to be executed without a token, you will be able to find the execution point that you probably will be able to escalate to RCE or something. But at least you will have some information. Droplets, as I said, you can assign domain records to them, and that's the best way you can track them, because as we will see later, the IP lists that they have do not specify the services. As you can see here, the IP list will give you all the IPs and the region for all of them, but you do not have the service as you have on other cloud providers, so you will not know what type of services you have. I started a project a while ago, and I'm continuing on that, it's just that it's harder to maintain: just looking for domain records on each of those IPs, and then trying to find CNAMEs for all the services that might be on one of those regions, and trying to find which regions they might be in, and trying to link the service with the IP range. This is really hard to maintain because those are always updated, so I don't think I will be able to complete that, but if somebody wants to, that's the best way you can link a service to an IP range on DigitalOcean. So this is the recap; those are practically what you will be able to find if you search online.
Going on with the initial access: now there are several vectors of initial access. Phishing is the first one; you can utilize a lot of stuff for phishing, you can even create your own phishing site, which I would say is the best way, or the second best way, on DigitalOcean. You can get access to the droplets, then you can find the token from the droplet, you can find the database password, and you will be able to get the sensitive information right away. Or you can find the functions, get access using the tokens and config files, which we'll be seeing later on. Now for the phishing, they have one way that I will show you later on, one cool way that you can use to phish, but one thing that I don't have is a link between the token, even if it's an admin token, and the console, the web interface. So even if you are admin using the token, you cannot use it to get access to the dashboard, so phishing is your best bet to get access to that. And what I do is I usually use the alerts, because the alerts are something that people will always open, they will always look at them, and you can send something like this, and you know, they will look at that, they will see that, they will click on that, and they will be able to, so you can see here, all of them, you can just add something to that, and when they open it they need to add the credentials. And what I did, this is a page done by me, I'm a noob at front end, so sorry, I tried my best. So this is something done by me, I tried to replicate it as best as I could, and this is something that I saw: when you are on DigitalOcean and a resource is not found or it's missing or your token is expired or something, you will have Sammy. This is Sammy, this is a GIF, and you will be looking at this, and you have a link to redirect you to the home page. You can use all of them; you can send them a login page, they will add the credentials, and then you can redirect them to your Sammy, even your custom Sammy, and they will click on that and go to the web page, and everything will look normal. Now, one thing that DigitalOcean does is that it allows you, for 60 days, to not add two-factor authentication, so if they have been logged in prior, the moment they click on that they will be able to log into the dashboard and it will look completely normal to them, so it's a good way to phish them without them even knowing. Brute force: this is another thing that was strange to me. They don't have any restriction on how many passwords you try against SSH, so you can literally do, so I don't remember how many I did, I don't remember how many I did, sorry, but I did a lot of them, I thought nine thousand, something like that, so I did a lot of them and still was able to crack the password, and there was no restriction for SSH. You can add it yourself, but there is no restriction by them, so you have to go and edit the SSH config file, the sshd config file, in order to stop that, which is again strange, but it is going to be a good try. Plus, every droplet is run as root by default, so the user, at least, no matter what OS or distro it is. The API: they have four APIs. This is the metadata API, if you have used cloud you will know this, which is on 169.254.169.254, and it's only accessible from inside the droplet and only for the droplet; it's not accessible publicly, so you will only be able to access it from there. You have the DigitalOcean API, which we'll be looking at; there is the Spaces API, which is literally the AWS S3 API, well, what's the opposite of on steroids, because you know that's what it is; and the OAuth API, which we'll be looking at, because this can be used for phishing. The API can access all of them, basically anything that is not a space, that is not metadata, and anything that will not lead you to the portal. It has this format, and that's all you need to look at if you want to look for those in the source code; this is what you need to look for. You can find them here, you can create them on the portal, you can find them in source files, you can find them in Kubernetes and container registry config files, we'll be looking at that, you can find them in the console history, because, yes, different from AWS, you can just provide the token here; you will not be able to create a profile for the token, you can just provide it, so finding that in bash history will be useful, and you can
find them on functions, and you will be able to find them in the environment variables of functions, on apps and droplets. As I said, when you create a container registry you get a configuration file. This one has a token which is a base64 of two DigitalOcean tokens, and well, it says here it's read-only or read-write, because you select it yourself, we will be looking at that later on, and it's read-only and read-write for all the infrastructure, not just the container registry, so if you find this, and if you find the read-write one, you will be able to get admin access. This is just a simple piece of code on how you can access that. As you can see, it's using boto3, which is the AWS SDK; the only difference is the endpoint here, which is the region and digitaloceanspaces.com, and the access key doesn't have the usual format of AKIA or ASIA (ASIA is the temporary key, so AKIA); everything else is the same. So the authentication is different, everything else is the same. And these are everything that is allowed: those are allowed from the dashboard, those are only allowed by the API, versioning is something that we'll be looking for, and those are not allowed. Now if you are able to find credentials for the Spaces, one thing that you should understand is that you don't have any limitations: a Spaces identity is full access on all Spaces, so if you find that, you get access to all the Spaces, you get access to all the sensitive information within that account. So if you are able to get that, you are able to get practically all the information that they have there, which, okay yeah, that's not the enumeration part, sorry. Now the OAuth part, the phishing that I said: since DigitalOcean does not have the idea of an IAM, every identity has full access to everything. Since they do not have an idea of an IAM, they do not have an idea of a cross-account identity, so the best way they do it is by utilizing something they call an OAuth API, which is their version of the application consent, if I may say it like this. So the idea is you create an application with a redirect URL, you have this URL that you will be sending, and this token without the red part will only be a read token, but if you also put the scope as read write, when they accept that you get a token, a read-write token, which is valid for 30 days, but you also have a refresh token, which I haven't found anywhere to be expiring. So to be honest, it might not expire at all; I'm not sure if that's true, but I haven't found any documentation that says when it does expire, so I don't know about that. And everything is the same as in Azure: access token and refresh token, so it is the same process. You get the access token, you access DigitalOcean with it, after 30 days you refresh your access token, you get the second access token, you continue with that. So if you are able to do that, you get admin access to the API and you also get a token that can always be refreshed. The container registry, as I said, this is where you choose your scope as read or read-write, and this is just us using that. The best way I found of testing if a token is read or read-write is creating an SSH key. This SSH key is something that does not have any impact, it does not cost anything, so you can create, you can delete. If you can do that, you have a read-write token; if you can't do that, you only have a read token. So yeah, and lastly, as I said, since you are able to have access for 60 days, if you have physical access or quick access to a machine, you can just open cloud.digitalocean.com and you will have access to that. On the enumeration side, going back to the API, going back to, sorry, the Spaces API: since we said before we had some stuff that we were allowed to do with it, this is very small, but when I share the slides it will be bigger, these are everything that you are allowed to do, and since you practically have access to do every one of them without restrictions, you can just create your own script that will execute them. Now, this is, as far as I've seen, the most important information, and I wrote this script, and I get practically all the information, like all the buckets, all the bucket ACLs, all the bucket objects, I can download them if I want to, I get whether the bucket is a website or not, practically everything, even the versioning, which is this one here, which is the AWS, and by extension DigitalOcean's, version of not allowing you to lose the file after it's deleted. So if you enable versioning, if a file is deleted you can still retrieve it. Now this is important, because if you find sensitive information that has been deleted, and it's not deleted as a version, then you can retrieve it, so if you find
some credentials or something, you'll be able to get that. And the pre-signed URLs, which are used for GET and PUT objects, but GET is the most important: if you find one of them, you can access the file; if you don't, you will at least be able to find the access key from that, so it's something that's worth looking for even if that one is expired. Now, say you have a DigitalOcean token from one of these methods. What you would do is, as I said, just check if it's read/write: just create an SSH key, it will do no harm, you will either not be able to create it, or create it and delete it, so it's not going to cause much problem to the organization, and you will know what type of access you have. For the container registry, you can use the token on everything else, or you can just log in using Docker to the registry. You can just list the container registries, you can list the repos, you can log in with Docker and you will be able to get the image, and after that you can also update the image, put your own malware on it, I don't know, even just getting it and finding sensitive information, you will still be able to do that. Privilege escalation: now after this part there is not much that you can do, to be honest, since they do not have the idea of an IAM. You either have all the access or you don't have access; you either are admin or you are not admin, and there's not much that you can do. But one thing that I found is that if you get a read-only token, you can look for the database, you can just list the databases and you'll be getting the password, the plaintext password, for all the users, yeah, everything. This is, though, only for everything except for MongoDB, so they have something against the SQL-based databases, but yes, you will not be able to do that for Mongo, so use that, I guess, to be secure. But yes, sorry, no, it's not even on the console; you cannot look at the MongoDB password after you refresh the page, you need to reset the password. And another thing that you can look for is that each password has this AVNS, I don't know what that is an acronym for, it starts with that and an underscore, so you can look for that in repos or in your code, so you know, it's not bad to look for something like that. And each database, no matter if you configure them to only be accessed publicly or not publicly, each database has its own public node, so you can also look for that, you know, probably you'll be able to find one. Now, exfiltration: for the exfiltration I haven't done much. You know, if you have console access you practically have everything. What I try to use mostly is adding everything to a certain space, especially if I have a Spaces token, add everything to a space and then download it from there. Usually the Spaces and S3-based events are not logged so much, because there are a lot of them, so doing it like that is the best way to get the sensitive information out, even if they have something like, I don't know, DLP, which, there is no service for DLP on DigitalOcean, if they have another third party doing that. Another thing that you can do is create a droplet and drop everything there, in case you only have a DigitalOcean write token, so do that and use SSH to download the files. If you only have a read token, just try harder, try to escalate that. And as for defenses, this is the last part. So as we said, what's wrong with DigitalOcean? Well, you want to be an admin, they want you to be an admin too, so you get to be an admin and you get to be an admin and you get to be an admin. So the idea of theirs is that there is one super admin that can invite others, and everything else is just an admin, that's all. We give you the Spaces, or just an S3 bucket, and then some over-privileged keys. The API is not bad, but again, there are no identities, there are no key vaults; there is a service for HashiCorp Vault, but you have to pay extra for that, or you can set it up yourself. The container registry has practically full read or read-write access to all the infrastructure, the cloud functions are public, and there are no credentials on metadata, which is something that I didn't put here, actually: if you get access to the user data, which are the startup scripts, you will not get credentials as normally, but if the droplet needs them, you will probably find them in the environment variables; I'm pretty sure you'll be able to find them in the environment variables. So what you can do for the roles: yeah, you can't do much, you can just put MFA, or, I don't know, just regularly change passwords for the interface. They do have their own MFA, so they send the code to the email, which
you can you know send it back so I would recommend you also to Target the email in case you target the the uh the console for the over privileged try to not add them on accessible parts for the droplets uh droplets can also be accessed from the console you can do that it's going to be harder but it's uh you you will practically remove all the needs for the sh Keys being spread across the all the admins uh for the public functions please use the the rest token that they do at least it's going to be harder for them to to brute force that uh for the container registry yes yeah and for the database is use
and for credentials on other places use uh password vaults that's that's the best thing you can do that's how much digital ocean offers you so that's that's how much you can do with it so if you have to use that please at least do those also so sorry before I go on this uh I have practically told this to everybody that I've met but if in case I haven't met you my company is looking for some interns so if you want to you can contact me or Daniel boanon it's so it's preferable to not be at work momentarily and it's preferable to uh have some knowledge with other stuff with other stuff like a cloud Security
even though it's not mandatory, it's preferable, and programming with something like, well, Python probably, but even another programming language will not be a bad thing, because you can work with those too. The idea is that you might need to automate some stuff, so you might need to do that too. In case you want to apply, contact Daniel Boone or me, send us a CV, and then we will continue with everything else. And I started writing a book about one or two months ago. It's currently on the third chapter, so I'm finishing the third chapter; I'm planning to finish it by the end of the summer, hopefully, and it will have a deeper dive on DigitalOcean, also with a lot more exercises. This was just a basic one; if you want to, you can look at that. And this is the end. Thank you. Do you have any questions?

Thank you. As always, very insightful. For those that attended last year, he also had a great presentation. Let me pass on the mic.

Thank you, really interesting talk. So I have a question: do you have any idea how much of the traffic coming from DigitalOcean might be legitimate traffic?

That's a good question, because that's something we are looking to add at the company that I work for, and no, I don't have a statistic, to be honest. But yes, DigitalOcean has been used a lot as attackers' VPSs, and if you go to Talos, which checks all the endpoints and the IPs, and you put in a DigitalOcean IP, you will at best have a neutral level of security, because it's been used so much for attacker machines that even a normal DigitalOcean IP will be at least neutral, because they don't have the security to just say it's normal; even if they haven't detected it yet, this is probably a hacker.

Okay, thank you. So in terms of the IP ranges, if we do a DNS reverse lookup, is there any common thing we can find out, whether it's malicious traffic or legitimate traffic?

I can't say that, because droplets by themselves, and those are the ones that are mostly used, do not have an endpoint themselves like they do on AWS or Azure. So on AWS we have an endpoint; for droplets you do not have one, which is an indicator in itself, because as far as I know this is the only service that does not have an endpoint. So if you don't find one and it is part of the DigitalOcean IP list, it's probably a droplet. So this
is one way to find it, at least if they are using a droplet for that. But finding whether a certain IP is used for malicious purposes just by looking at the name record, or at the IPs, or even at the provider, I don't think that's correct or anything. But yes, as I said, the best way to find out is probably: if you don't get a reverse record, a PTR record, it's probably a droplet, and if you do get one and the record looks like a custom one, it is again a droplet, because those are the only ones that have that.

Okay, thank you.

Thank you. Do we have more questions? Yes, okay.

Thank you for your presentation. So my question is: from my experience, I've seen that most of the companies that do actually use DigitalOcean are usually either startups or companies on a budget who don't want to use the full-featured cloud. So what would your recommendation be: should companies try to harden the security in this case, or migrate to another cloud provider, always considering that infrastructure migration is not an easy task? Thank you.

Okay, that's a good question. Migration is, as you said, always hard to do, because it's always costly, especially if they started with something. Yeah, I would recommend them to at least limit the usage of different accesses, like tokens or the Spaces credentials. So if they only need read access to something, only use the read token; don't use a read-and-write token. Because especially the companies that I've seen that use DigitalOcean are, as you said, one, startups, and two, the people that manage them are usually devs, who do not necessarily have the required knowledge when it comes to the system administration stuff. So they will just put something and say, okay, this works. And the best way to do that is to at least limit everything. Now, there are some other services that are paid, so they have Cloud Enix, which checks for governance and checks for some misconfigurations that you have; they have logging, which you can look at, so they have some services that do logging, and they also have logging for anything that is a droplet-related action; if you look at the API, they have that. So even if they do use that, as I said, I would not recommend migrating until the very last. If they're at least staying there, they can at least log everything that is being
done there, so it's better for them, even if something happens, to know how it happened, or just be alerted immediately if that happens. So yeah, I don't know if I answered your question.

Yeah, exactly. So there's one more thing. Considering that they are a startup and they will not utilize the API, because most of the work they do, we know that it's manual, so we just got rid of the API token, let's say. Now the problem is with the username and password. Do they have an SSO or something, or don't they offer it?

No, no SSO, no federation. I actually wanted to look at federation for that, and I looked in a lot of places, and they don't have something, neither SSO nor federation, so you can't do that. Even the MFA that they have, as I said, they at least try to do it by using their own pseudo-MFA. So as I said, they send you a key to your email, a six-digit one-time password that you can add, and then you will be able to log in. So that's how they manage that aspect. But aside from that, I would recommend stronger passwords, checking the email, and probably using an email provider that provides you with MFA and a strong password policy. At least you will be able to secure the email side, so even if they find the password, they will not be able to access that, because they also need the email to do that. And if they do that, at least even if they use the same password for both services, since the email with the strong password policy will require a strong password, they will also add the second one as a stronger password. So that's kind of what I would recommend in this case.

Thank you.

You're welcome. Any other question?

Okay, let me just walk over there and burn some calories.

Great presentation, thank you. What was your methodology that you used during the reconnaissance phase? Specifically, what tools did you use? Did you make your own scripts?

Which I don't know if you can call it automated, because it's half manual, and crt.sh; everything else is just me looking at the DNS records and me looking at the URL and everything. So me just creating the service and looking at what can be found by that; that's how I tried that, and that's what I've been using for other services too, because since you will either have or not have an endpoint for
that, or you will have or not have an indicator in a service, it's, I would say, a good way to do it. But I don't know if somebody else is using any other methodology. Plus, since this was my account, I knew what services I had. When it comes to other people's accounts, say you are hired to do a penetration test for them, using tools like, I don't know, Sublist3r or Amass or something will help with reconnaissance. But when it comes to DigitalOcean-specific OSINT, I would recommend you just looking at what are some indicators on the services that they have, like, as I said, the URL for functions, or the Spaces endpoint name, or looking for DNS records and then just doing a reverse lookup and then looking if that is part of the IP space, so you get the droplets. So you get the idea. If it's DigitalOcean only, I would recommend you that; if there are also other services and you want to at least filter them and know which ones are DigitalOcean and which ones aren't, it's best to have everything and then try to filter them as much as you can. So yeah.

You're welcome. Any other question?

I guess not. Thank you, Leon, once again. Thank you all.

Okay, so guys, just some logistics to let you know: now we're gonna take a 20-minute break; we're gonna be back at 4:05, please be on time. We have two more speeches, interesting speeches, and at the end we're gonna announce the winners of the CTF competition and we will also do the raffle, so please stick around and be back on time, 4:05.
Hi everyone, welcome back. Our next speaker is Andrew Musa, and he's gonna walk us through one of the cases, I believe in 2017, about the largest shipping company, I believe Maersk. So with that, the floor is yours.

Thank you. Okay, so hi everyone, thank you for joining us today on our presentation. It's an honor for me to be here, mainly for two reasons: I was a student, obviously, of this university, and also this is the first time speaking at a conference. So I would like to personally thank Aryan and Dardan and the whole BSides team for giving me the opportunity to present here in front of you. Today we are discussing a very delicate subject, which is the attack which struck Maersk in 2017.

This is me: I am currently working as a DevOps engineer at Buckroe Payments; I recently joined them, it's been like three weeks. I'm passionate about cyber security, obviously, because I'm presenting here today, and I'm a local ambassador for CrowdSec. They were part of BSides last year; they couldn't make it this year, but they are basically an open-source company which offers IPS, IDS, firewall and many integrations with different software for the protection of your servers. And so I do love working with AWS, I do that daily, but, as many people don't, I don't like Azure, I want to point that out. And I also enjoy making memes, so you're going to see a couple of them during the presentation.

So let's get to it. Today we're talking about ransomware. We're going to have a brief introduction of what ransomware is; many of you are familiar with it, but anyway, we're going to give a short description just to see what type of malware it is, how it works and so on. And we're also going to specifically talk about a very special type of ransomware, which is NotPetya, which is what attacked Maersk in this case. Also we're going to talk about Maersk itself, just to see what type of company it is and why it is so important to mention them in this case. And then we're going to talk about the day when Maersk meets NotPetya, which was very unfortunate. And also we're going to stop at the aftermath of the attack, just to see what the casualties were and how everything unfolded, and ultimately, what's important, we're going to look at the lessons we've learned from this attack.

So what is ransomware? Kaspersky defines it as extortion software that can lock your computer and then demand a ransom for its release. So basically what happens: ransomware is a form of malware which basically encrypts
your data and then says, I want some money in exchange for that if you want the key to decrypt it. And yeah, basically that's how it works. Usually the encryption algorithms that are used are unable to be decrypted without having the key, and this is why it makes it almost impossible to decrypt without having the private key, in this case. It also spreads rapidly on the network, which is also what happened with NotPetya, and usually the payments are required to be done in crypto, because of all the reasons we already know: it's untraceable, it's easier to make those payments, and so on and so forth.

So what does it actually look like to be attacked by ransomware? I really want to emphasize this: I really hope none of you sees this screen we're going to present next, because it's already too late for you. This is the screen that is usually presented to the persons that have been attacked by ransomware. So basically it gives a description of what has already happened. It says that the hard disk of your computer has been encrypted with a military-grade encryption algorithm; we're gonna see on the next slide how that works. It says that there is no way to restore your data without a special key, which is a private key in asymmetric encryption, and it says that to purchase your key, it usually instructs you to use a Tor browser, or, as we know, the onion routing protocol, and you need a Tor browser to actually access the links that they usually provide, as you've seen. And also you need to enter your personal decryption code and then they will send the key back. What happens most of the time is that even if the company or the person sends a payment, they will be like, yeah, you've paid this, but you need to make an additional payment, and so on and so forth. So it's usually not recommended to send payments if this happens. Unfortunately, if you don't have a backup, it's non-recoverable, but if you have a backup in place, you can just simply restore that backup and have your files back.

So how does it work? Basically, the victim acquires the ransomware from email, an exploit, a worm, whatever type of source, and then the ransomware contacts the attacker's command and control server. So what happens is a public key is used to encrypt the data on your machine, and a private key is stored on the command and control server, so it means that without that private key it's impossible to decrypt your data. Data is encrypted, and a ransom note, which in this case is this one, is presented to the victim, and then after the ransom is paid, the attacker sends the private key to decrypt the data. But please be aware
that that is not always the case; sometimes, even if the payment is made, as we mentioned, probably you will not get your data back.

We are going to focus on a special type, if we can call that ransomware, and I'm going to elaborate more on that shortly. It was first detected in 2017, and it was primarily spread through M.E.Doc. Now, what is M.E.Doc? It's accounting software which is based in Ukraine. And the damage that NotPetya caused to companies all around the world is estimated to be around 10 billion dollars. It's a variation of Petya, which is where the name originates; so Petya is basically a ransomware which originated before NotPetya, so this is like a variation of that ransomware, and we are going to see the differences that it has in comparison with Petya. It used two exploits which are very popular; one of them is EternalBlue, and it used a special tool which is called Mimikatz. We are going to see what these two do shortly. And ultimately it was labeled as a cyber weapon, and this is for the reason that it is believed that this was created by Russian hackers, and the main reason it was created was to attack companies, organizations, banks and everything that were located in Ukraine. So unfortunately for Maersk, it was just collateral damage, because Maersk was never the target. So what happened is that the cyber weapon was created because of the geopolitical war that was happening between Russia and Ukraine, and basically, in this case, Maersk was attacked by NotPetya, but it wasn't the main target.

So how does NotPetya actually go into different machines or organizations? The first variation is that it goes through the M.E.Doc update server. So this means that NotPetya was coupled together with M.E.Doc, and as soon as you would get an update, in this case, it means that it used M.E.Doc as a backdoor to actually go into the infrastructure; this is what happened with Maersk. And the other way of actually going into the systems is using phishing mails, for example if you have an infected document. And also, for example, if one of your machines on the local network, let's say, is infected, it can also spread through the internal network, and ultimately this is what is called lateral movement. Swiss army knife: which means it's a compilation of multiple tools, which is also what a Swiss army knife is. And for example, it uses, let's say, EternalBlue and Mimikatz, just like we mentioned earlier; it uses that to spread rapidly across the network, which is what happened in this case. So the most striking feature of the
NotPetya ransomware is that it is not a ransomware. I'm sorry to disappoint you; I know that the name of the presentation is NotPetya Ransomware, but it is not a ransomware. The developers had no intention of ever delivering a decryption key. This means that the main focus of this attack was to destroy data, and this is why it made the data non-recoverable. For example, if you take a comparison between this and, let's say, the WannaCry ransomware, which happened months before NotPetya, the intention of WannaCry was to actually encrypt your data, get your money, get your data back. This was not the intention of NotPetya; it was purely data wiping and destruction.

Let's talk about Maersk, which is the victim in this case. It has its headquarters in Copenhagen, so that is where the attack initially happened, and then it spread across the global infrastructure that Maersk has in place. It is the world's largest shipping company, because it is estimated that they transport around 12 million containers every year, and in 2022 they had a revenue of 81.5 billion dollars, and the reason for this is because of container prices going up and up. But yeah, basically you can just see how big of a company it is. So it has 574 offices in 130 countries; all of them were infected in this case, even the backups that they had, even the offline backups; everything was infected when the NotPetya ransomware struck.

Let's unfold the attack. It happened on June 27, 2017. At four o'clock in the morning: ransomware attack on Ukrainian banks, power companies, and as you can see a pattern here, Ukrainian. That's mainly because, let's say, the entry point of NotPetya was M.E.Doc, so whoever was using M.E.Doc and got the update from their server, they were actually getting NotPetya into their systems together with that update. At 11:30, Ukraine Central Bank confirms attack on IT systems, same attack of NotPetya. At 1:21, Maersk publicly confirms that the IT systems are down. At 6:12, Kaspersky says that NotPetya is a wiper; we have to focus on this, because, as I mentioned, the main focus was to wipe and destroy data, and it has already affected around 2,000 organizations. At 7:46, Ukraine police confirms M.E.Doc is infected by NotPetya, but they said that it's not our fault in this case, because it was initially thought that they were actually conducting the attack, but that was not the case; they were just infected. The source of this information is from Charlie Ponnell, who had a case study on the Maersk NotPetya attack.

NotPetya attack started. This might seem like a joke, but it is not; this is what actually happened. The way they describe
it, if you were looking at the whole, all the computers were just going black, black, black, black. And there is a strong reason for that. This is NotPetya's recipe for catastrophe, if we can call it that way. Initially, as we mentioned, M.E.Doc was infected, so the malware itself came from a trusted source; nobody would think that if you just update your accounting software. In this case, Maersk was using M.E.Doc for tax returns in the UK, sorry, in Ukraine. So the source for them in this case was trusted; they had no idea that they could be infected from their accounting software. The second one is encrypting the MFT, which is the master file table; we're also going to take a look at that. It takes less time to actually encrypt the MFT in comparison to actually encrypting all the files on the systems; we're going to stop at that on the next slide. Rapid propagation was also a feature, because it is said that it only took several minutes to a couple of hours for the whole global infrastructure of Maersk to go down. They also had this fatal combination of different tools and exploits to actually achieve this, and we are going to see how they actually did that.

So the backdoor: the software used by the finance teams for tax returns, as I mentioned, was compromised by NotPetya. In this case, automatic updates were enabled, which, if you look at it, is not something really strange, because we also have automatic updates enabled in our different apps, and we would never think that the ransomware would actually originate from that. In June, the virus was pulled inside the IT infrastructure and it propagated inside the network. I'm going to get back on a slide and just elaborate on one thing: this command and control server which we earlier mentioned, for example in the WannaCry ransomware; this connection between the machine that was attacked and the command and control server never actually happened. So the encryption key that was used by NotPetya was sent to an email, but that email was blocked by the machine, so it never reached the attacker's machine, which renders the files unusable, and also the operating system in this case.

Encrypting the MFT: I'm going to take a practical example for this. Let's say you want to go into a building and you're looking for a specific apartment. Instead of, let's say, encrypting all the names of the apartments on the doors, you simply remove the map which is at the entrance of the building. This is what happened with the MFT: instead of going and encrypting all the files one by one, what they did is they encrypted the MFT, which is the master file table inside
NTFS, which is a file system used by Windows, in this case. This rendered the whole operating system unusable. What this means is that this is a table that includes information about where your files are. So, for example, let's say for a 500-gigabyte hard disk, this is merely some megabytes, so it encrypted so fast, and this is the main reason why it propagated so fast across the machines. To do this, they used a special tool, which is MFT2CSV. So basically they just encrypted the MFT, the master file table, and the whole operating system was rendered unusable, except that they also had a special module integrated which also wiped the data on the machine.

So rapid propagation was done mainly using EternalBlue, which you might have heard of. EternalBlue is an exploit which was used by the NSA; it was used for more than six years, and they never reported it to Microsoft because they wanted to use it for their exploitations. So they used EternalBlue, which in this case used a vulnerability of SMBv1, which is a protocol used in Windows for file and resource sharing on the network. So EternalBlue used that vulnerability to spread across the network. And what's very interesting is that this attack, as we mentioned, happened in June 2017; the patch for EternalBlue was released a couple of months before, I think it was March 2017. So they could have patched this, but that does not necessarily mean that this would not happen, because they still used extra tools to actually propagate through the network, which is, for example, PsExec, also Mimikatz, and also a bunch of different tools to actually both encrypt the data and also spread across the network. This is how Mimikatz looks. It's a tool that also uses a vulnerability to extract passwords from the memory on devices that are running Windows. Example of PsExec: we run a command on a machine, a simple command, ipconfig, and as we can see, it returned the IP of the device that we were actually running this on. So this is just one of the tools that NotPetya had incorporated into their malware in this case, and the combination was just fatal for Maersk in this case.

The aftermath of the attack. Okay, initially they had to work with pen and paper, which, imagine if you have several hundred offices spread across the world. They couldn't even use their phones, they couldn't even alert their colleagues that this was happening, and that is mainly because also their servers that they used for telephone communications were rendered unusable. An estimated 49,000 laptops were destroyed,
the financial cost was around 300 million, their backups were infected, they had to shut down operations on multiple ports, they had several days of inaccessible IT infrastructure, and yeah, it took them about four weeks to get a fully operational IT infrastructure, and obviously they had to rebuild all the servers and all their PCs. And yeah, it cost them a lot, both financially, and it is also important to actually emphasize that it damaged their reputation a lot, because it's a big company spread all around the world. So basically they had some good communication, if we can say so, with their clients, partners and stakeholders, but at the end of the day, I mean, it's not good that this happened to such a big company. This was posted on the Maersk IT systems: they publicly accepted that their IT systems were down, which is quite unfortunate.

And yeah, the lessons we all learned from this attack. It was unfortunate for Maersk to have this attack, but nowadays it serves as a lesson for all the companies, institutions and also individuals that you always have to prepare for the unpredictable, which in this case was also the case with Maersk, because, as we mentioned, the actual ransomware came from their accounting software. First of all, companies need to prioritize their security investments, because this is crucial for normal operation, especially since the whole management and business continuity of Maersk in this case was based on their IT infrastructure. They need to add robust backup and disaster recovery systems; even though they had this in this case, unfortunately it couldn't be of help for them. It's important to have a comprehensive cyber security plan. They did, as we mentioned, have transparent communications with their customers and also with the stakeholders and their partners, but that didn't really come to help as much. And also up-to-date configuration of the systems, which is crucial. One thing that I want to mention is that they could have used a sandbox environment to test their software, because even if the ransomware would go inside the systems, if you have a sandbox environment, the virus would just spread there and not in the whole infrastructure, which in this case happened with Maersk. And ultimately we can close with a quote: Maersk's experience with NotPetya serves as a stark reminder of the need for robust cyber security measures in today's interconnected world. Thank you for joining this presentation. If any of you has any questions, I would be happy to answer them. Yep.
So thank you very much for the presentation. To be honest, I remember when the EternalBlue exploits got leaked by the Shadow Brokers, and it was a really challenging time for everyone. I was just curious, I'm not sure if you, let's say, investigated something similar, because some of the attacks actually affected Albanian institutions as well, probably because they were not bounded by boundaries. And if I remember correctly, if you actually didn't restart the computer, the MFT would be fine. So if you shut down the computer and didn't start it up, if you didn't just restart it automatically, the MFT encryption was only happening on startup, so it was like a way to actually avoid the entire problem happening, but it was too late because everything was done. So I'm not sure, did you encounter that in real life, or was it just...?

Yeah, good question, because I was also asking myself this very question. But the thing is, I also mentioned that, apart from having the MFT encrypted, they included this module which actually wiped all the data, so it wasn't just the MFT. So they had a second plan in mind, which, even if they don't restart the computer, this module that was incorporated inside the NotPetya ransomware actually made it possible for all the files to be wiped out, even if you, for example, would not restart your computer, which happened in this case, because the whole file system was destroyed by the second module that NotPetya used. But what you're saying is correct; they also had this second thing in plan, which they wanted to make this as successful as possible in this case.

Yeah, I'm just curious, because I've heard people actually talk about that, but the samples that we had didn't have the wiper features, so I'm not sure if the wiper feature was only specific to a region or not. But yeah, it was really interesting to actually see an example that had the wiper version, but yeah, really interesting, thank you.

I would say you can use MFT2CSV on your laptop and you can try it.

No, no, I mean actually the wiper.

Yeah, we're gonna have to talk with the Russian hackers if they can provide it for us.
Do we have more questions? Okay.

Great presentation, thank you. And I actually didn't look much into that, because by that time, if I'm not wrong, I had just started school, so I was not working. So do we have any estimation of companies that did pay for that, and how much extra cost was incurred for paying? Because, as you said and as I've heard, not only did they not have a decrypter, but also even if they sent something, it was not allowed. So do you have any estimation on how many companies did pay and how much they did?

Well, actually, they were unable to pay at all, because the screen, the red screen that I showed you, that was an example from the WannaCry ransomware, and that is a different subject, because the WannaCry ransomware operates differently from NotPetya. But there is an estimation of how much damage NotPetya caused to all the organizations. Specifically for Maersk, it was around 300 million dollars, but they had this, let's say, cyber security insurance in place, which actually made it a little bit easier for Maersk to come back financially, if we can say. But for the other companies, it was around 10 billion dollars, because this included banking systems and different companies, especially the ones which were located in Ukraine, because that's where it all actually started.

Okay. And another thing: since this was the WannaCry screen, aside from EternalBlue and the fact that it's ransomware, do you have any correlation, any links in the code between them? So is the bug that WannaCry had, the domain bug, present here in this? I'm asking because I haven't looked at those codes, so do you know?

Well, actually, what is known is that they did use EternalBlue to propagate through the infrastructure of Maersk and all the other companies that were infected in this case. Also there are other tools and exploits; maybe the exact number is never actually known, because there were so many tools, they just wanted to make this work. So unfortunately I wouldn't be able to know that for sure, but we know that they had just enough in place to make this work.

Okay, thank you.

Thank you as well. Any more questions?

Yeah, we have one more question there. By the way, I do appreciate questions, because it's making me walk around; at the menu I had so much food, so I'm gonna burn some calories.

Hi. So right now, with data security and all the different malwares, including ransomware, my question would be: how can we ensure that
our University remains resilient in the face of evolving ransomware threats and also let's just say worst case scenario we do get around somewhere threat and how would we ensure that our backups are secure and let's say up to date yeah good question first of all in terms of uh being protected by the run so here in this case it's crucial to have cyber security sessions for both the staff and the University students because this will allow them to actually identify the potential threats where ransomware could originate from and uh also it's important to have all the systems up to date because for example uh if Mars were to update the vulnerability that was related to
Eternal blue I'm not saying that the attack would not happen but the impact would be less than what they did in this case second thing about backups I mean in this case unfortunately even though they had offline backups it still managed to go through the infrastructure uh but uh you know one of the strategies would be to have these backups uh in multiple places and ensure that they are done in timely manners so in this case they they even if this would have happened they would be able to actually restore them what's really important to know is that for example if you're talking about server backups which is where they store their data or their applications that
would be the case but it would be harder to actually uh backup each and every one of the laptops of the employees which immersk had in this case thank you for the question any more questions great presentation Andrew before you upload let me make it just like a couple of comments as well before me yeah yeah of course as you know like Southern Supply Chain attacks are very common you already mentioned me Doc a couple of years three years ago we also had solarwinds like when you get Windows updates you don't question them and same thing goes for the solder you're like Focus you have business objectives and you just want to get the solder get the stuff done and
I'm glad that you pointed out that one way like to put like some controls around it it's through sandboxing so before you actually get those updates you actually do that yeah so there's a huge topic uh you you also covered like the payment and like we know like with Colonial pipeline uh CEO actually made the payment of uh four million or something like that and it was the hardest decision that he had to make only businesses that have actually dealt with ransomware they know like how it's to deal with them you know uh in case because I know that old articles that he read they say don't pay them and I'm not encouraging them to pay
them but if you decide to not fall in a like a trap trap make sure you ask proof of life so you will send them one file and see if they can decrypt it before you you actually pay okay with that said thanks very much that was great presentation [Applause] so we have the last speaker for today before I introduce him give us like a couple of minutes just so we can set him up Armand if you wanna please
Now if you press the button here on the side, just press it.
There we go, and it will work.
Okay, I think we are ready, if you want to take a seat.
Well, she's just talking. Okay, last but not least, we have Armen Salio, who is going to talk about business impact analysis in business continuity plan. Thanks for being here, Armin, the floor is yours. Hi everyone. So my presentation is: how real is this business impact analysis, which is part of business continuity plan. To introduce myself, I'm Armin Salio, this is a series, MCSE and copy 35 certified, also working as internal auditor at Middlebury bank here in Pristina. My presentation is different from the others, since it's not a technical presentation but more a philosophical presentation. So what is business impact analysis? Business impact analysis is a process that identifies and evaluates the
potential impact of an interruption to critical business processes and business functions. What is the purpose of business impact analysis? So the main purpose is to provide the framework for developing a comprehensive plan for responding to those events, and also to assess the potential impact of disruption, both the internal and the external impact that the institution may have. Many organizations today claim that they have a comprehensive business impact analysis, which is part of business continuity plan, as part of their disaster recovery or business continuity management process. The question is: how real is this impact analysis, and does it actually deliver the desired outcomes? To answer this question, usually we have to consider the factors that contribute
to the effectiveness of business impact analysis. Firstly, business impact analysis must be conducted with a clear understanding of the organization's critical business functions and processes. Also, it has to include and involve the main stakeholders of the organization, like business leaders or process owners, departmental heads and subject matter experts, since without this involvement business impact analysis misses critical elements, leading to ineffective planning. Secondly, business impact analysis must be conducted using rigorous and well-defined methodologies, as well as well-known standards, in order to be comprehensive and cover all the potential impacts so that they are identified and evaluated.
This requires a comprehensive risk assessment, without which we cannot do anything, that considers both internal and external threats such as cyber attacks and natural disasters, as well as supply chain disruptions. Business impact analysis must be an ongoing process, not a one-time process; it's a living d