So, as always, you can go on Slido. I will pop that link on this board as well, and we'll have the QR code as the speakers talk, and then they will pick in after the talks. So, our moderator is Pierre-Marc Bureau. He's a long-time not-so-volunteer with more than 15 years of experience in information security. He is responsible for the team at TAG that is working on financially motivated attacks. His team is based in Montreal, and he specializes in reverse engineering and malware analysis. So, that was very valuable. Awesome. Impressive, thank you.

Welcome everyone. So, I want to introduce our first speaker, Sierra, who has been doing malware analysis and reverse engineering for the last 10 years. In addition to that, he's also volunteering in the community, both part-time in Slido Agus and Blasphemy. So, welcome.

Hello, I'm Chris. I'm here for an analysis, and I'm going to talk about our research in terms of malware development. You know, my relationship with it, and figuring out how to talk about it. So, after all, we are going to look at different kinds of development with different colleagues and partners. There may not be a pattern right now, but what we know is that the developers would like to focus on different EDR evasions, at least. Some of us always have to. So, we'll talk about those as well. We'll draw a conclusion about what these kinds of evasions are to develop, and how they are going to develop and assist. So, the name for the model, as seen in the thousands of volumes, is called Sundance, where I will continue to use Bumblebee's EDR evasion.

We'll first get to a really quick history about Bumblebee. So, quick, with a quick knowledge on this. So, how it all started. First of all, in March 2022, the Google TAG team and other researchers observed this new loader being used by affiliates, two of them previously associated with Conti. And that's also how they gave it its name: the string Bumblebee was seen in the User-Agent header when it made requests to the server. Now, these same affiliates used a similar loader in a campaign in August of 2021. That's what they were targeting. And it was later reported by Microsoft in September of that year. But that loader didn't have the bot-like capabilities. It was only used for spreading Cobalt Strike.

So, when you're looking at our timelines, we are going to focus on Bumblebee when it started off as a bot. For the start date, we're going to use 31st Jan 2022. And for the purpose of this presentation, it's until 1st of March this year. As you see here, shortly after the first report, Bumblebee's activity started picking up. Three major affiliates have been seen using it from the beginning, and more major affiliates joined down the line. There were some smaller ones too, but they're not shown here in the graph. And you also see that it's distributed by the likes of Smokebot and Batmotor. So, it's quite a popular malware.

So, what is Bumblebee like right now when it infects a victim's machine? What does that lifecycle look like? It starts off with the loader. As you see in the flow, it's encrypted, it's packed, and it unpacks the malware. In Bumblebee's case, the unpacked file is always a DLL. So, once unpacked, it can communicate with the server to receive commands that it needs to run on the machine. Bumblebee calls these commands tasks. They are abbreviated three-letter strings, and they're lettered in such a way that you can deduce the meaning behind each task. So, take, for instance, the one at the very bottom here, SDL, which stands for silent delete: the malware removes itself from the machine. I won't go through this list yet because we will touch on tasks again at a later point. Now, our unpacked DLL, too, has another embedded file in it. It's called a hook module.
It's used in conjunction with two of the tasks, and we'll see that later on in the talk as well. And finally, Bumblebee is modular in nature. That means it can run different plugins on the machine that it gets from the server. And those plugins, too, can communicate with the server.

So, from this image, we are looking at three different timelines. Our first timeline will look at the development that's been put into the loader and the DLL. The second one looks at the changes that we have seen to the communication protocol over time. And then finally, the third timeline is just going to look at tasks.

So, here we have our first timeline chart. The way it works is, from left to right, it goes in chronological order, starting from 31st Jan 2022 until 1st of March this year. And from top to bottom, you can see the list of techniques that the malware uses as part of its loader or its bot. I didn't list all those techniques here because it would be impossible to fit them all in the slide. But this is just to give you an idea of how long those techniques were used and the duration.

Now, before I talk about this timeline here, I do want to mention Bumblebee's binaries in general. Bumblebee's main DLL, the unpacked file, and its plugins, you'll notice they use a lot of functions from the Boost library. Boost is an open source, header-based C++ library. That means any program using Boost ends up statically compiling a lot of those functions into its binary. And it also explains why Bumblebee's files are quite big in size.

So, as you see here from the start, when Bumblebee started, it didn't have a loader. It didn't have any packing; it was unencrypted, it was unpacked. This might likely be a way for the developers to test the bot. And the loader actually came much later into play, by end of March. And as we saw in the previous timeline, it was around the time the malware was picking up activity. So, even though they were just testing the malware, they did have what we believe to be an EDR evasion technique. This technique was where it would hook the API RtlExitUserProcess. The API was only hooked if there was an existing EDR or AV hook on that API. In this case, the malware's trampoline code would make sure that Bumblebee finished executing its thread before control went back to the EDR, likely to prevent the antivirus from scanning or analyzing the process any further. They did though swap this technique for another EDR evasion called thread execution hijacking by end of June 2022, which in my opinion is a much better EDR evasion. We'll see why in a later slide.

Now, when the loader was introduced, it was only like an encrypted packer, I mean, an encrypted DLL. It too had an EDR evasion. It's called remote library injection. And that too we'll see again right after this slide. The developers also played with a different form of a loader, and in fact it also gave them another EDR evasion. So they would use PowerSploit's Reflective DLL injection. This was something they introduced after they came back from their first break, but now we see it more since they came back from their second break. And it's more used in cases of SEO poisoning and malvertising.

Finally, I want to touch on al-khaser. al-khaser is this repository on GitHub. It contains all these different techniques one can use for doing anti-analysis checks on the machine. And Bumblebee uses almost all of those checks. So they were using the al-khaser repo quite aggressively at the beginning of the malware's execution, and, as you can see, for a really long period of time. But then interestingly, they just dropped it like two weeks before going on their second break. It wasn't really clear why.
But then after coming back from their second break, they reintroduced it, but in a completely different context. So we'll see that more when we look at the C2 communication.

Now, we have our first EDR evasion here. This is used by the loader. The purpose of this technique is to masquerade Bumblebee's unpacked DLL to appear running as a legitimate DLL in memory. Here you see a screenshot of Process Explorer. You can see the active threads of Bumblebee's process. The one highlighted there, the active thread, is pointing to this library called DimsRoam. It's actually a system library of Windows. Now, in this case, it's not the system library that's running behind the scenes. It's actually Bumblebee. The one giveaway here is that it's referencing that export function called SetPath. That belongs to our malware. Now, this technique is done by first hooking APIs that are used by NTDLL for loading and mapping libraries in memory. Generally, those APIs perform the operation against a file on disk. But by hooking the API, they can control it against an unpacked file in memory. It's quite clever. But this proof of concept isn't new. It was introduced back in 2004. There's a link to it at the bottom for those that can see the slide, which goes into detail explaining it. Also, the only other malware that we were able to find using the same technique was Ramnit. It's also pointed out in one of IBM's blogs. Now, this is not all to say that the developers were necessarily aware of the POC or were the same group as Ramnit, but it's quite common in eCrime to see a lot of these groups borrow techniques and reuse techniques. So it's nothing necessarily new, but it seems to work for their case.

Next off, we have the thread execution hijacking. This is the EDR evasion used by the unpacked DLL. Now, this technique's purpose is to masquerade Bumblebee's start offset in memory under a decoy offset, and they point that offset to that of this really long-named API that's part of NTDLL. So similarly, you have the same screenshot here, and you have one of these other active threads. It's showing that the API is running, but as you can guess, it's actually the malware. Now, this technique is done by first creating the API as a thread in suspended mode, and when the thread is suspended, the malware can modify the thread's context structure. In that structure, there's a field that specifies a start routine. It would normally point to the API; it just swaps it for the malware. So it effectively just spoofs the EDR's call stack, so it appears that an API is running, but actually it's the malware that's running behind the scenes. Now, this technique is generally used for process injection, and there's a really good entry in MITRE ATT&CK that shows other malware families using it. In my case, I was trying to find a similar POC where it's used within the same process, because it wasn't really injected into any external process. I had no luck. I actually thought this was something novel by this group, but then I came across this other blog where they show Cozy Bear's Dropbox loader using the same technique, and coincidentally, they use the same decoy API name, of all the API names that could be out there. So again, clearly they borrowed another technique here.

Now that we've learned about the loader and the DLL, let's look at the C2 communication. Before I show the timeline, I just want to explain what Bumblebee's protocol is like right now. The malware uses secure WebSockets. The messages it creates for the server and receives from the server are in JSON format, and they are RC4 encrypted, the key of which is embedded in our unpacked DLL file. Here's a description of what these messages look like. They're very truncated.
It's not the full version, but just to give a sense of what it is, and I've labeled them as ping, hit and task just to understand the flow better as I explain it, but these are not the names given by the malware. Now, Bumblebee has a beaconing style of communication. So these messages you see get sent in a loop constantly. This is quite common in a lot of eCrime families. You see it also with boxbots and catbots, so the payload is not immediately delivered to the victim machine. It's delivered at an undetermined period of time. So that makes it harder for analysts like us to pull down any payload, and it also makes it harder for the victim to realize that they were affected.

Now let's explain what these messages mean. The whole point of Bumblebee's ping request is to send across the bot's ID to the server, and in turn from the server it will get a session ID. That session ID is used throughout the other request messages, and likely it's for the malware's back end to keep track of what messages get sent out. And finally, if there are any commands for the malware to execute, they will arrive in the task type response message, and as you learned, a task is the three-letter command along with any payload for the malware to execute.

Now what about the hit request here in the middle? That is where al-khaser comes into play. al-khaser, as we learned from the first timeline, is this repo on GitHub that contains different techniques one can do for anti-analysis checks. Well, Bumblebee doesn't do those checks at the beginning of execution. It will run those checks only when it receives the go-ahead from the server. That go-ahead is in the ping response. There's a Boolean field in there called hit. If the server sends the hit value as true, it will run these checks, and then it will send the results of those checks, in this really long JSON message containing different Boolean fields, across to the server. And accordingly, the server will drop the connection if it thinks it's running in a VM or there are any anti-analysis artifacts.

Now the developers didn't only settle with using al-khaser; they do some of their own checks, like the classic of looking for active processes on the machine, and this one in particular, this field here called binaryDB. That one contains a Base64 encoded SQL database of browsing history that they query from Chrome and MS Edge in particular. So now you have a really clever way of checking if your machine is indeed a sandbox or a victim, because a sandbox is less likely to have browsing history. I do want to note that now we see these new builds in April where this check has been dropped, but not completely, because we still see affiliates using older builds, so not every communication will necessarily be exfiltrating browsing history.

Now in the event that Bumblebee gets a task from the server, it will also send the result of running the task in a separate type of message. Sorry, it's right behind me here. And that just contains any errors that may have been encountered by running the task, or any information that was exfiltrated by running the task.

So looking at the timeline, there have actually been quite a fair bit of changes over time until it got to where it is now. It's a bit harder to follow, so I found that just by grouping it on these certain properties here, again, right behind me, it makes it a bit easier to follow. So let's go from the beginning at the start. When Bumblebee first started, they actually used an HTTPS protocol. And of course, its infamous User-Agent string, Bumblebee. Now the messages that were sent across, it was only the task message, so not the ping and the hit that we saw in the previous slide. The client version number was one, of course, the first iteration, and the endpoint string that it made requests to was called gate.
Now by mid-April, they decided to randomize the User-Agent pattern, and this was also the time you started seeing more public blogs coming out about Bumblebee. Bumblebee was a bit too obvious of a User-Agent name, but that was clearly short-lived, because in early May they decided to switch it up. So they randomized the User-Agent. They started encrypting the task message, and RC4 keys come into play. The endpoint string changed from gate to gates. S may be their way of saying secure, no idea.

And then, okay, so now the next stage. A month after they came back from their first break, they switched the protocol. This is where they started using WebSockets. We also see the introduction of the ping type message. The endpoint string changed from gates to gatew. And the client version number was two. And now where we are at, and something they've introduced after their second break, is that we see the three messages. The only difference is the User-Agent string is this hard-coded value here, at the bottom of the slide. It's not randomized anymore. And maybe it's like the attempt at trying to make traffic look a bit more legit.

That brings us to the final one, tasks. So here on the left-hand side, okay, the screen has gone off here, but on the left-hand side, you can see the description of what the three-letter tasks mean. And on the right-hand side is a really high-level overview of how they get executed by the malware. Now, our first four tasks are what are responsible for executing payloads, most of which inject the payload into processes. So Bumblebee can either inject shellcode or a DLL. And if it is a DLL, it could be either secondary payloads in the DLL format, so like Cobalt Strike, or it could be their plugins, which are also in the DLL format. Now, if it's injecting payloads, it uses the APC queue code injection technique, and it's also injected along with the hook module, both of which have an EDR evasion role behind them, so I will expand on them at a later slide. Now, Bumblebee can execute payloads just by itself. No injection needed. That's the DEX task. GDT allows the malware to run commands, likely for reconnaissance. Instead of invoking them directly through cmd.exe, they're passed to cmd.exe's standard input and output. Nothing malicious, it's actually a common programming technique, but it just prevents the user from getting notified that these commands are running in the background. The malware can install itself on the machine, a.k.a. create persistence. It uses WMI to create those artifacts. And finally, SDL, silent delete. The malware can remove itself, and it uses PowerShell to do that.

And now we have our final timeline. So let's start off with the persistence task, install. When this task was used in the beginning, it didn't use WMI. It used your regular Windows APIs, like CreateDirectory, to create those artifacts on the machine. The switch to WMI came about early May, and it was actually quite a clever shift. Because now it would create those persistence files using command line strings. But with WMI, it would create cmd.exe using WMI. A result of doing that ends up showing cmd.exe's process as a child process of the WMI parent process, rather than of the malware's process. So effectively, they achieved parent PID spoofing. Quite clever, and it's a bit harder to monitor.

Now, this same task, the way it's implemented differs based on which loader is being used. So as we learned in the first timeline, it's either PowerSploit, so it starts off as a PowerShell file, or it could be an encrypted loader. If it was using PowerSploit, the malware just uses Windows DPAPI to encrypt the contents of the file.
So this likely prevents antivirus from scanning the contents and going, oh, this looks like PowerShell commands, and blocking it. Then accordingly, Bumblebee creates a task that will run a script, which uses DPAPI to decrypt it before running. Now if the loader was an executable to start off with, it was already encrypted, already packed, it didn't need DPAPI, and it just used a living-off-the-land binary, odbcconf, to execute the DLL.

Next off, we have GDT, the one that can execute commands. They introduced this in early May as well. It was implemented in a simple manner. In fact, it was so simple that it matched exactly with MSDN's example on how to achieve the same technique, but it only allowed them to run one command at a time. So I wasn't aware that they were testing it, but then by end of May they switched: they started using the Boost.Asio library to implement the same technique. The only difference with using Boost was it allowed them to run multiple commands asynchronously. So here you see just a screenshot of what the pipe name gets created as, as a result of using Boost.Asio. So not malicious again, but quite useful for hunting. And at the end of the name, you'll see concatenated to it the PID. So it's the process that invoked this technique to start off with.

And then finally, let's touch on PLG, the task. PLG is what introduced plugins for the malware. And that was also introduced around the time they switched to WebSockets. So they made quite big changes after their first break. Nothing too fancy, but they needed a way to get the plugins to communicate with the bot. And so they created an RPC endpoint via named pipes. That allows for inter-process communication. Nothing malicious, a popular programming technique, but it's just useful to be aware of. Now the plugins, via this endpoint, can query for the active C2 address. Fine, okay. Okay. For the active C2 address and port that they need to connect to.

Okay, so I'll try and go as quickly as I can. Okay. So let's talk about this injection technique that's used by tasks. APC is actually getting quite popular among malware authors, and there's a MITRE ATT&CK reference at the bottom of the slide, if you can see it, that lists other families using it. So why is this popular? Every thread in a process has an APC, it's a queue. Anything that gets added to that queue is executed when the thread enters an alertable state. So Bumblebee, as you can tell, and most other malware families, they like to take advantage of this. In Bumblebee's case they'll just create the process in suspended mode, inject the payload, and add an offset to the payload to the thread's APC queue. Then as the process is resumed, it ends up executing the code. And also they modify the entry point of the process by adding instructions that call SleepEx in a loop, because SleepEx helps to set the thread into that state, into the alertable state. And in addition, these processes are created with WMI and, as we've learned, achieve parent PID spoofing.

Next off is the hook module that's injected along with the DLLs. The purpose of this module is to remove EDR hooks on APIs. It comes with a list of hard-coded APIs in the binary and it looks through all those APIs. It compares those APIs' instructions in memory to their instructions in the physical file on disk, because AV is likely to hook an API in memory. It doesn't hook it on disk. So it compares them using a length disassembler, which calculates the length of each instruction and the prefix. And accordingly, if the length or prefix is different, it means it's hooked, in which case it just copies over the bytes from the physical file to its instructions in memory, effectively removing the hook. Finally, it uses remote library injection to load the payload to appear running as a legitimate DLL.
So this was the very same technique used by the loader as well. I'll quickly expand on the function that uses the length disassembler function. It borrows a lot from this open-source library called Lipsplice. I just wanted to point out it's quite popular among other families that have been seen. And again, just to show that it's not something they've implemented on their own; they're just using some existing code out there.

And that finally brings us to our conclusion, in speed mode. So what do these timelines teach us? From these timelines, it helps us to map the activity of Bumblebee's software development lifecycle. Clearly, the developers have an agile methodology with how they go about building this malware. We see that right off from the beginning, especially that period in the start, 31st Jan until 31st March 2022. That was the first release of our malware. It was quite simple. It didn't have the loader. It wasn't encrypted or packed. And this in agile terms would be called an MVP, which is a minimal viable product. And that's where they're testing out. You'll also see this in a lot of underground forums, when authors are trying to sell their malware product: they have some beta version or an MVP version. And it's kind of hilarious. It's kind of like the crowdfunding for getting the malware project off the ground. Not to say that we saw the same activity with Bumblebee, but just by observing the builds over time, you can see this. You can imagine what that's like. And it's also clear because the second phase of their release was what introduced EDR evasion. That was at the end of March when they introduced the loader, and it also had an EDR evasion, and we even see three major affiliates using it. And it makes sense, because if you're going to make your malware live, you want to make sure that it's not detectable.

Now apart from all of that, we also noticed that these developers like to focus on the C2 infrastructure during the hiatus. In our heads we think of a hiatus as a break, but no, they are not on a break. They're on a break from distributing the malware. This makes sense, because if they're going to build a new malware, they want to make sure that it's able to communicate with a back end that works. And so it makes sense why they're going on a break. And I believe right now they're probably on their third break, because I haven't seen much activity.

The developers too seem to step out of the norm with how they've gone about building this malware. We don't see the use of API hashing or string obfuscation, which is actually quite common. That might likely be the result of how they're using EDR evasion. So as we saw with the loader and with our DLL, it spoofs the EDR's call stack. It makes it appear that it's always running as a DLL or as an API. So if your antivirus doesn't think that memory space is malicious, because it thinks it's a DLL or API, it's less likely to scan it, and then YARA rules at this point would be quite useless.

And then finally, they clearly have some mature dev practices in how they go about doing things, especially the fact that they're using Boost. Boost is open source, and it's very popular in the C++ community, but it's not commonly seen in malware and used for building malware. There are a few out there, but it's not common. You don't even see them using game sheets, and you can guess why: it's quite big in size and quite bulky. But the fact that this is mature is because they're clearly familiar with something that is quite common for a community, and they use it. I mean, they communicate with the C2 and in the GDT task command. And also the fact that they're using the open source library Lipsplice, that's quite common in splicing. It's been around for almost a decade, and it makes sense.
Like if you're going to modify an API in memory, you better know what you're doing. So might as well use something that works and is quite capable in the C2 task. So yeah, that's about it. Hope you all enjoyed, and I look forward to questions during the panel. Thank you.

Thanks everyone. We will start again in roughly 5 minutes. So if you want to change rooms, or even move a bit forward in the room so that you leave more space for others coming in, see you in 5 minutes.

Good morning for about a week. And they give more detail and say that there was a malicious attachment with a macro, and then it led to a Lua-based malware, depth sensitive. So according to our visibility, most high profile targets for this cyber espionage campaign were located in Eastern Europe around Ukraine, and we noticed that the group was especially interested in diplomats and people working at the Ministry of Foreign Affairs in various countries in this region. So here are examples of malicious documents that the group has used. The one on the left used some traditional VBA macro, while the one on the right was used, if I remember correctly, in June 2022 against government staff of Moldova. This one was using the Follina vulnerability, which is CVE-2022-30190. It's a vulnerability that leads to code execution in Microsoft Office. And this one was discovered just a few weeks before it was used. So it shows that Asylum Ambuscade is looking for new compromise vectors.

So what's the infection chain? First it starts with a spearphishing email, as I just showed. Then it's a malicious Office document, for example an XLS attachment with a VBA macro, that then downloads the MSI installer that will drop the SunSeed downloader, which is a Lua downloader, and then the persistence is established by dropping a LNK file in the startup folder. But the chain doesn't stop there. SunSeed is a downloader and can download additional scripts in Lua, and one of those scripts is responsible for downloading the next stage, which is more or less the same thing as SunSeed but in AutoHotkey. So it's again a downloader in AutoHotkey, and this one can download spying plugins, also in AutoHotkey, so for example to take screenshots, to steal passwords in browsers, or some kind of hidden VNC. There are many more.

So this is SunSeed. It's a bit ugly, but once you've de-obfuscated it with a bit of manual work, this is what you're getting. It's quite simple: first it takes the serial number of the C drive, and then it sends an HTTP GET request to the C&C server. There is an IP address of the C2 that is directly encoded in the code, and then it's a slash and the serial number that was retrieved, and then the reply to this request is Lua code that will be interpreted. So this is the plugin that will drop the AutoHotkey downloader. It's a Lua script that will just download first this mscore.ahk file, so this is the AutoHotkey script, and then second it downloads the AutoHotkey interpreter, because most of the time the victim doesn't have the AutoHotkey interpreter installed on their machine, so they need to ship it.
This group really likes scripting languages. For example, they developed a variant of SunSeed in Tcl; it was the first time I heard about this scripting language, but as you can see it's almost the same thing, except that it doesn't retrieve the C drive serial number. But the logic is similar: it sends a request to a server and evals the reply. So this is the AutoHotKey downloader, and as you can see it's almost the same as SunSeed again. First it will take the C drive serial number, which is then put in the HTTP request, and then it evals the code that is sent back by the C&C server. Here is an example of a plugin in AutoHotKey. This one will install a remote access tool which is called Remote Utilities, so it's kind of a legitimate tool, but it allows to fully control the machine; so actually this AutoHotKey script just downloads and executes the executable for Remote Utilities. This is the full list of plugins that is available to AHKbot, so I won't describe every single one of them, but maybe just a few. So there is a deskscreen plugin to take a screenshot, and deskscreenon and deskscreenoff to take screenshots in a loop. Then we have this HVNC; so HVNC stands for hidden VNC, but actually in this case it's not really, it doesn't use the VNC protocol, it's just a headless Chrome browser that can be controlled remotely. Not sure what the exact purpose is, but it might be to browse websites that are not available from the outside, I mean to browse websites on the intranet or on the local network; since they don't have any proxy, maybe it's their way of proxying traffic. There is a keylogger, pretty simple, a browser password stealer, and the rest of the plugins that I talked about earlier, so it's quite a typical implant used to spy on a machine. And there is this plugin which is called delete cookies, which is interesting because for espionage it's not very useful: it deletes cookies on the victim machine for very specific domains, including, so the domains are hardcoded here, made.eru and td.com, and as you might know TD is a Canadian bank. So why would the attacker want to delete cookies for a Canadian bank? So we think that this plugin is aimed at deleting authentication cookies so that the victim has to re-authenticate to their account, and then if they run the keylogger at the same time they can grab credentials. But this td.com doesn't make sense if you target diplomats in Eastern Europe. So let's go back a bit in time. I found this blog post by Trend Micro that says that it's a group that targets US and Canadian bank customers, and if we scroll down a little bit we have this nice figure, and as you can see the infection chain starts with an XLS file with a VBA macro, then we have an AutoHotKey downloader that can download additional scripts, so it probably sounds quite familiar. And then we scroll down again and there is an example of a plugin; so this one is a browser password stealer, and if we compare it to the plugin called passwords that we found in our espionage campaign, it's actually the same thing. So it seems that the toolkit used in this Trend Micro article from 2020 is the same that was used to target government staff last year. So is it a criminal group that switched to espionage during the war?
Actually not, because we dug into older campaigns and we found that since 2020 Asylum Ambuscade has been targeting government officials and people working in state-owned companies, mostly in Central Asia and also Armenia. So it means that they have been doing cybercrime and cyberespionage since the beginning of their operation. So I answered the question a bit early, but yes, they do cybercrime and cyberespionage. I also noticed that at the beginning of last year they were mostly doing cyberespionage, but then starting October 2022 we started to see more and more cybercrime campaigns. We found around a bit more than 4,000 victims since the beginning of 2022, and as you can see most of them are located in the US, Canada, a bit in Europe, as you can see Germany, but what is interesting is that there are also quite a few victims in Russia. So we counted more than 4,500 victims since January last year, and interestingly there is a big spike of infections almost once a month. So the latest one we observed was in early March; I didn't observe anything like another campaign since that time, but maybe they completely changed the toolkit, I'm not sure. And most victims of the cybercrime campaigns are cryptocurrency traders and also small and medium businesses; I don't think they are specifically targeting anyone, just random small businesses in the US and Canada. So how is malware delivered for the cybercrime campaigns? So they mostly use a traffic direction system to redirect targets to malicious pages. Unfortunately, in our telemetry we did not observe how people landed on the first node of the TDS, but open source reporting suggests that the attackers are sending spam emails with links, or PDF documents with links, to these first nodes of the TDS, and it's also possible that visitors from compromised websites are redirected to the TDS. So here is an example of a chain for the TDS that I found on urlscan.io: the target will first visit the website localkitchencodes.com, then they will be redirected to a second domain, which is a bit hard to pronounce so I won't do it, and then there is a third redirection to take4solutions.com, and on this one there is the delivery of malicious JavaScript files. In that case it was named "Document 1 December <some random number>.js", and it's almost every time the same pattern for the malicious JavaScript, so it's always "document" or "notice" or something like that, and then the date of the campaign, and then some random number. In some other cases there are also fake pages, so people are redirected from the TDS to fake Zoom pages, and then from the Zoom pages, if you click download, then you also get a malicious JavaScript file, and there are also some for TeamViewer. As you can see there is some typo, "new verizon", and I think actually it's not TeamViewer in the title, it's 2v if I remember correctly. So this is another chain that we found, with NakodaMachine.com as part of the TDS; it redirected to this document JS malicious script and then it downloaded AHKbot, so this is clearly part of the Asylum Ambuscade operation. But if we look for this domain on VirusTotal, for example, we can see that the same domain was used to deliver a different MSI file with jobs, actually a PowerShell script, and this PowerShell script will reach out to download-cdn.com, and this domain was apparently controlled by another cybercrime actor called TA505 in 2020. So it's possible that the domain changed hands, but in any case this PowerShell downloader is actually not part of the Asylum Ambuscade operation. So what it means is that the TDS is not exclusive to Asylum Ambuscade: it was probably used by TA505, we've also seen some QBot distribution through it, so it's probably some paid underground service that the group is using to distribute and install the malware; they are probably paying someone else to distribute the tools. There was also some mention of malicious Google ads that redirect to those malicious websites, so we did not really
observe it in our telemetry, but there is a blog post on the SANS site, and you can see this is a fake ad for TeamViewer, and actually it redirects to one of the fake pages that I mentioned just a few slides before. So in any case, either the TDS or the malicious Google ads lead to a JavaScript file, which is a bit obfuscated, but we can reconstruct the URL, and actually it will call InstallProduct to download and install an MSI from this URL. So probably Asylum Ambuscade was providing this MSI, and even the JavaScript was controlled by the same group as the TDS. If the target executes the JS script, it downloads the MSI package that drops this VBS downloader, and again it's similar to SunSeed or AHKbot: you can see that it gets the C drive serial number and then does the HTTP GET request; in this case it will not download VBS scripts but download and install another MSI package. This MSI package can contain, for example, AHKbot or a new Python screenshot tool, and also in the latest campaigns we have seen a few more plugins for the AutoHotKey downloader. So this is a Python screenshotter; it's quite simple, it just takes a screenshot and exfiltrates it. Also the feeling of how it's written is always similar in every scripting language, so I believe one person develops all these tools in all those different languages. There is also, if you remember, there was this more or less hidden VNC, but now they have something that they call HCMD, and actually it's a reverse shell written in Node.js, why not. And actually there are a few functions, but the goal is just to execute some command with cmd.exe and send the result back to the C&C server. And there is a new password stealer, and what is interesting is at the end they download and execute another executable, which is downloaded just here; what is interesting is there is some comment in Russian saying that here it is not known what this function should do, so it's probably reassuring to see that they don't really know what they are doing. And the last one that they have, probably because they started to really compromise more and more companies, is this script to gather information about the Active Directory, so they execute a bunch of commands like nltest or net group "Domain Computers" /domain, etc., and then again this part is very similar in all plugins. And what comes after, of course, Cobalt Strike. Then after Cobalt Strike we haven't observed any further activity, but it's likely that attackers are deploying other stages or are reselling the infected machines to ransomware affiliates, for example. Yes, they can monetize their activity with the password stealers, or, I don't know, they can take screenshots and get some private information, but I think that they are really monetizing also the infected machines after Cobalt Strike. The configuration is quite typical, so yes, you have a domain, knowset.com, I believe they control that; it uses a jQuery Malleable profile, and if we scroll down there is a watermark, and it's a watermark used by many, many cybercrime groups, so it's probably some Cobalt Strike builder from a long time ago. And then two months ago they did some retooling: they decided to redevelop everything in Node.js, including AHKbot, so this is the new backdoor that we named NodeBot, but as you can see it's the same thing: serial number, GET request, and then execute the result. The difference is that everything is in JavaScript now, and they have started redeveloping the plugins from AutoHotKey to JavaScript, so they haven't finished redeveloping everything, but some of them are already known, for example the browser password stealer or the screenshotter; this one actually downloads another tool which is called IrfanView, it's a tool to edit pictures, but actually it can be used on the command line to take screenshots. Some other experimentation that we have observed, in March, is that they have started playing with LNK files, so since Microsoft
disabled by default macros in documents downloaded from the internet, LNK files have become very, very popular last year among all threat actors, and Asylum Ambuscade is no exception. And they also started to play with .pub files, which are just Office files for Microsoft Publisher. So as we can see here, for example, one of the operators uploaded a bunch of files on VirusTotal, probably in order to try to bypass detection, so we can see at the beginning there was one detection, then a few minutes after five detections, and finally zero detections after 27 minutes. Some words about the attribution: so there was again another blog post, by Proofpoint, which was published early February, and they have named the group TA866, but actually it's the cybercrime part that I was describing. So now the question is, between the espionage and cybercrime clusters, is it the same group, or is it some malware for sale? So we think it's the same group because, first, the level of activity is quite low: we counted a bit more than 4,000 victims, it sounds high, but if the toolkit was shared among multiple cybercrime groups it would be way higher. And second, the network infrastructure is very similar for all cyberespionage and cybercrime campaigns; for example, C&C servers are usually located at the same hosting providers, so it's likely that a single person manages all this infrastructure. And third, the toolset is rather basic in comparison to other criminal backdoors for sale that we have seen. So our assessment is that Asylum Ambuscade is a cybercrime group that is doing espionage on the side, for some reason; we don't know for whom they are working, but they are clearly engaging in espionage as well. So lastly, why would they do financially motivated activity? Since espionage is just a few operations, not their main operations, it's unlikely that they use cybercrime to fund the espionage operations, but it's likely that it's for personal profit. And during our investigation we found a few hints about the origin of the attackers. So first, in most plugins, or most malware developed, there are Russian strings, and most of them, the Russian language, is really good quality, so it was written by a Russian native speaker. So this one says "my number for debugging", so it's likely that these two numbers are the serial numbers of the developer. And also if you remember the targets of the cyberespionage campaigns, it was first Central Asia and then Ukraine and its neighbors, so it really suggests that the attackers are more connected to Belarus or Russia, because those are the two main states that are spying in this region. So let's conclude this talk. First, back to the original question: are Russian cybercriminals targeting Ukraine and its allies? So yes and no. Asylum Ambuscade is a good example of that: it's probably Russian or Belarusian cybercriminals that were doing espionage in Central Asia, but then they moved to Eastern Europe at the beginning of the war. But on the other hand it's only one example, and we haven't seen a very big trend of cybercriminals starting to target Ukraine or Poland or such countries, so we should be careful when trying to link every cybercrime incident in Western countries to the war in Ukraine. So Asylum Ambuscade, I believe they are cybercriminals doing a bit of cyberespionage; they have a basic toolset, but it seems to work even against Ministries of Foreign Affairs; they really like to redevelop the same thing in different scripting languages, and we will see what scripting language is next. Thanks for your attention. We are currently finishing writing a blog post that will be published on our blog, WeLiveSecurity.com, in a few weeks. Thanks everyone.

Thanks for attending. We are right on time, so what we will do is that before taking any of your questions we will bring some chairs on stage and we'll have a panel with Sue and Matthew, so if you have questions please ask them, you can ask them over Slido as well, and
we will start in a bit less than 15 minutes, so please stay tuned.

Thank you again to our two previous presenters, Sue and Matthew. Thanks again for presenting; I really enjoyed the presentations. While the topics were completely different, I think there are many things that were similar: using reverse engineering and technical analysis to understand how attackers or malicious actors are behaving, how they are evolving over time. I think it was also interesting to note that it is likely that both actors are operating from the same region of the world, while at the same time the motivations are different, so I think it was really good. The first question I have for you, actually we have a couple of questions from the audience already, thank you; if you have more, we will have microphones, you can ask them, or you can ask them on Slido as well, so that's it, please send your questions if you have them. But before that I'll start with two of my own questions just to warm you up and get you accustomed to the microphones. So my first question, and I'll start with you, Sue: if you had unlimited resources and you had to do that research again, unlimited resources in the sense of both money but also reverse engineers, contacts in the government, is there anything you would do differently, or you wish you had the resources to do something more?

Good question. So it's very unlike APT, it's almost widespread, it's one of them, and there's also something I touched on in the slides briefly, that a lot of these malware use a beaconing style communication, so that makes it a lot harder to pull down payloads that they're trying to spread. So if money wasn't an issue it would be actually quite fun to try and infect as many machines as we can and track all these different affiliates and what payloads they choose to distribute, because I think that's one thing that's missing in a lot of our industry. So we do track some affiliates, but not all of them, it's impossible; you can emulate up to a certain point, but then it comes to a point where these affiliates are installing tooling on the victim machine that requires hands-on-keyboard activity, so at that point emulation is useless and you do need a machine, and if they don't find anything interesting they're less likely to load anything. So yeah, money not an issue: infect as many computers out there.

That's a really good answer. What about you, Matthew?

Yeah, I think that your idea about having a full environment to see how actors are behaving would be a pretty good idea, even for APTs. Sometimes I would like to have that big Windows domain, a fake one, with machines with interesting documents, etc., just to see what they are doing. This is a good point. Specifically for my research, I didn't have much time to focus on the first part, the traffic direction system; if I had more resources I would definitely look at that, to try to find out where exactly these threat actors are selling their services, what other threat actors are using it, and trying to separate the chain among the different threat actors. Yeah, I think that's what's missing in the research.

Cool, thanks. And by the way, I didn't want to highlight anything that was missing; we always have limited resources and time. So, cool. One thing that I am noticing in different research teams looking at cybercrime is that there are lots of similarities with tracking APT actors, but sometimes there are some things that are harder, in my opinion. One of them is how we organize multiple researchers tracking cybercrime. In APT, I think many research teams will split between Russian actors, Iranian actors, Chinese actors, maybe North Korea. How do you think teams doing cybercrime research should be structured, or do you have good experience in your own organizations that you'd like to share?

I guess I'll go with that since it's cybercrime. That's a good point, that's true. I mean, even I believe CrowdStrike has a similar structure like that, where APT focuses by country and e-crime is, well, everything you
have. But in my case I work on certain families, and some other analysts, they work on it on a family basis, but we are starting to notice things like tooling that is shared across these groups, and then this does make it a lot harder. I mean, as far as it's concerned, we could place most of these malware groups under, say, one country in particular, because that's where they tend to arrive, but of course there's now malware coming from other countries. I don't think there's any clear solution, but the key thing is to distinguish these toolings as much as possible, and then you have, from a low-level perspective, and then from a high-level perspective you have threat intelligence analysts come into play and try and make that connection with how this tooling is used across groups. So I don't think settling with countries is enough; it's targeted, and this is a whole different financial sort of ballgame here.

Yeah, I think the problem with cybercrime is that it's a whole ecosystem, so you cannot really, you can make clusters, but everything is connected, so you cannot work on something and have it separate from everything. For APTs, for example, you can separate by countries, because APTs, they will never collaborate with each other; like, if you track Russian APTs, they will never, never collaborate with Chinese APTs or North Korean actors, or if you work on some APTs you can just work on that and it has no relation with anything else, so it's quite easy to separate the job. Even like, we don't really, how we are organized, we don't separate by countries; for example, I work mostly on Russian APTs but also on Chinese APTs, same for other people, but we tend to track different groups, and one person is responsible for one group, and it's very rare that someone has to collaborate with another researcher because groups are sharing something, except for Chinese APTs, which is a big mess. But it's really easier to cluster things; for example, when I did the Asylum Ambuscade research it was really hard to understand the infection chain and the traffic direction system and all this stuff, because there are so many different actors using the same TDS, so it gets messy quite easily.

That's actually a good point that you brought up about the tooling, because it reminds me of the Conti leaks, and not just the Conti leaks, just like BazarLoader: so when BazarLoader was using the BazarCall type campaigns, a lot of these call centers were opened in India, but we know that, for BazarLoader, none of those developers are from India, and you know, based off what we've seen in the Conti leaks, so clearly there's a lot of international collaboration here, and it's a lot more, yes, a lot more organized than we thought, you know, before. Another good example I have with e-crime is, so for BokBot, or publicly it's called IcedID, they use this hidden VNC tool, you know, Matthew talked about hidden VNCs; so they've been using this tool since 2019, but now we're seeing the same tool being distributed by Bumblebee, we even see QakBot using a similar tool, and it was a bit curious, it's like, is this just another group building this tool, where are they getting their hands on this tool from? So clearly there's a lot of organization happening here, something that we're not privy to.

Thanks. I'd like to ask Lily, you had a question, and if that's okay with you I'd like you to ask it live, because I think you will deliver it better than myself.

Hi Asim. So a question in regards to Bumblebee: so with the API unhooking module in that particular malware, when it detects that an API is hooked in memory, it overwrites that with the bytes on disk, and my question is, what happens if there's a memory pointer at the beginning of that particular API on disk, and for example in memory, would it just write the raw bytes from disk, and that memory pointer would be invalid and potentially cause any type of crash, do you think? What are your thoughts there?

Cool, thanks, Lily, for the question. So yeah, so this was
I think it was a slide I just quickly went by; it was a slide that talked about the lib splice, the splicing library that does the unhooking. So essentially, when it's trying to remove any hooks on the APIs, it's copying over bytes from the instructions in its physical file. So Lily pointed out the fact that you might have instructions in memory where it's referencing addresses, and that could be a potential problem. Does this malware take care of rebasing those addresses? Long story short, no, they don't; they don't even do anything different, they just completely use this library as is. The thing about this library, it is almost a decade old, so it's not something new, not something that was aware of rebasing, so they just, and it ran, there was no problem, so maybe they tested it, maybe not, no idea why, but it seems to work. But I believe, also, Lily's done research where we have seen other families now starting to look at and implement those checks for rebasing, so you know, a lot of these groups are probably becoming aware of the faults behind some of these hooking libraries.

Thank you. Thanks again for your question. Is there any other question in the audience? We are now ready to take some questions. Yes, please go ahead. Okay, with you, I'll try to rephrase your question for the ones listening online, so please step in and correct me if I didn't understand your question properly. The question is, in Bumblebee, why did the developers choose RC4 instead of something maybe more efficient or more modern, like RC5 or double fish?

Good question. It's not clear why they've introduced RC4, and RC4 is like this go-to thing with a lot of e-crime malware, a lot of them just use RC4. But there is also a bit of a hidden meaning behind it, not something I've talked about: so with Bumblebee, a lot of the samples, based on which affiliate is using the malware, each affiliate has their own RC4 key, and so even though it's communicating with the server, you need to make sure you're communicating with the server that can decrypt the messages with that proper key. So in a way it wasn't only just encrypting traffic, it was also used to track communication for certain affiliates. So you couldn't just use any Bumblebee malware and just take the C2s from that malware and just communicate with it; if you don't know the RC4 key that's associated with the C2, it makes it harder to see what the response is. So it's, in their way, slightly tricky, like unless you have the malware you can't use it. But I mean, yeah, they could have carried it forward, but they clearly didn't bother.

Thanks, thanks for your answer. Maybe we can explain why threat actors like using RC4. So I don't really know about RC5 and RC6, but for RC4 there is no constant, so if you compare to AES, for example, in RC4 for instance, it's harder to detect RC4 with byte patterns; you'll need to check the decompiler or have a signature on some disassembly graph. So that's why threat actors are using RC4: it's just hard to make a signature on it.

Thanks for this explanation. I'll go with one question we had online, which was: can you elaborate a bit on what it means that there was a watermark for the Cobalt Strike sample that you described?

So the watermark is a number that is linked to the license, linked to the Cobalt Strike builder. The problem is that, first, it's quite easy to change; if I remember correctly, it's just the number in a text file in the directory of the Cobalt Strike instance, but generally threat actors don't care about changing it, so it can still be useful to cluster different Cobalt Strike beacons: you extract the config and then you cluster by watermark. The second problem is that there are a lot of Cobalt Strike builders that have been leaked online, so you can find Cobalt Strike builders of previous versions, and a lot of threat actors are reusing those leaked builders, and that's why they end up with the same watermark at the end.

Thanks. I'll continue
with questions online; I like that everyone is able to vote and upvote them, so it helps me prioritize. The next one, I think, is for you, Sue, and the question is: could you abuse the beaconing system in Bumblebee to infect the attacker in order to unmask their identity?

You seem to be expecting that question. I like it. Well, unfortunately I don't have any good answer, because part of my work is we do not attack back, so it may be possible, but it's not something we are allowed to pursue or look forward to, and so I just really monitor traffic, and I will, yeah, that's all I can answer to it.

Awesome. I think the next one is for you, Matthew: did you need to enable macros in Word and Excel and Microsoft Publisher files in order to get a successful infection?

Probably yes, but to be honest I just extracted the macro and didn't try to run the document. But if it was downloaded from the internet, I think for a few years now, so before July 2022, you had just some message and you could just click to enable macros, but now it's just not possible to run macros from the internet if you have an up-to-date version of Microsoft Office.

Thank you. Next one is: is crypto still very in fashion in the crime world, or has the hype died down like in the mainstream, and if so, which crypto? I guess cryptocurrency, in this case. So maybe I'll start with you, Matthew, because I think you did mention that some of the targets for the group you're tracking were looking at crypto.

Yes, so we noticed that when they were collecting from browsing histories or doing keylogging, they were very interested in taking credentials to log in to popular cryptocurrency exchanges, for example. So we haven't observed them really stealing those cryptocurrencies, but I guess if they are collecting wallet addresses, login passwords for crypto exchanges, it's just not to look at the number. And what was the original question? Not sure I answered the question.

I think you did answer the question. Maybe the other part was: is there anything you can share about which crypto exchanges or which currencies were mostly targeted?

Mostly Bitcoin, if I remember correctly, and the exchanges, it was very random, so it mostly depends on what exchange the victim was using.

Okay, I could expand on that. So it's not with Bumblebee or anything; this is actually because I've also been tracking some macOS malware, a lot of stealers. So lately we've been seeing, it's kind of an interesting question, because we've been seeing a lot of stealers that target gamers, and like social engineer gamers through Twitter to get them to install stealers on their machine, which at the end of the day just steals wallets, and an extensive list of wallets, and it's all related to the metaverse, because some of these games, they use cryptocurrency exchanges for trading and stuff. So they look at, like, Binance, Bitcoin, there was a list, and I don't know the entire list off the top of my head, but I think it's more common in the gaming world, yeah, for sure.

Great, thanks for the additional context, this is really appreciated. The next question is something we've already touched on, but I will go through it again, and then please feel free to chime in if there's something else you'd like to add: how different is it studying geopolitically motivated malware versus the ones created by criminals, a significant difference or pretty much the same? I'll start by summarizing what I remember from what we've discussed so far. I think we've discussed that state-sponsored attackers are going to be mostly not sharing their tools or techniques, they have their own things, and the Chinese and the Russians rarely exchange tools, while for the cybercrime we see a lot more exchange and common pieces being used. Anything else that you see that kind of stands out as geopolitical versus criminal malware?

I'll start if you want. Maybe how malware are developed or protected: generally criminal malware are very well protected, there are big packers which are very
annoying to reverse, they do a lot of checks to see if they are running in some virtual machine or sandbox or stuff like that. On the contrary, APT malware generally are not packed, very little obfuscated, like from time to time strings are obfuscated, but that's pretty much it. So of course from time to time there are some very big changes that are very hard to understand, but generally I'd say, maybe not easier to reverse, because the malware are very big, a lot of functionalities, are generally in C++, network communication can be quite hard to understand, but they rarely use packers, because they want to stay under the radar and look like any other file on the system; when you have some packed sample it starts to be suspicious.

I guess what I could add to it is, e-crime these days, they are a lot more ransomware focused; I mean, that's the easy way to make money, and if it's targeting gamers it's stealing cryptocurrency, but like gone are the days when you see banking trojans, and most APTs don't, I could be wrong, they may be doing ransomware or not, but that's what clearly defines e-crime and APT. And also I find that e-crime, they tend to focus a lot more on EDR evasion, because they are targeting companies that most likely have some EDR solution, and they just want to bypass that, and especially with ransomware you're seeing a trend with the vulnerable drivers, so the BYOVD, and so clearly they want to prevent EDRs from seeing that they are encrypting files, so vulnerable drivers is the way to go, apparently, these days. So yeah, I guess, I hope that answers the question.

I think it does. Thank you. I'll start with Mathieu for the next one: have you seen the situation in Ukraine generally increase malware threat activity, and what do you think those people working on malware will do if the war ends?

So we did see an increase of malware attacks in Ukraine, but those are mostly state-sponsored attacks, so the people developing those malware were most probably working for the same organization before the war and will continue to work for some organization after the war, so not sure if it will change anything. And we did see some increase in the context of the war, but it's not like crazy, and in the last few months it's really more quiet than it was one year ago.

Anything to add?

I don't know, I think Mathieu answered it well.

Perfect. The next question is also a bit APT oriented: have you been involved in nation-state APT identification for diplomatic allegations, for example blaming Russian FSB for attacks?

So from time to time we will say that the group is most likely Russia-aligned or China-aligned, but we never go as far as naming the entity or the person who is behind it; it's quite easy to make mistakes, and it's more a political job to do that, right?

Cool. And we have time for one last question; it is also a bit politically oriented: how much work is going on with groups blaming each other? For example, Anonymous Sudan recently was discovered to be actually tied to Russian APT; are there other examples?
I can start, because I see you looking at the sky. I think I do remember one case of another Russian operation at the beginning of the war with Ukraine where they changed the metadata in some pictures to make it look like it was coming from Poland, but it was very amateurish and not super convincing. So I think false flag operations are not uncommon, but to say they are increasing or there are recent examples, I would need to ask our experts.

In e-crime, well, with groups blaming, you normally see a lot within the group; a lot of them, sometimes there can be tensions. I think that was quite clear with the Conti leaks when something political came up, but of course it was a Ukrainian researcher that released the logs. But you don't see it too much. You mostly see it among ransomware groups, especially if there was a ransomware that targeted a hospital, and then they immediately try to post on the data leak site that it's not them, it's someone else. So it's oftentimes that case, because they do not want to be liable, and they can actually worry. But otherwise we haven't seen it elsewhere in e-crime. About APT I'm not sure, maybe there's a lot more of that happening at that end.

I don't think there are a lot of them. Another example was the one in Korea during the Winter Olympics. I don't remember exactly the details, but there was something with richaders from North Korean group, and actually it was like behind the attack, like a Russia-aligned group. It's a bit old so I don't remember exactly the details, but actually this group made it look like it was some North Korean-aligned group that was behind the attack. But it's not very common, or it's too good and we don't realize it, but I don't know.

Okay, so something that came up in my mind: you don't see this immediately in campaigns, but you do see it in forums. You see sometimes arguments, when an author, like some group, has developed a malware and they're selling it to affiliates, they can sometimes backstab
or do something that they're not meant to do. There's always rules among them about what they allow affiliates to do and not do. So that is actually quite common in e-crime, and so especially again with ransomware, they try to tell affiliates that because you're targeting hospitals, you're no longer part of the program. So that's pretty common. Or sometimes you have affiliates that will buy a test build but then end up using it their own way, and that, you know, quite frankly upsets the developer, and then they just release it or they go into cahoots with someone else. So as long as there's money there's always something to be upset about.

These are really good examples, thank you. And we are at time, so thank you very much for your presentations, for everything you've shared, and for joining this panel. It's great having this discussion with you, and thanks to all of you for your questions.

started, I'll let people wander in and speak slowly. We've got three more talks in the Zoom until the end of the day, and we're going to be doing a couple of questions after each other, so there's no final panel. So I'm thrilled to welcome Sarah to the stage. She's a long-time hacker, and she spent the better part of ten years as a software engineer with a keen interest in security engineering specifically. She also had a foray into entrepreneurship, and now for the last five years or so her main focus has been on cyber security, primarily offensive. Her research interests include cryptography, malware, reverse engineering and cyber warfare. Sarah is currently working towards her CISST ISSTT, and in the future she hopes to finally get her things. So welcome to the stage.

Really excited to be here, thank you. Thank you so much, thank you for coming to my session. We're very happy to be here, we're very excited to be here. So yeah, first of all I'm so thrilled to be here, and I do not speak on behalf of my story. I'm not talking about my work, I've got my work, I do
my work. I'm just happy to be here. So I just need to make a decision, so I'm excited, I'm very excited to be here. I just want to open our open medium so you can be interested. I believe in cyber warfare. I think we speak a lot of languages, so I have a great deal in The University, so I just want to say thank you for welcoming me. The Q is here, so give me some.

We're going to watch a few clips. The first clip is in Russian, which is in 9. I don't know if you know that there will be 9, but there will be 8. So this is in 9. Anyway, he goes on to say, basically, we're not there. Why? We're not there. Of course not. After a long after, of course, the commander from the after. Yeah, we're there. Of course we are. We're actually playing with the system. We've got people to vote. Vote? In a proxy vote. A proxy vote? Yes. If you can get people to choose to vote for you, or choose to have a rest or mend them by force, then you don't need to go there tonight. So here's the purpose of that. You're part of the organization. If you want to get your community to believe that people voted for something in the cell, that you're a proxy vote, then there's no end to it. So you're just invited. You go to the rest of the screen.

The other unique aspect of this conflict has been the way drones have been utilized. More people use it as a body to do the so-called chronic biology machine. The type of drones is varied as well: both purpose military fiber and the use of publicly available fiber. The use of the OSC self-fiber has gone to the point where some manufacturers, as you go and I, I refuse to solve the working thing because it might be easy after work. This is actually a quick example of how they're using drones. They're typically economizing. So you'll actually see what's coming. They're like here first of all.

Cyber warfare. So some examples of cyber attacks in 2022. This topic is a person with a perspective that marries kinetic tasks with cyber attacks.
It's just on the ground, a task as well as in the cyber realm. The magic connected to cyber operations between what's going on quite regularly, or high like two events in particular, one cyber, one kinetic. It happened to happen on April 11th. It's not very likely it's coming back. You can see the Russian stripes underneath there. And then we have the matching government attacks in the cyber realm.

Cyber warfare paired with kinetic operations often makes for more effective use of cyber capability. This is not just relevant to warfare but also when conducting red team assessments. For example, you need to coordinate with all groups involved, with your individual, social engineering, network, or you need to coordinate with others. Your cognitive coordinate.

So these are some attacks that light up. So we started 2014, with everybody's aware of their time limit. So we started there. We go for a $2.00 attack. And then it goes to afterwards. Cargo attack. And we see the succession of attacks up to 2022 with the official engagement between Ukraine. So we'll talk about two attacks. In particular, we'll talk about NotPetya and we'll talk about the Cargo attack.

The first, Russia. What do we know about Russia? Their focus has been on destructive society's creation of the worker and cyber attacks and physical development of the structure. Dr. Tulligan's report suggests that other incident structures now where the destruction of the power source are probably new, but I do not even think about the military objective. We're supposed to support the Russian focus on the destruction rather than a cyber-physical fight, rather than a cyber-physical damage. But what's quite interesting is even though they're trying to avoid damaging the cyber realm, they have gone out to targets on the kinetic side: hospitals and other targets like schools, schools, yeah, the kind of people. But there's also this question of the three goals.
The one interesting thing about a cyber attack is that you can't reach targets as well as tonight, and if you get out, then this is the three that will be coming up. So a few viruses that you might know, one you earlier see early, that got out of the realm. There's been more things, there's been much more stuff, there's been various viruses, there's not been any. There's been a lot of viruses that we want to try. After that, we're not just based off the scale of blue, there's a big difference between the picture which is also built off the scale of blue.

So, NotPetya. NotPetya is composed of two separate components. It's not a blue and mini parts, and NotPetya is a derivative of NotPetya in our way. The scale of blue is at least MSA in half a year. So, what I call the airport-ready radios distance with IP address clearing. The NotPetya attack in 18 minutes on the update, and the pink attack is also called the new boss. The NotPetya radiation monitoring units can go over the next time. So, the IP rate in industries, banks, metastasites and other crisis will also affect it. I don't know if you know the NotPetya, I think it hit around 10 billion in damages.

The initial label of ransomware, due to the ransom message that was displayed after accepting a suit, proving that NotPetya functioned more as a destructive right of care rather than actual ransomware. The attacking might need also to be a public holiday called false to people. NotPetya is a destructive and strike property, but mini-counter is also an active side of it. Which is interesting, because there is an insurance company called GERC that actually denied claims from hundreds of millions of dollars, because the claims they didn't ask for were because one of the few cops they asked for later was going to say they decided it was other way around.
And because the cyber war didn't fall under the curvy of the insurance policies, they took it to court, and I think just recently they settled, and I don't know what to sell them because it wasn't in the public.

So NotPetya overwrites and encrypts sector to the fiscal factor of the C volume, but it does not contain the ability to store the files, rendering recovery across the even if the ransom is full. This is why it is not a significant amount. Recently, when the API device is out of control, the malware is able to direct read and write access to the physical hard drive without interacting with the operating system. This allowed the code to determine the number of disks and partitions on the system, on mouth and mouth to the volume, even if it was used to determine the drive geometry of the drives on the system, the number of sectors, bytes and sectors. The malware uses the access to destroy data critical to the operating system. NotPetya also had the ability to replace the OSP order with custom code rather than the binary.

So the next attack I chose as well because it went after OT systems rather than the IC system. And so the colleague distribution company sustained a cyber attack in Western Ukraine on the 23rd of December 2015. Although the attack was triggered in 2015, it was carefully planned. Malware systems were compromised as early as eight months before. In the spring of 2015, a variety of BlackEnergy malware was triggered with a deployer from Krakatcha opened an Excel account of an email. If you don't know, BlackEnergy is a malware sweep that was first hit in the years of 2014, when it was used extensively to incorporate energy utilities. It's able to gather intelligence about the infrastructure networks to help prepare for future cyber attacks. For several months and weeks, summer of 2015, BlackEnergy malware was remotely controlled with black data called from one host to the other to detect vulnerabilities and even make its way out to all three networks.
And before that it was called a sweep afternoon. The afternoon two days after Christmas, stated by the operator, the mouse started to move on the HMI system, so that's the theme of the sweep interface. It starts switching off breakers now remotely. When the local operator kept it to regain control of the supervision interface, he was logged off; he could not log in again because the password had been changed. Additional malware, particularly for the custom developed export, is used to prevent operators from being able to control the network by wiping out, maybe just using filters. Overriding external to serial the infirmary with random codes, that's turning devices into physically trapped. But the attack was too fast to allow any reaction, and due to critical infrastructure environment, operator actions were cross-circuit. Therefore, they really could do anything because they had predefined actions in a lot of these places. And so the operator had to follow guidelines to take action, and if those actions don't include such things as cyber attacks, you're SOL. This is exactly the thing that happened in Ukraine.

So it's great to have SOPs, what we call standard operating procedures, but we also need to account for when those actions arise in SOPs, like the secondary attackers are possibly coming up in new ways, or talk about the new innovations, or SOPs be the kind of ways that adapt as well. Obvious actions could have stopped the attack, like I said, if those two are really standard ways of doing everything. So it could just, let's say, unplug the system.

Okay, so what do we know about the opinion operations? This is where my talk really came from, because I was really interested in how Ukraine was expected within days to fall to Russia, right? So no one expected to be here in 2020, and Russia's still fighting out both the cyber realm and the kinetic one. So why? I came up with two things in my mind.
One was the Russian actions failed to materialize in distribution of attacks, and Ukraine had better than expected defense. Most Russian digital attacks attempt to direct between the three immediately quickly, thanks to far-reaching Ukrainian monitoring, detection and response measures. Ukraine received also significant help from the West, both companies and governments. One side of the speech at the Mikhailovsky study reported what apparent weakness of the Russian cyber operations has been: the lack between the cyber and conventional attacks. On a calculate level, cyber attacks provide benefits for the other weapons, including conventional delivery systems, decision-guided divisions, unmanned aerial vehicles like the drone, or electronic warfare. The president of Ukraine had a better ability to deploy these recommendations. The combination of the crippled commanding networks and advanced military systems could contribute to additional deployment forces. However, when used in an ad hoc manner, or when unfolding air and ground actions, cyber attacks could last useful.

The one area Russia seems quite successful in, coming to that, has been what we call information warfare, the propaganda. They could go after more physical targets, but they would have to really do it in such a way that they could, like, convert information. And they must do it in such a way that they're careful, because Russia doesn't enjoy the reputation that Ukraine does. Ukraine has this aura about it, right? So they could do pretty much anything without getting behind the way, or Russia. They do something with the other deep trouble, especially if they start attacking the other country.

Another part of this, I don't know if anybody's heard of the ICRV, but Ukraine utilizes its ICRV concept, which is built off of volunteers. There's a lot of argument to get against it, but we'll get to that quickly or soon.
There's a lot of theories that they just keep Russia busy while being placed to focus on the defensive and offensive cyber operations. Any other action is just a bonus. That being said, they do have a standard, but there has been some criticism because they have gone after targets that maybe are not just military targets, just for the better. And the problem is it's only what people feel. So if you have a bunch of volunteers, how do you control them? And another aspect that you can think about is if you have a bunch of volunteers, you can also have some possible deniability with a bunch of volunteers. So you can remain at arm's length and have that possible deniability.

They have used Telegram to organize, and they also have this whole MSU. I don't know if anyone knows this library. They're not supposed to use it for nefarious purposes, of course. So the IT Army has a real engagement. But if you work with hackers at all, it's hard to control what they're doing. So it's better to say, here's a bunch of tools. Interestingly, at the beginning of the whole IT Army, they were just giving them a bunch of targets. And here, have fun. Now they've gone to the point where they're using the sender fairy dolls to build a bot, and you just have to connect with their bot and you can participate in their actions. As I said, the four people are just going after targets, and I have heard stories of people actually on their own, of stories going after things like O.C. Network, ICS, and taking out cars and various things. But before you do this, I have to say, we might be active in an active war, and we all know that's illegal, so I have to make sure that we do that. Before the IT Army, there was a doctor who was also doing some volunteer activity. Some of the tools, as I said, is the O.C. Dolls Framework, which forms the basis of a bot they built that the cyber army volunteers used to participate in efforts.
Not so shockingly, there have also been cases of Russia building tools and distributing them to partisans, if you will, and taking advantage of them that way. So you don't know maybe what to do in exactly the download of tools. There was some code being done.

Planning and watching the cyber attack. Let's shift our focus. We have heard a lot about what's happening in the past with some tactics, but what could be done? Most of us in the cyber world are well aware of the kill chain by Lockheed. There's also the MITRE ATT&CK framework, which is also a little bit more exhaustive, but to be used to defend. I use the cyber kill chain. Cyber generally doesn't happen in isolation, although the rule has been broken previously, like Stuxnet. Although with Stuxnet, there was a huge component on the ground with the fairies, because they had to get all that information prior to the actual event. But this is especially when you talk about critical infrastructure and other OT infrastructure. The amount of information that you need is hugely important.

Especially when we talk about critical infrastructure, cyber attacks that have the overall consequences, it wouldn't take much to cause harm, for example, dropping the water treatment or targeting a local hospital. Sure, there are signaling targets, but let's be serious, nation states might try a way that needs to be touched on already. What about motivated partisan groups or individuals or nation states that don't care about information before and as long as... There are two systems of why you're not going to defend it and why you're not going to protect it. With more data connected to the web, it's not inconceivable that a bad actor will target these systems, either inadvertently or advertently, targets millions, but it's shocking that it hasn't happened more than you've seen already. Attribution would be hard unless many features may not be detected for a long time before it's being immediately designed to target the attack.
Rolling out a series of attacks and making it innocuous enough to not create waves in most of the authority between the current scope of the attack is seen, so it takes time and organization, and all that is lacking is the current climate of the motivated party. Stagnating the attack would help to hide the true motivation or hindrance or attribution, out of some disinformation about who might be at fault, the blame, the official opposition, the fighting, and your own optimism.

The lessons for effective teams. For all of the thought and questions of the IT modern things, there's pity and ingenuity, but nevertheless, that's created a model for any kind of worker. For all of the tracking tricks, Miller's the perfect scope out, but Apple is an app for this strategy that we know. Coloring out the tracking tricks, there's belly pat, Twitter feeds, there's another one as well. It's a community term: Miller can not just democratize the cyber warfare, but it's democratizing war. Similar to partisan activity in World War II, but with large communication, a tool is organized to mobilize thousands. It would not be of interest to look at this issue in more depth with further research. Miller takes an attitude that the organizing teams will learn from the conflict and will be ready under a constant pressure that countries like industries suffer from talent shortages. For companies of origin that afford specialized units like the US Cyber Command, the premium model demonstrates a way to develop a cyber capability that can be strengthened and deployed. How do you train a tight line of critical, preference in the primary focus? You might be able to have, but you certainly can go to partnership of industry and government, or to build a network of tools and people to deploy and to stop the fuel.

Reaction and preparedness is definitely not a great quote, but after using cyber and tech preparation, this type of preparation is often anymore. Something happens when we react.
It's free planning for something that might happen. We let it happen and then we figure out what might happen again. So strategic planning: your team is tasked to infiltrate. So some takeaways. So your team is tasked to infiltrate a secure building. Now what do you know about the building? Access points. How about when the security goes to the bathroom, changes, shifts for example? Do we know what type of access systems they have? Can we spoof the method of entry? You need to know your enemy and target, no matter if you're attacking a country or planning. Recon is important in planning your staff's of their attack. We use frameworks for a reason. Run through your plan.

I go back to, I fight in Muay Thai. When we train for a fight, we train to fight in training. So you win the fight in training. Same thing with this. You prepare and prepare, prepare. You walk through what will happen at each stage of that attack. The interesting thing, even with knowing all that we know, teams and organizations appear to get it wrong more times than they get it right. If you're running an offensive team, take no practice. War games and blue team, red team exercises should not be just the purview of intelligence organizations and military. But I realize that that takes a lot of money, so you can do what we call in the security world a tabletop exercise or whiteboard tests. Walk through everything. There's no reason why an organization, even three people, can't walk through your attack steps and figure out what your adversary will be doing. Continue who your enemy attackers would be: power plants, maybe a target by terrorists; banks, by criminals. It doesn't matter what organization you're a part of, you are going to be attacked at some point. Even an insider. Disgruntled ex-employee, for example. It could take time and effort to step back and be in a system like an outsider, or even an insider who intends to harm.
One of the values of the tabletop exercise is to let players consider the system as a whole. Organization: without the idea who is doing what, the flow and tasking of your efforts will be haphazard at best. So we have a CTF going on this weekend; even with an eight-people team, if nobody knows what each other is doing or how they're doing it or what you're doing, you're not going to get anywhere. This goes to, we'll get to communication, so yeah, so when you're building teams and your organization has to be there: if you can't coordinate, you don't know what each other is doing, it's going to fall apart pretty quickly.

Talent management may not seem relevant, but if you don't utilize your people properly, no amount of team members will get the task done. You know, I have a thousand people, but if I was just sitting around collecting dust bunnies. I have seen team dynamics and lack of organization take down the smallest of teams, because people are not sure what to do and leaders don't delegate. Figure out what your people are good at and give them tasks. Keep to the chain of command in the event situation; this doesn't have to be your chain of command at your normal workplace, but have some structure in place at the event or at your assessment. But don't forget to listen to your experts. Right now, as I once mentioned, it's a huge topic; you can't specialize in everything.
Figure out what your people are good at, give them tasks, keep to the chain of command. This leads to communication: how do we pass up and down information? And this of course leads into the topic of OPSEC. So when we talk about OPSEC, there's a well-known story, I don't know if you're a fan of cryptography, but when they broke Enigma, they couldn't actually use the Enigma to the extent that everybody wanted. What happens whenever everyone knows what you know? People stop using that tool, right? So this is sort of the same thing with cyber. You gotta plan if you have these attacks, and you know you have these attacks, let's say you have a zero day, which I hope nobody hasn't, not keeping it to themselves, but if you do, you would want to use it at once, because then that whole idea of having that, people know you have it, it's gone, that advantage is gone. So this OPSEC applies to both cyber exercises as well as security assessments.

And so yeah, so one of the other things, when we get into talking about when to use these attacks, is this idea of probability and what's called strategic randomness. So again, you gotta use it, you gotta attack somebody, you gotta make it so it's plausible that it's not yourself doing the attack.

So I lean on the side, so when it comes to Russia, I lean on the side why they haven't done so well as they have, is I lean on the side of tactical coordination: Russia's military and intelligence organizations not coordinating. As we know, large organizations ought to get in the way and are paralyzed by bureaucracy. This is one of the advantages I think Ukraine had, is this sort of ad hoc ragtag team, sort of that ground fighting attitude, and because they don't have this big organization. Apparently, before all these attacks happened, they didn't really have any cyber capacity within their organizations already. And as we all know, large organizations get in the way and are paralyzed by bureaucracy. So you might not, you might be in a situation where you might not know. In terms of another
aspect we need to talk about is tooling. So you might be in a position where you don't know what you're using in an event. This happens quite often: when you go to an event, you don't know what you're doing, but you'll have a set of tooling, and this is very important, to set up your tooling before you go. A lot of organizations, if you work in a big organization, you might not have a choice of tools. So if you're going to an assessment, you might be stuck on something because that's proprietary, that's what you use, so stick to it. It's unfortunate, but it happens. I don't think it should happen, because you should use tools to match your task. As always, it's like this one of the most famous questions of programming languages: what's the best programming language? Come on, what's the best programming language? Right, it's Python, right? Who uses Python? I don't think so, I'd like to see. So there you go. So you know this pain. I could make a whole talk out of the scope of the session. I doubt to blend in tooling is something to address. So yeah, don't let your tools dictate what you do; let what you do dictate your tooling.

Before moving on, I would like to address the human element. The building effect of teams is a huge topic, but does need to be addressed briefly here. We must build teams that are mixed in every way, both in skills and makeup, to think like the attacker and to find ways to attack and achieve our objectives. As offensive folks, you need team members that have different skill sets and viewpoints to complement the team. Obviously, you can't have everybody who is good at one thing. So if you have somebody who is really good at malware, writing malware, what's the point of having a really good malware person if you can't have somebody who knows how to get somebody to click on that link? It's not effective anymore.

So unfortunately I think my time is coming to a quick end, maybe, so I have a few final points just to go over. Never underestimate your adversary. It is
a massive mistake Russia's made and organizations continually make. Plan for the worst, hope for the best. Over plan. Run your worst case scenario as defenders; if on the offensive side, run through your workflow for your attack, both cyber and non-cyber aspects. The Ukrainian conflict will leave a lasting impact on the cyber world. The lessons learned will be important going forward, and not only at the nation-state level but also for individual NGOs and companies. And that's all I have for planned content, so I think I have some time for questions.

So we do have, we have time for questions, so feel free to use the QR code that may or may not be appearing somewhere such as on the stage, and I'm happy to read some questions out, or since we don't have any yet, if anyone wants to jump in and say something you can do so and I will translate for the stream. No questions. Thank you, thanks so much. Please come talk to Sarah afterwards if you're too shy to ask in front of everyone. We're going to take about a 10 minute break and then we'll be back.

Okay, and we're back. Welcome everyone. So I'm super excited to have Suchakra Sharma on the stage. He is a repeat speaker, we know him well. He's the chief scientist at Privado, where he helps build code analysis tools for data privacy and data security. He completed his PhD in computer engineering from Polytechnique, where he worked on eBPF technology and hardware-assisted tracing techniques for OS analysis. For the last six years Suchakra has been working on enhancing static analysis tooling for fixing security bugs at scale, and he is also quite a prolific conference speaker, including NorthSec. Thank you so much.

Hey everyone, so thanks a lot for this very lofty introduction, you know, but it's just me and my humble moustache. Okay, so I welcome you to this talk. We're going to discuss a lot of concepts which have not been discussed in privacy before, and I guess it would be one of the first times we are going to do a deep dive into it, and just let's get into it then. So I'm
this guy, you know about this, so no need to read this. Privacy in modern times is actually something like this, you know: yes, I agree and you sign up your soul, or you burn your money and go to the Himalayas. There's no choice in between at this time. And why do people feel like this is because they see a few things. They see the mistakes every day, they see news items like this: Twitter advising all 330 million users to change their passwords; gas state agency in India leaks millions of Aadhaar numbers. Aadhaar is like a SIN number here, so it's like that. And all of these things, when you go to the root of it, is very basic. For Twitter it was actually plain-text passwords in logs, something as simple as that. And for this it was an unauthenticated endpoint which was leaking PII; you could just go and do the increment-id thing and get all the information.

So the other reason is that people know about this also now. They did not used to know this dark cloud in between, but now they know that there are data brokers. You trust a few of the services, you put all your data there, some services you don't know if you should trust or not, but I guess maybe just give some info to them, and then it goes on, everything gets collected, and suddenly there is the service which has everything about you. You never even expected this random ABC-numbered corporation having all this information about you, but they have it, and people know about this now. So they are worried, they are genuinely worried. It's very difficult to solve these problems because there are economic incentives around them, because some businesses are only going to run if they take in your data, but some legitimate businesses, they have to actually solve this stuff.

So the theater of security and privacy looks like this right now, and I will start from the perspective of privacy. We will see the CISO's mind. It's kind of like this, it's not blank, we are going to fill this. So I think the first thing is like this: RSA, Log4j, big ticket items, they
really are worried about all of that stuff but then behind there is something else also in the back of the mind it's important for them to understand what's going on so we will zoom into it and then we see that they know about some bugs which are going to own them somebody must have mentioned them in some board meeting a guy walking past so they are worried about them also it's not like they are not worried about it and at the same time there is another human they know about and this human is that sharply dressed colleague which they have and they have the CIPPE etc. on LinkedIn this person is the privacy officer the chief privacy officer so we start looking at their mind also and the chief privacy officer is worried about GDPR you talk to chief privacy officers is my stuff GDPR compliant or not or like CCPA they also worry about some conferences like IAPPA organizations like that and then compliance DSAR is the data fine they are worried about that and then there is this nagging question that they always have so on parallel to a privacy policy we say that we don't collect precise location but on the random channel I saw this map of our customers doing SBB bank runs and people were joking about it so how did this information go there so I think they are worried about stuff but they just don't know exactly how to tackle it but there are reasons for it and during my movement from security and privacy and security all together throughout these years I have realized that privacy operations work like this there are three buckets of people who touch privacy essentially so I think the first is the lawyers on the site they do high level GDPR type mandates they are very important they are more reactive so they look at privacy events very carefully on what has happened what is going to happen and they have a very compliance kind of mindset are we compliant with this law is it fine at all this is very important for large organization to run efficiently not get into trouble 
and then they also rely very deeply with security data privacy operations which actually own and putting those laws in action they are tracking all the changes flows to all the data inside the org run privacy assessments data subject access request these are all these terms you are going to hear in privacy they come from a very safety kind of mindset we have a responsibility to safeguard the data that is coming in and then on the other side are developers they are very decoupled from other orgs as I have observed these are the people who will actually solve a problem so if some change has to be done in the code to keep the app safe to implement privacy respecting features in it it goes to them so really the problem the solution of the problem is there and then a lot of people are revolving around these buckets gathering or not having the developers get into the I would say the same table I would say they are common grounds in security and privacy you know I tried to put them in this nice Venn Diagram because Venn Diagrams always look cool so security folks you know you can see they care about injection or bypass network stuff some CWCW they care about path traversal I guess and then they also care about some other stuff they care about data security and sensitive data leaks there is a huge whole section about that like CW200 they care about information leaks it's not like they don't care about it but they look at this from their angle as if it's one of the points inside the thing that we have to fix and we are done the other folks privacy folks care about a lot of other things that these folks don't know about at all like DSAR, DPI privacy impact assessments privacy impact assessments are run on spreadsheets right now in a lot of organizations I've talked to a lot of organizations to folks working in in for sake they would think how can you run a whole thing like this you know like a provable thing where sensitive data like are you recording precise location it 
takes like two to three months for them to get this information from engineers it's weird but this is really what happens so they care about this and there is a common ground that is there the goal is that we need to understand that common ground so right now the pull is too much on the other sides but you know eventually we are going to fix this so the conundrum is like this there is a lot of code it produces a lot of data so the data that is coming in all these databases going from one place to another place going in the log getting leaked somewhere it's coming from code code is responsible for that and privacy operation is like someone with a broom trying to brush this water spilling on the surface you know it's not going to work they try their best and going a little bit deep this is kind of like an example of an actual code where you can see that there is username it's something that is coming from the user and eventually if you look at the code you will see that it gets logged you know in a log and in reality what's going to happen because I've seen some operations inside is they go to some 10 databases here and there one other log service running somewhere else and then some innocent human who never even cared about it they have access to it and they just don't tell anybody because they don't care about it but technically it is bad because that's data that gets leaked and it's in front of someone who should not have it so privacy operations are going to look at many places and trying to understand this they will look at databases some databases if they find private information there but the reality is that the developer really knows where this data is how we put them there so there is an opportunity here to try to fix it at the left layer and this is the whole thesis of this talk we haven't even begun so we'll begin and the thesis is that if we can analyze code properly we might be able to fix a lot of vulnerabilities that are in security and also at the 
intersection of privacy, so making everyone happy. So the goal is to develop privacy tools for developers and engineers; we'll see how we can build them. We use a technique called static analysis, an age-old technique; we'll see how it works. Static analysis is analysis of a program or a piece of software before it even runs, and then predicting what's going to happen when it runs. That's what it is. You have to understand a few concepts. Sources: if you look on the right-hand side, interesting points where the data can begin. So here is data coming inside this little function, and then trying to track it all the way to a sink, tainting it all the way, so that you can do a nice data-flow analysis. So these are some concepts you will have to remember: sources, sinks, taints and data flow. And why we try to do this is because this is how humans understand code; we also understand it like that. When I told you about this piece of code, you started looking in your head at HTTP, then seeing okay, it goes to location and then it goes here. Computers also understand it exactly like that, so why not just leverage this? That's kind of the thesis behind this.

Looking at the same piece of code, this is how you would think inside your head: you would look at this HTTP variable, you would tag it in your head, you would mark it as a source and then try to see where it is going, and then see it goes to an info. Then you try to look at what the type of this info is: okay, this looks like the logger from Apache Log4j, okay, this is interesting for me, I should start tracking it. So after this mapping has been done you can ask this question; this is your goal when you try to analyze software: find a flow from a variable which is PII geolocation to the sink, the log function of the package apache log4j. So you might have this thinking in your head trying to understand a piece of code, and that's what you do mentally. So the goal of static analysis is to try to model this using computers. We have been doing this for ages; compilers have been doing half of this work all the time, so we are just going to leverage that.

Why should we do this? Because code is actually the true container, producer and mover of data, so why not just analyze data from that layer rather than just looking at it when it gets stored somewhere? We can find bugs early in the software development life cycle, try to fix things very early rather than being reactive and trying to look at things at run time. So how do we do this? Before we do this we'll have to do a deep dive and understand what code even is. Existential questions like this in computer science can be solved by complex things like this. I'm not going to go through the whole of it, but essentially what you need to know is that this is how computers are going to understand this little line, int y = x + 50: it converts it into this nice tree format, just remember the name AST, and then eventually through this AST we are able to get this control flow graph on the right-hand side, how control passes between different points inside the application, inside the function. Remember we are not even executing anything; it's just statically analyzing the whole piece of code and trying to understand that. And take good note of this yellow thing there, orange thing, so that's essentially where our data is. With this information embedded in these nice trees and graphs that you see, we are able to get a dependence tree, so that we know that the value of z depends on the value of y, which depends on the value of x. By doing this you can see where we are heading: we are eventually building a data flow of a complete application.

But programs are more complex, they are not single lines of code. Real programs look like this, and they have more abstractions in them. There are classes and types which have been introduced; a variable can be a member variable, it can be a local variable; there is a package now, or namespace, based on what language you have; procedures, functions, methods, these are all variants of things. So we have these new abstractions that have been added, and then there is a relationship between them. For example, this method get patient that you saw before is defined in this class patient, it is another variable, and the method also contains a call which is find body. So you can see programs will become huge when you convert them to a graphical format, and that is essentially what we try to achieve. To embed all this information, the abstract syntax tree, the information about calls, the information about data flow, we use an approach of building a graph, like a massive graph which has all this information, and the base layer of that would be an abstract syntax tree. So it is a tree which has all the little information about, for example here, y = x + 50; this kind of information is embedded in a graph like that. We will have that information of the whole code embedded as one of the base layers, and then we enhance it; we try to build more information over it, so we have control-flow and data-flow information over it, and then eventually build more information over it where we can ask a human kind of question: okay, give me all the methods which have "patient" in their name. This kind of information is now embedded because we have this nice graph. This whole thing is called a code property graph. A colleague of mine invented this; you can go on the Wikipedia article and read about it. So a big graph, and it's a queryable graph: you can query it and ask questions. So languages, whatever code is written in, different languages, that's the front end, and the front end creates this nice graph, and then you can query the graph using a query engine. In the real world, how you can operationalize this is: there is a Java app you have, and then it converts to this graph, and then you have this question, a human-like question that you had, you can ask this question and then the graph returns it, says okay, I found one flow, starts from HTTP, ends at the first parameter of info on this line in this file. So you have a lot of this information embedded completely in it.

How can we use this? What if we could run thousands of these queries on millions of lines of code? Okay, it's not AI, it's just simple stuff; we're not going to do a lot of LLM/AI stuff, it's very simple: thousands of these queries, formulate these nice queries and run them on millions and millions of lines of code. It's going to throw out interesting flows which you can see, which are provable, that this data went from here and ended up there. So that's essentially the way we can solve this, and to do this we built this tool called Privado, which is scaling static analysis tuned specifically for privacy. Privado is open source; there are three components of it, three repos: privado, privado-core and privado-cli. There are rules which are defined in nice YAMLs, very easy to remember, very straightforward. The engine generates the CPG, converts these rules to actual queries, so these millions of queries, and then runs these queries on a lot of code, and then you can view the results: by default there's a JSON and something on the CLI, but you can also visualize it on a community dashboard that we have. Privado is LGPL, so you can download and play with this. How does this work? Source code converts to this graph we talked about, YAML rules query it, and then results, as I just told you. You get something like this: five flows where data is flowing to AWS S3; you can read these kinds of sinks in the system, so it's flowing to a DB, it's written to a file, and then you can go through the system and understand where the data is exactly going. So you can try this out; there's a simple command here to
try this out (you should not do this, because...) and then you can just run privado scan. We'll go to a demo now. I hope the demo works, because we should start praying to the demo gods now. The system is set up here, it's very simple. I think I should make this a bit smaller, I guess. Is this good? Okay, can everyone see this? Awesome. Okay, I need two hands but one is occupied, so the brain has to think. Okay, so I have some commands already added. It says privado scan banking system backend. Banking system backend is a repo; it has some sensitive data, and then we'll try to discover if it flows somewhere. I've already scanned it, so I know what happens, but it's for you to see what happens. So let's run this. Privado is packaged in a Docker container, so this is running here. You can see that we detected that the language is Java. It looks at configuration, it's trying to download some dependencies which might be there, so for example imports etc. that you do in Java, it's trying to understand all of that, and then it will start parsing source code. Static analysis takes time, so it's going to take time, but surprisingly it's very fast. I was told that some organizations doing static analysis used to run this stuff on weekends, and then on Monday they would come back with thousands of things in the list, and I never understood how people can do this, but this is pretty fast for the size of this code. So we ran a lot of passes over this graph (people working in compilers would understand what passes are), and we were able to detect a lot of things related to privacy here. You can see there are some data elements: we have 11 data elements total, one third party, and two storages, and then information about those data elements. They are also classified; we have a way to classify those data elements. You can see we have some passport information, age, phone number, date of birth, and where it is going. For example, date of birth is getting collected in these routes; it is also going to this database, HDFC bank one (we understood that because this information was in the configuration for some things). We can also detect third parties, so this is getting shared to this Fast2SMS thing. And then there is a nice dashboard to view this also; I will try to open it, let's see. Okay, so this is how it looks: you have these data elements on the left side and then you see data going all the way on the right side. Here we can see phone number, we were looking at phone number, we can see where phone number went: it was getting shared to Fast2SMS, it goes into the storage, and then you can click on code analysis and see this literally line by line, how this was going from one place to another. Eventually you can see you created a URL connection, and maybe the string in the URL was Fast2SMS, and that's how it detected that essentially you made a call to that, and the phone number was a part of that message that went there. So this is an example. Contrary to a lot of what people say, I find this thing very interesting; stuff going into logs is one of the interesting things that I find here. So that brings me to the end of the demo. You can try to play around with it with your own repos also; try with Java. Python is also there (Python is beta at this time) and JS is also beta, but I think Java is working very well, so please play around with this.

Where do we go next? If someone asked me what we should do in privacy, this would be something very golden for me: the privacy policy, very high-level stuff that the lawyer folks would understand much better, with the CIPP stuff on LinkedIn; we want to understand how they translate to GDPR violations, GDPR or any other laws. GDPR is kind of a larger term that I'm using for CCPA or any other kind, PIPEDA for Canada, these kinds of regulations which are there. So any violation connected with the policy that you already have in your organization, and then an actual bug inside the code: this would be the golden, kind of like the holy grail of getting privacy done properly. It's very difficult to do this; you can do half of it, you can do one piece of it, but through and through it's very difficult. But I'm trying. There's a research paper below, you can see this; it has been talking about a very similar approach and they're also doing something like that. And then find these exact privacy violations and suggest some automated ways to fix them; we can definitely leverage AI, or the advances in AI right now, for that. I think the time is there, the models are just not yet there, but I think they are almost there. And then build a complete organizational data flow, not just by analyzing code but also databases, APIs, documents, or your complete infrastructure, so a large, complete map of where data can start from and where it can go, just by scanning all these individual components. Till now we have been scanning some DBs here, and then someone looks at a document, puts it in a spreadsheet and sends it to somebody else; a lot of manual processes going on right now. We can do everything by just scanning all of these pieces one by one and then correlating them. That would be pretty interesting.

Okay, I think we are almost at the end of this. So the last comment which I would want to say: if your clothes had as much value as your private information, I can bet some privacy policy would be there, and they won't mind asking you to send them your information before you order a cab. I mean, this is the state that we are in right now related to privacy, so please take care of your private information. That's all I would say. Here are some additional links for docs, rules, engine for Privado. I also recommend you read the NIST Privacy Framework, and not just the security one, the privacy one here. And there's a tool by Microsoft, the Data Protection Mapping Framework, which maps all these different... we all know the MITRE ATT&CK framework or OWASP Top 10 etc., in security we know this, but in privacy there is an effort to map all these different kinds of standards onto each other, so that's essentially what this is. Okay, and so, questions.

Okay, so let's start with... ah, there we go, amazing, magic. "Do you think this approach can encourage organizations to retain PII in a dangerous way, and should we focus on privacy by design?" Good question. I think this is actual privacy by design. I mean, yes, they are retaining your information anyway. You would be surprised to know how much information they retain on you, and you'll be surprised to know that they have no clue what to do with this. So they are already retaining it; there's no question about it. And when someone says that we are not going to collect this, or we are compliant with this, I think I can bet, I don't know, maybe it's too dangerous, but I will still bet that they have your information somewhere in some of the databases and they don't know about it. So they are not wrong in it, it's just that they don't know about it. But since they are collecting it anyway through these various means (the marketing person came in and said I need this thing in the analytics, can you put it in; nobody else knows what they asked and where the data is going), the better thing is to have an understanding that it is going there and then stop it. So this, I believe, is a way to do privacy by design: by doing static analysis of code and actually understanding where it's exactly going. Does that answer the question, or was I just going on, beating about the bush? We will never know if the person who asked the question is actually in the room. Any other questions? I'm not seeing anything popping up yet. Oh, never
mind, that is a lie. So here we go: "How is it even possible for this kind of analysis to help with the confused deputy problem, your example of the incrementing ID revealing Aadhaar numbers?" Can you remind me of the confused deputy problem? Alright, audience, I don't know the confused deputy problem, so I'm lost. Okay, got it. So I think when you actually do code analysis and try to understand how this information was collected, for example let's take the Aadhaar number: if you look at the system you will see that the Aadhaar number was collected in this certain variable, and we see that it went all the way here to populate this template in this JSX file, and here it was going. You would actually have a complete flow of where the data went to, and if in between that there was no check or authentication, you can actually prove and find that this was missing, this authentication was missing, so this person is not authorized to view it. So you can find it. I mean, obviously the flow is supposed to be there, it's data from somewhere and it's supposed to be shown on the site, but if it's not authenticated you can prove that this was not authenticated, so it's a violation. Okay, and we've got another one, let's see: "Won't companies actually want to stay away from tools like yours so that they can keep claiming that they did not know?" 100%, 100% they want to be away from us as much as possible, but 100% they will be slapped with like a $60 million fine, because like last week there were three in the EU. The EU is very strict on this right now; in the last two years they have started clearing court cases which had been pending for quite some time, and they are going to get fined. So it's the same thing that happens in cyber security, fear-driven fixes, which should not be there; people should intrinsically be motivated to not leak information, but they don't do it. So the other approach is they'll get fined and then they will come to us to either detect where the issue was, or bake in privacy by design the way it is supposed to be. But I would not be too pessimistic about it, because I'm interacting with a lot of companies and they are really coming to us from an engineering perspective. For the first time, I never experienced this before, a large organization coming to us and saying, oh, we know that all of the stuff is fine with us, but we actually want to bake in privacy by design. So it's a new thing, and privacy by design, and these techniques being pioneered here itself in Canada, I mean, it's a big thing. Alright, going once, going twice. Alright, I think we got... thank you so much, Sushakra, appreciate your time. Back for the next presentation, which is the last of the day. Well, there's the NorthSec 10 years panel and then there's a cocktail, but the last in this room.

Alright, we're good to go, so we're going to get started with the last talk of this track. We've got some guests today who came from halfway across the world. Up on stage we have Vahagen Vardhanyan, CEO of RedRays, and his expertise includes protecting vital business applications including ERP, CRM, SRM, banking and processing software. He's a well-known authority on enterprise application security, including SAP and Oracle; he's published many vulnerabilities and speaks regularly at conferences across the world, as we can see. Special thanks to these folks for making it here, and as you can see the youngest team member is over here, and really awesome, so thanks a lot.

Hello, I'm excited to share my presentation with you today, which is focused on vulnerability chains in SAP software, and today I will demonstrate how it is possible to escalate privileges in SAP and jump from on-premises networks to the SAP cloud. Here is our agenda, and I think it will help you to understand the flow of our presentation. My name is Vahagen, I'm CTO of RedRays, and
Arpiné she's a CEO of RedRays a few words about RedRays RedRays is a research and development center in Armenia we founded two years ago and since 2021 we discovered over 50 zero days in enterprise softwares especially SAP Oracle etc so what is SAP? SAP is a multinational software corporation that specialized in enterprise softwares development including enterprise resource planning softwares and ERP softwares is used by businesses of all the size of our softwares all industries to manage today operations a short story of the research last year one of our customer requested us to analyze their SAP landscape the SAP landscape was very hard but here I wanted to show a very simple network structure the customer give us an access as a regular user in the user space and the request was hey guys is it possible to find out some vulnerabilities or is it possible to get information from SAP cloud from the user user environments user network environments so we started to analyze and first of all we built this map as you can see we split the map by three parts the first one is a user environment the second one is on promises SAP servers environment and the third one is SAP cloud environment the end users didn't have access to the SAP cloud directly so they have connection only to the SAP servers on a promises network but the main components was cloud connector that was connected to the SAP cloud and was connected to another SAP in on promises so it means that if you would like to compromise the SAP cloud or get information in SAP cloud we should compromise the SAP cloud connector but to compromise SAP cloud connector we should compromise the SAP servers so we need to jump there and in the cloud okay when we are compromising the SAP servers usually we can have four type of access the first access it can be admin user in SAP application and the second one we can get access to the SAP database the third one is vulnerability or access when we can read files from the SAP 
application using some directory traversal just for example or we can execute some code or command in SAP servers okay before we will I will demonstrate vulnerability that all the vulnerabilities have been discovered by RedRace during the data assessment only except one the CVE from 2021 we just arrested it and all the screenshots that I will demonstrate I will show you it's from RedRace demo server I think you can understand that I can show the screenshots from our customer servers okay so first of all we analyzed the SAP applications and as the our customer was from Gas and Toil industry we saw that he used SAP manufacturing execution model the SAP manufacturing execution model is using in many many industries and the SAP model is a Java application that is deploying in Java stacks application Java stacks so as the RedRace is a partner of SAP we could download that component and we started to analyze to discover some vulnerabilities there we had a low privilege user and we during the research we we in the SAP component and as you can see from the this line the script is receiving file path some file path parameter and using file path parameter value he's reading the file and he's printing that content of the file and the payload of the execution is here and I'm showing this payload here the first time after the fixing so right now we have access to the SAP application server as I mean we can read the files from the SAP application then we need to escalate our privileges in SAP to get access to another levels the privilege escalation number one the main thing is that SAP is towards some critical information in the file system and on this screenshot you can see two files sex store.properties sex store.key sex store.properties file contains in encrypted mode application admin password and gdbc connection string with user name and password as we are in the SAP cybersecurity industry over 10 years we know the encryption algorithm and of course we know we have the key 
of the encryption and the encryption algorithm is the triple S we decrypted and we got the SAP admin application password here and gdbc connection string okay so right now we have admin user of SAP application and we could connect to the SAP database so what's next we need to if you remember the network map we should compromise the SAP cloud we try to escalate our privileges again we escalate privileges by two ways I will show you here the first way because the second way still is not fixed by SAP and I could show it here you can we analyzed the exist other vulnerabilities and we found cv 2021 from 2021 and as you can see from the screenshot for execution this vulnerability you need to have privilege high but we already have it okay so if the SAP admins is not updated this component it means that we can execute this vulnerability also again we download this component we made a diff and we found that the SAP fixed the vulnerability in handle safe function by uploading some file and they are checking .gsp in low case and .gsp in uppercase file extension a small tip tip and trick from me if you have some java application and you are trying to upload the gsp file and java application is telling you hey you can't upload .gsp try to upload with uppercase it can be work using that information of the vulnerability server let name, function and others we build the proof of concept and again I'm showing the proof of concept first time after the fixing and we send the following HTTP request to the SAP server and it works it works sorry here we can see that we executed the task list command and right now we can execute the command in the SAP servers but if you see the screenshot on the shell script is not displaying the user name of soft processes it means that the user which running our shell script doesn't have enough privileges to show that info so what we need to do we need to escalate privileges again after we started to analyze the SAP processes by process hacker and we 
discovered three processes running under the SYSTEM user. For us, the interesting ones were the following processes: SAP host exec and SAP OS call exec. We used Process Monitor for tracking the activities of those processes, and we started to analyze and track what kind of files they are creating, executing, modifying, etc. We saw that there are a few activities, but the most interesting was that the SAP host exec process executes the SAP CIMB.exe process every two minutes. After analyzing the permissions of that file, we found out that many users, sorry, any user of the operating system of the SAP server could delete that file, by that name, in that folder.

So what we did: we created a shell code in .NET, built it and uploaded it to the Windows machine. The shell code should open port 444, listen on any interface, and when it received commands it should execute that command via cmd. We uploaded that file and replaced the SAP CIMB.exe file, and it worked: SAP host exec executed our shell file. And I don't know why, I don't know what was wrong, but our shell file has been signed by SAP SE. Maybe it came from SAP, maybe it's a bug in Process Hacker, I need to investigate, but you can see in the screenshot that our shell has been signed. So after executing netcat you can see that the port has been opened, and we could connect to that shell and execute my command. That's it.

But again, you remember that we should compromise the SAP cloud, right? We needed to jump to one of the SAP servers here, from SAP Java to the cloud connector. To do that we decided to dump the memory of LSASS. Our customer said that we couldn't; as we are SYSTEM we could disable the Microsoft antivirus and use Mimikatz there, but he said we couldn't disable the antivirus, and we couldn't extract the dump to our Windows machine to analyze that dump. So we had only one other way: we downloaded SharpMiniDump from GitHub and built that program to dump the memory of the LSASS process. But of course this program is detected by antivirus, by any antivirus, including Microsoft antivirus. We modified that file, the source code of SharpMiniDump; we modified it, we replaced some strings, we replaced strings by Charcerize, we compiled it again, and again it has been detected by Microsoft antivirus. And you know, the bypass was so beautiful: we just set the file extension to one that has been registered on the Windows machine, and we executed it by cmd, "C mini dump bypass ms.exe.pp", and it has been executed and it dumped the passwords and hashes of the processes. So after that we had the admin users and passwords from the application and from the operating system, and now we should jump to the SAP cloud connector.

And you know how we jumped? It was so easy, because in the landscape there were over 100 SAP servers, and the SAP admin had set the same passwords for all the SAP servers in the landscape. So we jumped to the SAP cloud connector: we connected to the SAP cloud connector by SSH and started to analyze the system. As the SAP CC is based on Apache Tomcat, the password was in the users.xml file, in hashed mode. So we continued to analyze the system to get other ways how it's possible to discover the password. We found the SAP SSFS file; SSFS is the modern SAP secure storage, and we should try to analyze this secure storage. After some researching of the SSFS structure for SAP CC, we found that the SAP CC SSFS contains, should contain, the following properties. But the encryption algorithm has been written in binary files, and traversing those binary files takes a long time for us, so we chose another way. We saw that there is a LEAP SAP SSC20 GNI.SO file, and that file had one exported function, sec store access get record. What we did: we just used that .SO library as a native function, we used that function in our mini Java code, and as arguments we passed the properties that we discovered, this one and this one, and we got the password for the Java key storage, the password for the SAP cloud connector.

So what next? We opened the SAP cloud connector UI and logged in there, and now we can manage the SAP connections: we can move the traffic from the cloud to our servers, or we can move traffic from on-premises systems to ours, to another server of ours; we can manage the traffic, we can listen to the traffic, we can discover some private info, etc. So as a conclusion: the SAP admins should install the SAP security notes that we discovered, and they shouldn't use the same password for the SAP operating systems, they shouldn't use different passwords for different systems. I know it can be so hard for the admins, but it's the one way of protecting the SAP servers from a password reuse attack. So that's it, thank you. If you have any questions...

All right folks, you know how this works at this point: priority to anyone who submits via Slido. We'll also give it a couple of minutes, and if anyone is feeling brave you can also ask and I will repeat the question. As I refresh, it's supposed to be real-time, it's not that real-time. No one with questions? We'll call it a day shortly. All right, I guess we're done with this track for the day. Thank you again so much, it's a pleasure having you, and thanks for walking us through that, that was excellent.
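The first foothold in the talk rested on two things an administrator can check: a binary that a SYSTEM-level scheduler runs every two minutes sat in a folder any user could write to, and nobody noticed when it was swapped. The following is an added example, not code from the talk or from SAP: a small Python audit that records a SHA-256 baseline for the executables in a service directory, reports anything modified, added or removed on later runs, and lists executables the current account could overwrite or delete. The directory path, file names and the `run_demo` helper are hypothetical; on Windows, `os.access` only reflects the read-only attribute, not the ACL, so run the write check as the low-privileged account you are worried about or confirm with `icacls`.

```python
"""Integrity and write-permission audit for a directory of service
executables (added example; directory and file names are hypothetical)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".so", ".bat", ".cmd", ".ps1"}


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(directory):
    """Map relative path -> sha256 for every executable under directory."""
    directory = Path(directory)
    baseline = {}
    for p in directory.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            baseline[str(p.relative_to(directory))] = sha256_of(p)
    return baseline


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare_to_baseline(directory, baseline):
    """Return which executables changed since the baseline was recorded."""
    current = build_baseline(directory)
    return {
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def writable_executables(directory):
    """Executables the *current* account can overwrite, or delete and replace
    because the parent directory is writable. Run as the low-privileged
    account that should have no rights here; any hit is a binary a lower
    privileged user could swap before a privileged scheduler runs it.
    Caveat: on Windows os.access checks the read-only attribute, not ACLs."""
    directory = Path(directory)
    findings = []
    for p in directory.rglob("*"):
        if not (p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES):
            continue
        reasons = []
        if os.access(p, os.W_OK):
            reasons.append("file writable")
        if os.access(p.parent, os.W_OK):
            reasons.append("parent directory writable (file can be deleted/replaced)")
        if reasons:
            findings.append((str(p.relative_to(directory)), reasons))
    return findings


def run_demo():
    """Constructed scenario in a temp directory: baseline, then one binary
    is modified, one added, one removed, and the audit reports all three."""
    work = Path(tempfile.mkdtemp(prefix="svc_audit_"))
    (work / "scheduler.exe").write_bytes(b"original scheduler build")
    (work / "helper.dll").write_bytes(b"original helper build")
    (work / "readme.txt").write_bytes(b"not an executable, ignored")
    baseline = build_baseline(work)
    save_baseline(baseline, work / "baseline.json")

    # Simulate tampering after the baseline was taken.
    (work / "scheduler.exe").write_bytes(b"replaced by someone else")
    (work / "dropped.exe").write_bytes(b"new unexpected binary")
    (work / "helper.dll").unlink()

    return {
        "baseline_files": sorted(baseline),
        "diff": compare_to_baseline(work, load_baseline(work / "baseline.json")),
        "writable": [name for name, _ in writable_executables(work)],
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Schedule the comparison from a privileged context (the same one that runs the service) and alert on any non-empty `modified`, `added` or `removed` list; the write check is most meaningful when executed as an ordinary user, since a clean result there is exactly the condition that would have stopped the replacement described in the talk.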
