talented people, listen to so many good talks. Got Robert, the car hacking extraordinaire, over here that's just hanging out; that's kind of cool. Michael Ossmann is here, like, the dude that created HackRF. I hung out with a hacker last night, most of you probably don't know, and I'm like a fanboy of this guy, and he just kind of showed up and I'm like, holy shit. So having a really good time, so we're going to do a toast. I'm probably the only guy here with alcohol in the morning. So shout out to Keila, but thanks for having me, and cheers. Red team. Alright, so as you can see, my talk's gonna be a little suspenseful. So Halloween back in 2018, two Black Hills security researchers, Beau Bullock and Michael Felch, disclosed to Google, step by step, how anybody with a Gmail account could inject an event into anyone else's Google Calendar as accepted, via the Google API. Google calls it a feature; as a red teamer, I totally agree with that. So a year later it's still not fixed, and this is why I entitled my talk "What the fuck, Google? How is this still not fixed?" But really, no, my talk is actually on calishing. A little bit about who I am. Again, I'm Antonio Piazza, I go by Tony. Ant-Man's been my handle for a long time. I'm an offensive security engineer at Box out of Austin, Texas. I started my career doing this social engineering thing way back when I got my psychology degree from Ohio State. Then I went to the Army and was a 35 Mike human intelligence collector slash interrogator in Iraq, slash professional liar, slash lie detector. So later I decided to kind of get a computer science degree and translated this all over and, you know, have fun doing social engineering. So a little bit of an update: back around DerbyCon time, Forbes wrote up this really nice article for Google and said, hey, they're working on this, they're aware of this, based solely on this one forum post from a Google employee that said they're working on this.
No interviewing anyone, and I'm a little bit of a conspiracy theorist; I don't know how much weight this would hold, but cool, Google's working on it. Just going to kind of skip through the agenda. I did this talk a few times; it's much longer. My demo is going to be much shorter here. So what is calishing? Well, I made up the word and I put it on Urban Dictionary, so it's legit now. I have many more upvotes, and a bunch of trolls downvoting me too, than from when I took this screenshot. But yeah, it's just basically phishing using a calendar, and in this case Google Calendar. Yeah, so used in a sentence: "This Google Calendar event is likely a calishing scam," and "I'm going to calish these fools and get a shell on their Mac." Alright, why is this talk relevant to red and blue teamers? Well, let's start with red. It's super effective and super easy to do. So if you're working on an in-house red team for a corporation that has sales, client-facing sales or support, they put a lot of stuff on their Google calendars, right, especially since, obviously, they're using G Suite. They don't really pay attention, you know; like, they'll put something on their calendar, they'll forget about it, and then all of a sudden they'll get a pop-up, you know, saying hey, you got an event in five minutes where you need to talk to this person, you know, a sales meeting or whatnot. So yeah, they go, oh cool, here's the Zoom link, let me click on it. Download a malicious payload and we got a shell. Super convincing. I've had a lot of success with this attack. So on the other hand, why is this, you know, how does this help blue? Well, I heard Dave Kennedy give a talk once talking about, you know, you can use all the tactics you want, have a wide array of tactics to throw at your blue team, but you really got to get down to the technique, right? This is a newer technique; this is a newer attack vector.
So, you know, it's something that your blue team might not have seen yet, and you can expose them to it before you actually see it coming at them in the wild. It also helps you educate your users on what to look for, you know, when there could be a malicious injection into the calendar, and that's kind of the best way you can defend against it, in my opinion. Relevance continued: so I did some digging, and I think of the, what, 37 Fortune 1000 companies in Silicon Valley, about 17% of them use G Suite. And then I continued to dig into just random big companies, and I found out of 27 that I looked at, 10 of them use G Suite, so it's about 37%. So there's a lot of G Suite customers out there that are vulnerable to this attack, and I didn't give you all these names, by the way; you did this all on your own. Yeah, so I normally would go through each step of this attack, but again, this is the condensed version; I'll have the links to where I actually have the step-by-step of things.
The first thing, if you're working not so much on an in-house red team but maybe as a contractor, you know, you need to find out if the company you're looking at uses G Suite. dig is a great tool. Sometimes it's super obvious: obviously, if I dig the MX record on google.com and I see that Google is their email, kind of stupid, but sometimes it's not as obvious. You can get something like, you know, pphosted, so you've got Proofpoint cloud protection. You can give it a shot if it's up in the cloud, right, you got a chance if you want to try this. But I think an even better dig would be, so I did dig on the TXT record for Twitter, and you can see the SPF record down here, which is the type of DNS record... Anybody familiar with SPF? Good, good. So what can happen if you don't use SPF on your email? Anybody know? Okay, so I'll give the answer: you can spoof the email. So I could send an email as, you know, if Twitter didn't have SPF protection, I could send an email to somebody as, you know, ant-man@twitter.com. But for us, just doing recon, we can see that their SPF is actually google.com, so Twitter uses G Suite for their email.
Finally, my partner at Box, Cedric Owens, has been doing a lot of talks: DerbyCon, DEF CON Red Team Village this year, the first time they had that there, which is surprising but cool. He created a tool called Gobler, which is really good, open source, get it on GitHub. You put in a domain name and it does a ton of recon stuff for you, including the SPF TXT records you can find here, so again twitter.com. So the way that you get this attack to work is you have to actually get a Google or G Suite API key for Google Calendar. Super easy to do, and again, here's my Medium post that will take you step by step. Normally I would show this, but it's too time-consuming. So that takes me to the tool that I wrote called gCalisher, an open source Python tool. All this really is, is I copied, so there's a PowerShell module called MailSniper by the two Black Hills security guys I mentioned that found this. They have a module called Invoke-InjectGEventAPI. That's all in PowerShell, obviously; I took that and ported it over to Python, because not everybody uses Windows. I work in all-Mac shops, so this works much better for me. Alright, so the demonstration of how this works. Let me get out of this slideshow. Guess I'm doing pretty good on time; maybe I could have gone through all that. Hopefully the internet's working. Can everybody see that? Don't need to zoom in? Make it big. Okay, so this is kind of the help menu. There are some mandatory arguments that you're gonna need. The -a is the attacker email, so that's, again, if we'd gone through the steps that I was gonna show, the attacker email. You kind of want it to be something that's gonna help you fool your victim, so in the case of this demo I created a guy named John Lear, so I created a Gmail address, john.lear.ccf, you know, @gmail.com. Put the CCF in there; CCF was the fictitious company that this John Lear works for, so I make it believable. I mean, I know it has @gmail.com at the end of it, but you can fool a lot of people if you just
throw in a .whatever, you know, on there. The -x is for targets; you can put as many targets as you want. These are the victim Gmail addresses, and it's comma separated, no spaces. The access token, that's the biggest part; again, you can go to my Medium post, go through it step by step, and get that. That's gonna give you the API access that you need. The -s, which is the start date, you need that, and it has to be in this format: the year (YYYY), month (MM), day (DD), T, then hour colon minute (HH:MM). If you don't do it like that, you get an error, and I just want to let you know, like, this tool sucks. I didn't do any kind of error checking or argument checking or anything like that, but anybody's welcome to go on GitHub and do that for me. If not, I don't give a fuck; it still works for me. And then you have to have the -f for the finish date-time, which is again the same format, and if you have something wrong, again, no error checking, you might get like a 401 or 404 and not know why. You know it works when you get a 200 back. So that's all I got for you. The other optional arguments: the important one, -t, is the event title. You probably don't want to send a calendar event to somebody without a title; that could look pretty suspicious. Let's see what else is good on here. -d, the description, that's where you're probably going to, you can embed URLs using HTML in that, and that's where your little description of the event's gonna be, so get creative. I wouldn't recommend skipping that either, but you don't have to put those if you don't want. Time zone: the first time using the time zone was actually in Canada last weekend; I was at Hackfest, and then I used it again here and it works. Normally it defaults to Central time, so if you don't want to be Central time, change that one. So let me get out of here before I run this. Anybody, does anybody have Google Calendar on their phone that wants to give me their Gmail address? Come on, man. I know I told you I was a professional liar, but
I swear I won't hack you. So anyway, I got it set up for mine, so fuck you guys. Yeah, so as you can see, I already got the API key here; told you that was an important part, all these are important. You can see down here I embedded a link; I created a Zoom link. This is actually based on a real, you know, calendar invite that I had with a Zoom link on it, and then I embedded the malicious link here. Before I do that, I just want to show you guys this one thing, hopefully you can see this: I have this unchecked, so just keep that in mind, "Automatically add events from Gmail to my calendar." I think that's unchecked by default, because a lot of people like when they get, you know, the email for their flights or whatever, it automatically adds that to their calendar. This is one of the fixes that Google said works, but it doesn't; it doesn't stop the API injection. So I just want to show you, before I run this, that that's bullshit. And hopefully the internet works; I was having some problems. Alright, we got a 200, right? So it worked, yay, and there I am, got your shells, got my Zoom link here. So, just for educational purposes, for your people in your corporation that you want to, again, this is kind of the same old trick as in emails: roll over the hyperlink and you're gonna see down here that it's really not going to where it says it is here. So something to educate people on. Of course you got all this Google garbage at the beginning, so you got to train people to look past that; I don't know how easy that's gonna be, but, you know, it's there, so educate your folks on that. So when I click on the Zoom link, come on internet, probably get some ads from YouTube because they love to do that. Maybe, yeah, you got it now. Alright, sell me some shit. And there we go; I love the Rickroll still. I'm an idiot, but it's funny to me every time I get somebody to fall for a Rickroll. So yeah, that's it, that's the tool. We go back to the slideshow. Oh, thanks. So yeah, that's plenty of time, so moving on: command and control. This is kind of my
bread and butter when I do these social engineering phishing things. I build the infrastructure up in GCP, but we created, for an exercise that we did recently, we created a fake Zoom update; that's why I used the Zoom link. So instead of getting Rickrolled, they would go and it would download a DMG, again, a Mac environment, and that DMG actually had a Zoom update app that wrapped around an Apfell payload. Anybody here familiar with Apfell? How... nobody? Okay, you guys don't like Macs, do you? Yeah, neither do I, but I don't want to attack them. So SpecterOps, Cody Thomas, it's a feature, created this C2 framework called Apfell, and it works great for Macs. It's got a JXA payload, works perfect, gets around a lot of defenses, just awesome, and he's constantly updating it. So if you get into Macs, or even, they have some good Linux payloads as well, check it out. I've been running with it for a while, and again, he's constantly updating it and it's great. My partner Cedric Owens, by the way, he has a Medium post where he talks about building that Zoom app wrapper around the payload, around the JXA payload. Yeah, okay. Anybody familiar with Mac hacking at all? Alright, cool, alright, we got one at least. So maybe Gatekeeper; you know what Gatekeeper is? So basically, it's a security measure put in by Apple where it checks to make sure that an app that you download from a browser is signed, right; it has to be signed and notarized by Apple. Now since Cat... well, I think it's before Catalina, during Mojave, they... and now if you have Catalina, you can't run any Apple apps without it being notarized. So, yeah, okay, so think about my Zoom app: how the hell am I going to get that around Gatekeeper, right? Well, so you just register for an Apple developer account, a hundred bucks, right? The cool way you can do this is use this NetSpend and go get one of these prepaid cards, and the cool thing with NetSpend is you can actually give it an address, a name, that links to, create a
completely fictitious person, fictitious email address, and you got yourself a card. They'll actually, you got to give them your address, so they're going to mail you the card with your name and everything on it, but you can use this prepaid one before they do that. Works really well for red teaming. So we go ahead and we spend a hundred bucks, we get an Apple developer account, and we get stuff notarized. Getting stuff notarized is actually really easy, takes about three minutes total; Apple notarizes your app, right. We found out the hard way, though, that if you have anything malicious in it, in about a week they're going to just cut your certs and you no longer can use that. So you burn a hundred dollars, but yeah, you got a week to use it, so if you're cool spending a hundred bucks for a week, you know, you can have a good time. And this is also what happens if you link your NetSpend account to your real name and you actually have a developer account under your real name: your certs are actually going to have your real name in them, so when your blue team finds the payload, they'll see that you're part of the red team. So I learned that one the hard way as well; don't use your real name. This is just an example of that Zoom update wrapper that I was telling you about: that's the fugazi and that's the real one, pretty similar. We just got rid of the "what's new" thing and made sure that all they could do is update, but at that time, when they open that DMG and run it, they don't even have to click that; we already got the C2, or we already got the callback to our C2. And the way we got burned with the... we found out that when we made the first developer account we got burned, lost a hundred bucks, as we had this and we had it calling out to the C2, but we also had it, obviously, stealing credentials; there's a pop-up asking for credentials. When we took that out, I'm still going strong for about a month and Apple has not killed my malware yet. So just don't make it obvious, too, and you can
you can go, that hundred bucks will take you far. So how do we stop this, right? Google says this is a feature. Okay, I thought I had a partial fix once. I was in the shower, I like jumped out butt naked, ran to my computer, because I came up with this epiphany, you know, that basically, what I was like, okay, if I can have Burp Suite running and I can do the API injection versus a normal addition, event addition, to Google Calendar, there'd be some sort of difference. So yeah, I thought, okay, well, the person that you're injecting into might still have that invite come to their phone, but who cares, right? My job is to protect the enterprise; I don't give a shit about your phone. So yeah, it's a partial fix, right? Yeah, I was wrong; that didn't work. So there really is no difference that I could see. I'm also not, like, you know, super skilled at picking out the fine details of HTTP posts, so if anybody else is, that might be something that you could help me look into. The cool thing is, some of the guys on the blue team at Box, I started meeting with them to come up with ideas after I phish the shit out of everybody. A guy, Brandon, he's on the red team with me, he thought about, well, maybe there's like a time discrepancy, right? So, like, because you're making an API call, it instantly adds the event to somebody's calendar; that's unnatural, right? A human's not going to instantly, you know, accept the invite. So maybe there's a difference in time. Something we're still looking into; haven't found that, I'll tell you why. And then another one of our analysts, Ben Phillips, also came up with an idea that is pretty cool: looking at the user agent string, you can identify that, like, my app is a Python app, right? So it can stop script kiddies that maybe just grab your tool. Of course, right after he found that, I went and added into my tool where you could change the user agent string, so fuck it. But that's kind of like the, you know, the back and forth between red and blue. Obviously he came up with a fix, I had to come up with a, you
know, workaround to the fix. Fun times, right? So yeah, we were all like, okay, cool, we can stop script kiddies with this, and then we took a look at Google's, like, lag time between getting us the logs, and I don't know if you can read this, but it says one to three days. So yeah, that doesn't work out for us; we can't really catch stuff in real time. Turns out it's not actually that long, but it's, I think it was like, how much was it, like maybe close to an hour or something when we were getting logs. Still not, it's still unsat. I mean, we need to see this stuff in real time. So the thing is, like, alright, well, maybe Google is the only one that can fix this for us; maybe not. Maybe there's a lot of smart blue teamers, from yesterday's talk, so when we go out there, if you have any ideas, man, I'm open to listening to them, because my job as a red teamer is to help our blue teamers learn and, you know, flex our muscles at different attacks and, you know, set up our defenses so they work. So yeah, back to this checkbox thing. I don't know if you guys saw, but, like, Twitter kind of exploded maybe a month or more ago with all the spam coming in on Google calendars, and it was just after I finished writing this talk, and all of a sudden everybody in the cyber security community wanted to have a Medium post: oh, you can fix that, you can fix that. And this was their fix, and I just showed you, obviously, that's bullshit; like, that's not a fix. If they would have read the Black Hills security paper, yeah, they would have known. Actually, those guys wrote that this only fixed the... there were two versions: there was an email injection and there's an API injection. It stopped the email injection, but as we just saw, it doesn't stop the API injection. Yeah, so that's it. Normally I take questions, but I think we're about out of time, so I'll take them out there, and if anybody wants, here's, like, all the references and GitHub; take pictures, whatever. I just got it right on the end. So finally, the most important
point, most important takeaway from this talk, I gotta tell you, is Epstein did not kill himself. Thanks.

Thanks, amen, that's awesome. So if anyone has any questions for him, we can move it out to the patio, get some drinks and talk to each other. I do have one other announcement: for anyone that's doing skydiving tomorrow for fun day, we all have to meet at the registration desk at 1 p.m. So if you're doing skydiving, just keep that in mind: 1 p.m., go to the registration desk. Alright, but yeah, give it up again for Ant-Man, and we'll see you outside.
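The SPF check the talk does by hand with dig (does the domain publish SPF, does it route mail through Google, and would a forged sender actually be rejected) written up as an audit a blue team can run against its own domains. This is an added editorial example placed after the transcript; it is not code from the talk, from gCalisher, or from any tool the speaker mentions. It works on TXT record strings as dig prints them, so it runs offline; the domains and records below are constructed for illustration, and the function and field names are my own. It goes a little beyond the talk by also counting the DNS-lookup mechanisms that RFC 7208 caps at ten, since a record over that limit evaluates to permerror and gives no protection either.

```python
"""SPF record audit over TXT records (added example, not from the talk)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Mechanisms that each cost a DNS lookup under RFC 7208 section 4.6.4 (limit: 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
GOOGLE_INCLUDE = "_spf.google.com"  # the include Google Workspace documents for SPF


@dataclass
class SpfAudit:
    found: bool = False
    record: str = ""
    uses_google: bool = False
    all_qualifier: Optional[str] = None   # '-', '~', '?', '+' or None if no 'all' term
    lookup_count: int = 0
    findings: List[str] = field(default_factory=list)

    @property
    def spoofable(self) -> bool:
        # A receiver honouring SPF only rejects a forged sender on hard fail ("-all").
        return (not self.found) or self.all_qualifier != "-"


def _clean(txt: str) -> str:
    """Join the quoted chunks dig prints for one TXT record; pass bare strings through."""
    return "".join(re.findall(r'"([^"]*)"', txt)) if '"' in txt else txt.strip()


def audit_spf(txt_records: List[str]) -> SpfAudit:
    """Evaluate the SPF policy found among a domain's TXT records."""
    audit = SpfAudit()
    spf = [r for r in (_clean(t) for t in txt_records) if r.lower().startswith("v=spf1")]
    if not spf:
        audit.findings.append("no SPF record published; SPF cannot reject a forged sender")
        return audit
    if len(spf) > 1:
        audit.findings.append("more than one v=spf1 record; RFC 7208 evaluates this as permerror")
    audit.found = True
    audit.record = spf[0]
    terms = audit.record.split()[1:]
    for idx, raw in enumerate(terms):
        qualifier, term = "+", raw
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                                  # modifier, e.g. redirect=, exp=
            if term.partition("=")[0].lower() == "redirect":
                audit.lookup_count += 1
            continue
        name, _, value = term.partition(":")
        name = name.lower().split("/")[0]                # strip a CIDR suffix such as mx/24
        if name == "all":
            audit.all_qualifier = qualifier
            if idx != len(terms) - 1:
                audit.findings.append("terms after 'all' are never evaluated")
            continue
        if name in LOOKUP_MECHANISMS:
            audit.lookup_count += 1
        if name == "include" and value.lower() == GOOGLE_INCLUDE:
            audit.uses_google = True
    if audit.all_qualifier is None:
        audit.findings.append("no 'all' term; unlisted senders evaluate to neutral, not fail")
    elif audit.all_qualifier != "-":
        audit.findings.append(f"'{audit.all_qualifier}all' does not hard-fail unlisted senders")
    if audit.lookup_count > 10:
        audit.findings.append(f"{audit.lookup_count} DNS lookups exceeds the limit of 10 (permerror)")
    return audit


# Constructed sample TXT answers for three fictitious domains (not real DNS data).
SAMPLE_TXT = {
    "good.test": ['"v=spf1 include:_spf.google.com -all"',
                  '"google-site-verification=constructed-placeholder"'],
    "soft.test": ['"v=spf1 include:_spf.google.com ~all"'],
    "none.test": ['"unrelated-verification=constructed-placeholder"'],
}

if __name__ == "__main__":
    for domain, records in SAMPLE_TXT.items():
        a = audit_spf(records)
        print(f"{domain}: google={a.uses_google} all={a.all_qualifier} "
              f"lookups={a.lookup_count} spoofable={a.spoofable} {a.findings}")
```

Feed it the real answers from `dig +short TXT yourdomain` for an inventory of which of your domains are Google-hosted and which still let a forged sender through; the `findings` list is what to hand to whoever owns the DNS zone.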