How’d That End Up On Pastebin (sector.ca) · Ryan Linn

Slide 1: How’d That End Up On Pastebin
Ryan Linn
Principal Consultant, Cyber Threat Analysis
Slide 2: Agenda
COPYRIGHT NUIX 2014, 23 October, 2014
• Introduction
• Why are we here?
• Scenario 1: WordPress Hack
  – Attack Walkthrough
  – Analysis and Countermeasures
• Scenario 2: Backoff POS Attack
  – Attack Walkthrough
  – Analysis and Countermeasures
• Strategic Defenses
• Conclusion
Slide 3: `whoami`
• Principal Consultant – Penetration Testing at Nuix
• Author
  – Coding for Pen Testers
  – Browser Hacker’s Handbook (contributing)
  – Gray Hat Hacking (in Novemberish)
• Open Source Projects
  – Metasploit
  – Ettercap
  – Browser Exploitation Framework
• Background
  – Sys Admin
  – Penetration Testing
  – Forensics
Slide 4: Why are we here?
• As security professionals, we’re busier than ever before
• New large-scale breaches are happening every month
• Many more are happening that aren’t as public
• Blue team is having a rough go of it
• In part, understanding what you’re defending against is hard
• Defense is no longer enough; you need detection
Slide 5: What are the stakes?
Slide 6: Have a zine published about you?
Slide 7: None of us are immune.
Slide 8: WordPress Attack
• Attacker finds a website
• Fingerprints it
• Finds a vulnerable LFI module
• Uploads a shell
• Escalates
• Gets all the data…
• DEMO
Slide 9: Analysis
Slide 10: Goals
• Find webshell
• Identify access pattern
• Determine attacker
• Determine other files touched
Slide 11: Notes
• We are using Nuix for analysis.
• These things will work with other products as well.
  – FTK has a free version for processing data offline.
  – Make a duplicate of the evidence; Linux can parse many of these artifacts natively.
• Grep and regexes are your friend.
• Find what makes you comfortable, and get to really know it.
• DEMO
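The four analysis goals above, worked over a web server access log with grep-style regexes, as an added Python example that is not from the talk; the log lines, the plugin name oldgallery and the IP addresses are constructed.

```python
import re
from collections import defaultdict

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Traversal and wrapper strings typical of LFI probing through a plugin parameter
LFI_RE = re.compile(r'(\.\./|%2e%2e%2f|php://|/etc/passwd|/proc/self/environ)', re.I)
# A PHP file under wp-content/uploads should never exist, let alone answer POSTs
SHELL_RE = re.compile(r'/wp-content/uploads/[^?]*\.php', re.I)

# Constructed sample log (not from the talk); 203.0.113.7 and 198.51.100.2 are documentation IPs
SAMPLE_LOG = """\
198.51.100.2 - - [23/Oct/2014:10:01:02 -0400] "GET /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Oct/2014:10:02:11 -0400] "GET /wp-content/plugins/oldgallery/view.php?file=../../../../etc/passwd HTTP/1.1" 200 987 "-" "curl/7.38"
203.0.113.7 - - [23/Oct/2014:10:03:40 -0400] "GET /wp-content/plugins/oldgallery/view.php?file=../../../wp-config.php HTTP/1.1" 200 2210 "-" "curl/7.38"
203.0.113.7 - - [23/Oct/2014:10:05:03 -0400] "POST /wp-content/uploads/2014/10/img.php HTTP/1.1" 200 311 "-" "curl/7.38"
198.51.100.2 - - [23/Oct/2014:10:05:30 -0400] "GET /index.php HTTP/1.1" 200 6012 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Oct/2014:10:06:15 -0400] "POST /wp-content/uploads/2014/10/img.php HTTP/1.1" 200 4420 "-" "curl/7.38"
"""

def triage(log_text):
    """Work the four analysis goals from one access log.

    Returns (webshells, attackers, touched):
      webshells - PHP paths under uploads that were requested (candidate shells)
      attackers - ip -> number of LFI or webshell requests (the access pattern)
      touched   - ip -> every path that attacking ip requested, in order, so the
                  analyst can see what else it reached (wp-config.php here)
    """
    webshells, attackers, touched = set(), defaultdict(int), defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line; skip rather than guess
        ip, path = m["ip"], m["path"]
        touched[ip].append(path)
        shell = SHELL_RE.search(path)
        if shell:
            webshells.add(shell.group(0))
        if shell or LFI_RE.search(path):
            attackers[ip] += 1
    return webshells, dict(attackers), {ip: touched[ip] for ip in attackers}
```

The same three regexes work directly with grep -E on the raw log when no scripting is wanted; the function only adds the per-IP grouping that answers "who" and "what else".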
Slide 12: Strategic Defenses
• Regularly run wpscan against WordPress instances
• Focus on detection
• File Integrity Monitoring
• Web Application Firewalls
• Web application penetration tests
• Create a canary record and regularly search for it on the Internet
Slide 13: Backoff Malware
Slide 14: Backoff Attack Walkthrough
• Starts with phishing
• Attacks an integrator
• Compromises POS system
• Installs malware
• Exfiltrates data
• DEMO
Slide 15: Analysis
Slide 16: Analysis Overview
• Goals
  – Determine if a system is infected
  – Identify IOCs
  – Find files and registry values
  – Determine how services are running
Slide 17: Sample Backoff IOCs
• 1.55 “backoff”
  – Packed MD5: F5B4786C28CCF43E569CB21A6122A97E
  – Unpacked MD5: CA4D58C61D463F35576C58F25916F258
  – Install Path: %APPDATA%\AdobeFlashPlayer\mswinhost.exe
• Mutexes:
  – Undsa8301nskal
  – uyhnJmkuTgD
Slide 18: Backoff IOCs
• Files Written:
  – %APPDATA%\mskrnl
  – %APPDATA%\winserv.exe
  – %APPDATA%\AdobeFlashPlayer\mswinhost.exe
  – %APPDATA%\AdobeFlashPlayer\Local.dat
  – %APPDATA%\AdobeFlashPlayer\Log.txt
• Static String (POST Request): ihasd3jasdhkas
Slide 19: Backoff IOCs
• Registry Keys:
  – HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
  – HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
• User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
• URI(s): /aero2/fly.php
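A matcher for the file, registry and network indicators listed on the three IOC slides, as an added Python example that is not the talk's own tooling; the sample paths, registry values and proxy lines are constructed, and the mutexes and hashes are left out because they need a live process list or the binary itself.

```python
import re

# Indicators as listed on the slides for Backoff 1.55
IOC_FILES = [r"%APPDATA%\mskrnl", r"%APPDATA%\winserv.exe",
             r"%APPDATA%\AdobeFlashPlayer\mswinhost.exe",
             r"%APPDATA%\AdobeFlashPlayer\Local.dat", r"%APPDATA%\AdobeFlashPlayer\Log.txt"]
IOC_REG = [r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier",
           r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service"]
IOC_UA = "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
IOC_URI, IOC_POST = "/aero2/fly.php", "ihasd3jasdhkas"

def _path_pattern(ioc):
    # On a dead-disk image %APPDATA% is C:\Users\<any user>\AppData\Roaming,
    # so expand it to a wildcard and compare case-insensitively, as NTFS does
    tail = re.escape(ioc.replace("%APPDATA%", ""))
    return re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming" + tail + r"$", re.I)

FILE_PATTERNS = [(ioc, _path_pattern(ioc)) for ioc in IOC_FILES]

def match_files(paths):
    """(ioc, path) for every file-system path that matches a Backoff file IOC."""
    return [(ioc, p) for p in paths for ioc, pat in FILE_PATTERNS if pat.match(p)]

def match_registry(values):
    """values are 'Hive\\Key\\ValueName' strings, e.g. from a parsed NTUSER.DAT."""
    wanted = {v.lower() for v in IOC_REG}
    return [v for v in values if v.lower() in wanted]

def match_http(lines):
    """Grade proxy/IDS log lines: the URI or the POST marker is strong evidence; the
    User-Agent alone is a stock Firefox 24 string, so it is only a pivot point."""
    hits = []
    for line in lines:
        if IOC_URI in line or IOC_POST in line:
            hits.append(("strong", line))
        elif IOC_UA in line:
            hits.append(("weak", line))
    return hits

# Constructed sample evidence (not from the talk); 203.0.113.9 is a documentation address
SAMPLE_FILES = [r"C:\Users\pos1\AppData\Roaming\AdobeFlashPlayer\mswinhost.exe",
                r"C:\Users\pos1\AppData\Roaming\adobeflashplayer\log.txt",
                r"C:\Users\pos1\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini"]
SAMPLE_REG = [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows NT Service",
              r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"]
SAMPLE_HTTP = ['10.0.5.21 POST http://203.0.113.9/aero2/fly.php "' + IOC_UA + '"',
               '10.0.5.22 GET http://example.com/ "' + IOC_UA + '"']
```

Feed match_files a file listing exported from the image and match_registry the Run key values from every user hive, not just the logged-on user's, since the POS account and the integrator's account are different profiles.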
Slide 20: Analysis Walkthrough
• Walk through finding things with Nuix
• Find the malware in a variety of ways
• Determine attack point
Slide 21: Strategic Defense
• Limit integrator access
• Audit all 3rd party access
• Strong network segregation
• File and filesystem integrity monitoring
Slide 22: Final Thoughts
• Blue team is an outdated concept; let’s fix that
• Red team members need to focus on more than breaking
• Attackers are going to get in; our only hope is mitigation and detection
• Let’s keep up the discussion
Slide 23: Questions?