Wipers are becoming the go-to tool for nation-state cyber warfare in the last decade since the Shamoon attack. Wipers have been used by Russia, Iran, North Korea, and other APTs to support offensive acts. One of the most famous recent attacks was launched during the Russian invasion of Ukraine. We were curious if we could build a next-gen wiper. It would run with the permissions of an unprivileged user yet have the ability to delete any file on the system, even making the Windows OS unbootable. It would do all this without implementing code that actually deletes files by itself, making it undetectable. The wiper would also make sure that the deleted files would be unrestorable. Using the wisdom of martial arts, we understood the importance of using the power of our opponents against them in order to defeat them. Thus, we aimed to use the deletion power of EDRs to our advantage, triggering it by faking a threat. We checked the leading EDR products and attempted to confuse them between malicious files and standard files during threat mitigation processes. We managed to discover and exploit 0-day vulnerabilities in more than 50% of them, leading to the creation of our Aikido wiper, which could be effective against hundreds of millions of endpoints all around the world. In this talk, we'll start by explaining the background of wiper usage, and our research goals and assumptions. Then we'll explain how different EDR products work when they detect a threat, and how we exploited their insecure actions in our Aikido wiper. We'll go on to present four vulnerabilities we found in Microsoft Defender Antivirus, Microsoft Defender For Endpoint, SentinelOne's EDR, Trend Micro Apex One, Avast Antivirus and AVG Antivirus. Finally - using those vulnerabilities - we'll demonstrate the wiping of all user data, and making the operating system unbootable.
Back to Schedule >>Phishing is a serious cyber threat that continues to affect organizations, regardless of their anti-phishing measures. These attacks can have significant consequences for individuals, small businesses, and large enterprises alike. Phishing tactics are no longer limited to email and are now delivered through various channels, making them harder to detect. Our presentation will delve into the latest tactics and techniques used by threat actors to create phishing websites that bypass conventional anti-phishing security measures. Attendees will gain insight into real-life examples of the latest phishing attacks and evasion techniques. By attending our presentation, security professionals, penetration testers, and anyone responsible for detecting and preventing phishing attacks will learn how these attacks evolve and how to stay ahead of attackers. We will provide practical tips and recommendations to help attendees protect their organizations from the growing threat of phishing attacks.
Back to Schedule >>On February 16, 2024, a Chinese cybersecurity company named I-Soon suffered a massive leak of internal documents. It allowed us to delve into the cyber operations of a state-affiliated entity, uncovering their extensive hacking-for-hire services. Our analysis sheds light on the intricate relationships between commercial cyber actors and governmental agendas. Focusing on the company’s commercial offering, we detail the various tools and platforms they maintain, strengths and weaknesses in their capabilities, and provide a unique outlook into the inner workings of an APT actor.
Back to Schedule >>On February 27, millions of Israelis participated in the municipal elections, unaware that they were not the only ones trying to influence their local city councils. Two Iranian cyber groups, Void Manticore and Scarred Manticore, collaborated in an attempt to disrupt municipal networks, aiming to disrupt the local elections. This attempt emphasizes the significant threat of foreign involvement in election processes through cyber attacks. This presentation will trace the history of these actors' intrusions, demonstrating how their collaboration has advanced into a systematic approach. This evolution is evident from their involvement in cyber attacks against the Albanian government's infrastructure to their more recent destructive activities in Israel amid the Israel-Hamas conflict. We will discuss the coordinated cyber operations orchestrated by the Iranian MOIS, highlighting how we distinguish between the two groups by analyzing their tools and techniques.
Back to Schedule >>In this presentation I will demonstrate research of using Bluetooth commodity hardware such as standard Android cellphone device to create RSSI based motion detector. There plenty of use cases both offensive and defensive such as smart security "Cameras" where visual signals can’t be relay on, smart advertising, access control, Bluetooth based Air tags, Cyber Intelligence etc.
Back to Schedule >>DHCP is everywhere. Its ability to simplify network configuration proves very efficient and results in it being used in most corporate networks today. Among the different DHCP servers on the market, Microsoft DHCP stands as one of the most popular choices. This session explores a unique aspect about Microsoft DHCP server - its integration with Active Directory. We will cover some seemingly harmless features, and understand how they can be transformed into attack vectors. First, we will cover the DHCP DNS Dynamic Update feature, and show how it can enable unauthenticated attackers to spoof arbitrary DNS records. After that we will dig into the DHCP Administrators group, and see how its members can escalate their privileges in the domain - potentially gaining Domain Admin. To conclude the talk, we’ll go over the different security settings that should prevent these attacks, and show how they fail to do so in some cases.
Back to Schedule >>In this talk, we’ll uncover a previously-unnamed vulnerability class in Windows, showing how long-standing incorrect assumptions in the design of core Windows features can result in undefined behavior and security vulnerabilities. We will demonstrate how one such vulnerability in the Windows 11 kernel can be exploited to achieve arbitrary code execution with kernel privileges. Digital code signatures provide a cryptographically-verifiable, tamper-evident way to attest that code was produced by a particular entity. Starting with Windows Vista, Microsoft requires all kernel drivers to be digitally signed - a feature called Driver Signing Enforcement (DSE). DSE allows Microsoft to control which entities are allowed to execute code with kernel privileges, keeping rootkits and other malware from tampering with core OS components in memory and on disk. After defining the vulnerability class and covering its brief history, we will demonstrate how the Windows 11 kernel can be exploited to bypass DSE and load arbitrary unsigned drivers without the use of any third-party code such as Bring-Your-Own-Vulnerable-Drivers. We will then describe a small kernel change that can fix this vulnerability, and show how defenders can detect this attack today. Beyond Windows itself, this class of vulnerability can affect any user- or kernel-mode software that relies on documented Windows behavior. This talk will be accompanied by the release of a tool demonstrating the DSE exploit, alongside a mitigation that detects and stops it.
Back to Schedule >>The challenge in ICS/OT is getting your hands on the rare and expensive equipment. That’s why we developed a couple of methods to research devices merely based on their firmware, without physically owning the esoteric devices. During this presentation, we will delve into our exploration of a Gas Chromatograph valued at $100,000. Chromatography is a discipline employed to differentiate between various constituents within a substance. One notable aspect of such equipment is the ethernet capability which opens the opportunity for remote network based attacks. How do we approach identifying vulnerabilities in such equipment? The solution lies in the firmware disassembling from the ground up and mapping key components to enable full device emulation. Fortunately, the firmware was accessible online, enabling us to both simulate the core functionality of the chromatograph and reconstruct internal structures and proprietary protocols, all without the need for the physical peripherals.
Back to Schedule >>As LLM performance improves and context window sizes grow, we’ve seen security researchers starting to integrate LLMs in tools, such as reverse engineering and fuzz target generation. Going beyond tools, the natural question to ask is how well LLMs perform in more general vulnerability research and exploit development tasks. Can LLMs find 0-days? Can they construct working exploits for complicated vulnerabilities? At Pattern Labs, we have been working with frontier AI labs on evaluating vulnerability discovery & exploit development abilities in LLMs. In this talk, I will discuss how we’ve been thinking about it, talk about our adventures in implementing these evals, and show you how well LLMs perform on a few of our challenges.
Back to Schedule >>On October 5th, our team detected unusual reconnaissance targeting Israeli organizations, later revealed as the precursor to a destructive cyber operation by the Iranian Agonizing Serpens (Agrius) APT group. By October 8th, multiple wiper attacks ensued, marked by infiltration, data exfiltration, and deployment of newly discovered wipers. Using our telemetry, we launched an investigation and managed to trace and attribute the attacks to the Agrius APT , an Iranian-affiliated hacking group known since 2020 for targeting mainly Israeli entities. Our research unveils their updated TTPs, newly discovered wipers, and their typical attack cycle.
Back to Schedule >>Chrome extensions are a double-edged sword. On the one hand, they can make your life easier by allowing anything from VPN connections to ad-blocking services. Still, on the other hand, they can also be used maliciously to steal your data, spy on you, or even take control of your computer. This talk will take you on a wild ride through the Chrome extensions jungle, where you will learn how to build an extension from scratch using good old-fashioned javascript, how hackers can exploit extensions to attack you, and how to protect yourself from these attacks. We’ll dive into the new Chrome extensions protocol - Manifest v3, and how it aims to stop hackers (or does it?)
Back to Schedule >>Peek behind the scenes of cloud threat research with me in this session where I'll break down the steps I took searching (and finding (: ) various vulnerabilities in Microsoft Azure and collecting CVEs. Boosting my Microsoft Most Valuable Researcher (MVR) ranking from #80 to #7 on the Azure MVR list for 2023. Attendees will take away actionable steps on how to perform their own cloud threat research and discover vulnerabilities in cloud platforms.
Back to Schedule >>One thing's for sure - we can no longer trust all code running under the same origin as our app because of today's landscape of development where web apps are mostly composed of third party code that builders do not control. Thus, we can no longer trustfully perform many operations we're used to blindly trust. A significant one being DOM interaction - if some code I don't trust runs in my app, how can I rest assured it doesn't manipulate the DOM and the content accessible to the user? If I present them with sensitive content, can an attacker just steal it? What stops them from changing my website's layout to phish the user? Regulating DOM restriction is a very hard problem to solve due to how it's designed. In this talk, we'll make it clear why DOM API is so complicated to confine, explain why this problem is so concerning, and explore noble approaches for addressing it such as SnowJS, LavaDome and LavaMoat and how they open up new possibilities for finally safely working with the DOM.
Back to Schedule >>Confidential Compute is a new technology designed to protect cloud customers' most sensitive data by isolating customers' VMs even from the cloud provider. In this talk we'll demonstrate weaknesses in confidential VM migration and how we at Microsoft worked with our partners at Intel to address all issues. We'll start the talk by exploring confidential VMs, and specifically - confidential VM Migration, a new feature in TDX 1.5. How it functions, which components are involved in the migration process and how it all comes together end to end. Then, we will guide you step by step on how we abused the feature. We will demonstrate both design and code flaws in the migration process, discovered during a close collaboration with Intel, and how these flaws combined affected more than the migration feature, and compromised the confidentiality and integrity of "Confidential VMs". Finally, we'll discuss Intel's fixes for the issues we found and our recommendations for users of confidential compute on how to use this technology securely.
Back to Schedule >>